The author
Or Shichrur
Cyber Threat Intelligence | OSINT | Multilingual
The Downfall of XSS Forum
On July 23rd, the notorious Russian-language hacking forum XSS.is was seized by French law enforcement agencies. Interestingly, just a few hours before the takedown, researchers at Cyberint, now a Check Point Company, were informed by “Loki,” a well-known moderator on BreachForums, that one of XSS’s admins had allegedly been arrested by the French.
This follows a series of actions by French authorities, who have arrested BreachForums admins over the past few months. However, targeting admins of a Russian-speaking forum marks an unprecedented shift in enforcement—unlike previous cases involving English-speaking forums like BreachForums and RaidForums.
About XSS[.]is
XSS[.]is, a prominent online forum and marketplace, had been a central hub for cybercriminals since 2013, boasting over 50,000 registered users. It was a go-to platform for trading stolen data, malware, access to compromised systems, and ransomware services.
French authorities began investigating XSS[.]is in July 2021. This investigation escalated in September 2024 when French police, with support from Europol, deployed investigators to Ukraine.
According to Europol, XSS[.]is was “a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit.”
The culmination of these efforts came on July 22 in Kyiv, Ukraine, with the arrest of a suspect believed to be the administrator of XSS.is. This arrest was part of a larger coordinated operation to gather evidence and dismantle the forum’s criminal infrastructure.
Authorities haven’t publicly named the suspect, but Europol stated that this individual had been active in the cybercrime ecosystem for nearly two decades and maintained close ties with major threat actors. The suspect is alleged to have profited over $8.2 million from their activities.
Other Major Forums That Are Still Active
Although XSS[.]is was a major forum, many other forums are still active, including DarkForums, Exploit[.]in, Ramp Forums and more. Cyberint continuously adds sources to its monitoring to ensure comprehensive and continuous coverage.
About Cyberint, Now a Check Point Company
Cyberint, otherwise known as Check Point Infinity External Risk Management, reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact.
The solution provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web.