Redazione RHC : 7 September 2025 09:33
The arrest of the alleged administrator of the Russian-language forum XSS[.]is, nicknamed Toha, has become a turning point for the entire black market. According to law enforcement, on July 22, 2025, a 38-year-old man was arrested in Ukraine as part of a years-long investigation by the French police, Europol, and Ukrainian intelligence services. The investigation identified him as the organizer of the trade in malicious tools, databases, and illegal access, as well as the beneficiary of ransomware attacks.
The estimate of the possible profit fluctuates and is controversial, but the amount mentioned exceeds seven million euros. The XSS forum itself has been operating since 2013 and was once called DaMaGeLaB. It positioned itself as a platform with reputation mechanisms and a strict taboo on attacks on CIS countries. Toha is considered a veteran of the 2000s, former member of old platforms like Hack-All and Exploit[.]in, involved in the relaunch of DaMaGeLaB under the XSS brand in 2018, after the arrest of the previous admin with the nickname Ar3s. Researchers associate Toha with the name Anton Avdeev, but there is still no official confirmation from security forces, which is explained by the ongoing investigation and attempts to identify other participants.
The detention has affected not only the XSS image, but also the usual logic of trust. The public domain on the open Internet quickly became unavailable, but the Onion Mirror remained in place. The forum began a nervous cleanup’ of old threads, moderators remained silent for a long time, and users began arguing about who controlled the infrastructure. On August 3, the new administrator announced that all services had been transferred to other servers, that new addresses had been launched on the clearweb and darknet, and that the backend and Jabber had presumably not been intercepted.
He claimed to have informed moderators in a closed thread on July 27 about the current situation, but that the request was ignored. According to this version, some moderators left the project and opened their own Onion forum called DamageLib, while simultaneously sending personal invitations to XSS users and claiming that the old site was completely under police control.
DamageLib was the main beneficiary of the first wave of migration. By August 27, 33,487 accounts were registered, or nearly two-thirds of the XSS database, which includes 50,853 users. However, there was no lively discussion. In the first month, 248 topics and 3,107 messages appeared on DamageLib, while over 14,400 public posts were registered on XSS in the last full month before the domain seizure.
Another noteworthy market reaction was highlighted by traffic statistics. According to SimilarWeb, Exploits spiked by nearly 24% during the height of XSS turmoil; the peak was reached on July 24, after which traffic began to decline to normal levels and XSS plummeted. Users are clearly avoiding the new XSS[.]pro domain on the open Internet, and it’s important to remember that we’re talking specifically about clearweb traffic.
The change in the XSS team added fuel to the fire. The old moderators were banned and replaced by the nicknames Flame, W3W, and Locative. The reputation of the former two on the site was almost zero, which caused a strong reaction. Discussions and blocks for critical comments began, and experienced participants disappeared from discussions or began posting less frequently.
To deescalate the situation, the administrator appointed a well-known underground figure with the handle Stallman, active in Exploit, XSS, RAMP, Rutor, and Runion, to moderate. A separate post on August 18 stated that Stallman was the de facto leader of the ransomware community and would oversee the vendor and leak sections. This immediately revived an old conflict dating back to the Toha era, when LockBit was banned from XSS after making personal threats to the administration. Demands to restore the LockBit avatar began appearing on the forum, and commenters began discussing whether the new team would loosen the previous ban on discussing extortionists. There is no confirmation of such a change of course, but the very fact of Stallman’s appointment fueled suspicions.
The crisis of trust was exacerbated by the history of the deposit. At XSS, they served as a financial anchor of reputation, and after the arrest, the question of “who and how will return the money” became central. Users estimate total liabilities at 50-55 bitcoins, which at the end of August amounted to approximately $6.17 million. The new administrator admitted that there were no funds for a full refund and put several options for partial payments to a vote.
The main idea in the discussion was to pay an equal percentage of the amount to everyone who successfully submitted a withdrawal request, with approximately 40.8% of the vote in favor. A separate summary included completed requests for 7.015942 BTC and 480.527 LTC, calculated at approximately $788,000 and $54.700. On August 28, the administrator reported transferring proportional amounts to requesters, and some recipients confirmed this publicly. At the same time, participants complained that the trading sections were flooded with offers from unverified newcomers, and that advertisements targeting CIS countries were being returned without proper moderation, even though this was previously prohibited by the rules.
Meanwhile, DamageLib was developing its own trust model. In the first few weeks, moderators cryptocat, fenix, sizeof, zen, stringray, rehub, and others asked newcomers not to use old nicknames to reduce attribution risks. The team later announced “ghost accounts.” They claim this is a reserve of known names with subsequent verification, so that previous owners can restore their nicknames and accumulated reputation.
The mechanism raised concerns, but there were reports that some participants had already restored their identities. In a discussion about the moderators’ legitimacy, they cited correspondence with the Exploit team. A user with the nickname Fax referenced a message from an Exploit moderator named Quake3, who confirmed that the former XSS team was behind the launch of DamageLib. Meanwhile, older nicknames like antikrya and Ar3s have been spotted on both platforms, although verification on DamageLib is not always possible. Stallman himself registered on DamageLib as Stallman2 on August 27 and claims he continues to moderate XSS[.]pro only to get his deposit back, calling XSS a police project.
XSS’s technical profile was also changing along the way. The administrator stated that he was working with the darkcode.technology team, which, under the forum handle DCT, presented itself as the developer and provider of the Ghost FastFlux anti-DDoS solution for new addresses on the clearweb and darknet. According to them, the technology is in the testing phase and could theoretically become a product, but it is not for sale. At the user level, this has had little effect on the sense of order. The marketplace continued to operate, but more and more ads appeared low-quality and fraudulent, and an attempt to introduce a paid subscription to filter spam quickly proved a failure. Discussion threads discussed removing the commercial section altogether. On DamageLib, a parallel debate raged over whether to allow conversations about extortionists. Cautious “pro” groups prevailed, reflecting an attempt to intercept an agenda where XSS cannot or does not dare to provide a clear answer.
What remains is a layer of personality and symbols, which in the underground are increasingly more important than interfaces. Users are openly concerned about the disappearance of old authorities and note the rare appearance of nicknames like c0d3x, lisa99, stepany4, proexp, and also write that it is impossible to verify when other known participants last logged into their accounts. Mistrust is reinforced by targeted bans for critical posts and by the very uncertainty about who makes the decisions and why. In this context, part of the public recalls backup methods such as Exploit, RAMP, and Verified, although here too there is talk of “bait” and external control.
Looking at the bigger picture, XSS[.]pro appears to be a platform with poor trading quality, painful financial mechanisms, and unclear motivations on the part of the new administration.
DamageLib has quickly gathered a number of registrations, but hasn’t yet managed to transform them into a steady stream of meaningful discussions. The intersection of user bases is enormous, and the community’s focus is not on transactions, but on fundamental issues of trust. It’s transparency of management, clear rules on sensitive topics like extortionists, predictable verification regulations, and an honest resolution to the deposit issue that will determine who becomes the focal point.
For now, it’s appropriate to talk about a pause and the search for a new equilibrium, not a winner.
Redazione