XSS.is

XSS.is was a Russian-language underground cybercrime internet forum known for facilitating the trade of malware, exploits, access to compromised systems, and offering a meeting ground for threat actors and ransomware affiliates.

XSS.is

Type of site	Internet forum
Available in	Russian
Predecessor(s)	DaMaGeLaB
Owner	"Toha"
Created by	Sergey Yarets
URL	xss.is (defunct) xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion (Accessing link help) (defunct)

History

XSS.is was created in 2013 as a hub for cyber criminals and APT actors to trade, buy, and sell malware, ransomware as a service, and exploits.^[1] The forum was created as a successor to the forum DaMaGeLaB created in 2004 and after the arrest of forum admin Sergey Yarets in December 2017, known as Ar3s on the forum, XSS.is became the main successor.^[2] At its peak it had more than 50,000 users registered and active.^[3] It was considered one of the longest running cyber crime forums on the internet.^[4]

Shut down and seizure

French authorities have been monitoring and intercepting data and messages through a Jabber-based messaging service known as thesecure.biz which was ran by the admins of XSS.is and used by cyber criminals since early 2021.^[5] Because of the leaked messages, authorities were able to estimate a profit by the administrator to be ~7 million euros (8 million USD).^[6] Through the interception of data and wiretaps by French authorities, they were able to identify the suspected administrator of XSS.is which led to his arrest.^[7] The administrator, who ran the forum under the alias Toha, would be found to be living in Kyiv, Ukraine.^[8] Moments before the forum was shut down members started talking about the inability to message on thesecure.biz noting it may have been hijacked.^[9] These investigations would lead to his arrest and the site's seizure on July 22, 2025.^[10]