Who Got Arrested in the Raid on the XSS Crime Forum? – Krebs on Security

Report on the Takedown of the XSS Cybercrime Forum Administrator
Executive Summary
On July 22, 2025, a coordinated international law enforcement operation resulted in the arrest of a key administrator of the Russian-language cybercrime forum, XSS. This action, led by the French Police with support from Europol and Ukrainian authorities, represents a significant blow to the cybercrime ecosystem. The operation directly supports several United Nations Sustainable Development Goals (SDGs), particularly SDG 16 (Peace, Justice and Strong Institutions) by combating organized crime and strengthening the rule of law, and SDG 17 (Partnerships for the Goals) through effective international cooperation. This report details the operation, the investigation into the suspect’s identity, and the implications for global security and sustainable development.
Operational Details and Investigation
International Law Enforcement Action
A long-running investigation culminated in the arrest of a 38-year-old Ukrainian national in Kiev. The operation was a collaborative effort, demonstrating a commitment to global partnerships (SDG 17) in the fight against transnational crime.
- Lead Agency: French National Police
- Supporting Agencies: Europol, Security Service of Ukraine (SBU)
- Suspect: An unnamed 38-year-old male, believed to be the pivotal administrator known as “Toha.”
- Role of Suspect: Acted as the trusted arbitrator for disputes between criminals and guaranteed the security of transactions on the XSS platform, a role that kept illicit financial flows moving, contrary to the principles of SDG 16.
Profile of the XSS Cybercrime Forum
The XSS forum was a major hub for Russian-speaking cybercriminals, undermining economic stability (SDG 8) and threatening digital infrastructure (SDG 9). With over 50,000 members, it served as a marketplace and collaboration platform for numerous high-profile threat actors.
- Platform: XSS, formerly DaMaGeLaB and associated with exploit[.]in.
- Membership: Over 50,000 users.
- Associated Criminal Groups: The SBU confirmed the forum was used by members of notorious ransomware groups, including:
- REvil
- LockBit
- Conti
- Qiliin
Investigation and Suspect Identification
The investigation pieced together a digital trail spanning nearly two decades to identify the administrator. The consensus within the cybercrime community points to an individual with the handle “Toha.”
- Early Career: The suspect’s career began around 2005 as a founding member of the “Hack-All” forum.
- Forum Administration: “Toha” rebranded the forum to “exploit[.]in” in 2006 and later became the administrator of “xss[.]is” in 2018.
- Digital Footprint: An email address, toschka2003@yandex.ru, linked “Toha” to multiple forum accounts and over a dozen domain registrations. Many of these domains were registered to an “Anton Medvedovskiy” in Kiev, Ukraine.
- Corroborating Evidence: Records exposed in a 2022 data breach of a Ukrainian public services portal show that an Anton Gannadievich Medvedovskiy, residing in Kiev, has a birthdate of December 11, 1987. This aligns with forum posts celebrating “Toha’s” birthday on December 11. A person born on that date was 37 at the time of the July 2025 arrest and turns 38 in December 2025, close to the age of 38 given in the police report.
Implications for Sustainable Development Goals (SDGs)
SDG 16: Peace, Justice and Strong Institutions
This operation is a clear example of progress toward SDG 16. By dismantling a key node in the cybercrime network, authorities have advanced several key targets:
- Target 16.1 & 16.4: The action directly combats organized crime and reduces illicit financial flows, together with the trade in malicious software that the forum hosted.
- Target 16.3: It promotes the rule of law at national and international levels by holding criminals accountable for their actions.
- Target 16.A: The seizure of the forum’s database and Jabber server logs strengthens relevant national institutions by providing invaluable intelligence to prevent future criminal activities and prosecute other offenders.
SDG 8: Decent Work and Economic Growth
Cybercrime forums like XSS directly threaten global economic stability. The ransomware and data theft operations facilitated on the platform cause billions of dollars in damages to businesses, disrupt legitimate economic activity, and undermine trust in the digital economy. This law enforcement action helps protect industries and secure a safer environment for sustainable economic growth.
SDG 9: Industry, Innovation, and Infrastructure
The security of digital infrastructure is a prerequisite for innovation and industrial development. The criminal activities organized on XSS target this very infrastructure. By neutralizing a key administrator and disrupting the forum, this operation contributes to building more resilient and secure digital infrastructure, fostering a safe environment for technological advancement.
SDG 17: Partnerships for the Goals
The success of this takedown was contingent on a multi-stakeholder partnership. The collaboration between France, Ukraine, and the pan-European agency Europol exemplifies the international cooperation required to address transnational challenges like cybercrime, fulfilling the core objective of SDG 17.
Aftermath and Community Impact
The arrest has sent shockwaves through the cybercrime community, shattering the “myth of the trusted person” and causing widespread panic. Although the XSS forum has resurfaced at a new address, it has lost its trusted moderators and the confidence of its members, who fear their data has been compromised.
The seizure of the forum’s database and two years of Jabber server logs provides law enforcement with a trove of actionable intelligence. As one forum member noted, authorities now possess “ready-made dossiers” on users, created by analyzing:
- Graphs of contacts and activity.
- Relationships between nicknames, emails, and other identifiers.
- Timestamps, IP addresses, and digital fingerprints.
- Unique writing styles and patterns for cross-platform identification.
This data will enable further law enforcement actions, reinforcing the commitment to justice and strong institutions (SDG 16) and creating a more secure global digital environment.
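The two investigative techniques this report describes, pivoting on a single email address across forum accounts and domain registrations, and building contact graphs, identifier links and activity timelines from seized chat logs, can be illustrated in code. The following Python block is an added example, not part of the original article and not the tooling used by the French Police, Europol or the SBU. Every handle, email address, domain and IP in it is a constructed placeholder, and the log format (one line per message: timestamp, sender JID, recipient JID, source IP) is an assumption chosen for the example.

```python
"""Link analysis over seized chat and forum data (added example, constructed data).

Demonstrates three steps an analyst takes on a seized Jabber log and forum export:
1. a contact graph (who talked to whom, how often),
2. identifier linking via a shared email (the "email pivot"), using union-find,
3. a per-handle dossier: activity window, source IPs, and contacts.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed Jabber-style log. Format (assumed): "timestamp from_jid to_jid src_ip".
JABBER_LOG = """\
2024-03-01T10:15:00Z admin@forum.example buyer1@chat.example 198.51.100.7
2024-03-01T10:17:30Z buyer1@chat.example admin@forum.example 203.0.113.9
2024-03-02T09:02:11Z seller2@chat.example admin@forum.example 203.0.113.40
2024-03-05T22:41:05Z admin@forum.example seller2@chat.example 198.51.100.7
2024-04-11T08:00:00Z buyer1@chat.example seller2@chat.example 203.0.113.9
"""

# Constructed forum account export: handle -> registration email.
FORUM_ACCOUNTS = {
    "admin": "ops.mailbox@mail.example",
    "buyer1": "b1@mail.example",
    "seller2": "s2@mail.example",
    "oldhandle": "ops.mailbox@mail.example",  # same mailbox reused on an older account
}

# Constructed domain registration records: domain -> registrant email.
DOMAIN_REGISTRATIONS = {
    "shop-example.test": "ops.mailbox@mail.example",
    "unrelated.test": "someone@other.example",
}


def parse_log(text):
    """Parse the constructed log into event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "src": src, "dst": dst, "ip": ip})
    return events


def contact_graph(events):
    """Undirected weighted graph: graph[a][b] = messages exchanged between a and b."""
    graph = defaultdict(Counter)
    for e in events:
        graph[e["src"]][e["dst"]] += 1
        graph[e["dst"]][e["src"]] += 1
    return graph


class UnionFind:
    """Minimal disjoint-set structure with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_identifiers(accounts, registrations):
    """Cluster handles, emails and domains that share an identifier.

    Returns a map from every identifier (prefixed by type) to the frozenset of
    everything it is linked to, so one email ties old and new handles to domains.
    """
    uf = UnionFind()
    for handle, email in accounts.items():
        uf.union(f"handle:{handle}", f"email:{email}")
    for domain, email in registrations.items():
        uf.union(f"domain:{domain}", f"email:{email}")
    clusters = defaultdict(set)
    for node in list(uf.parent):
        clusters[uf.find(node)].add(node)
    return {node: frozenset(members) for members in clusters.values() for node in members}


def dossier(events, handle):
    """Activity window, source IPs and per-contact message counts for one handle.

    A JID's local part (before '@') is taken as the forum handle; an assumption.
    """
    mine = [e for e in events if e["src"].split("@")[0] == handle]
    graph = contact_graph(events)
    contacts = Counter()
    for jid in {e["src"] for e in mine}:
        contacts.update(graph[jid])
    return {
        "first_seen": min((e["ts"] for e in mine), default=None),
        "last_seen": max((e["ts"] for e in mine), default=None),
        "ips": sorted({e["ip"] for e in mine}),
        "contacts": dict(contacts),
    }


if __name__ == "__main__":
    evts = parse_log(JABBER_LOG)
    print(dossier(evts, "admin"))
    print(sorted(link_identifiers(FORUM_ACCOUNTS, DOMAIN_REGISTRATIONS)["handle:admin"]))
```

The union-find step is what turns a flat list of records into the "relationships between nicknames, emails, and other identifiers" the forum member describes: a single reused mailbox connects an old handle, a current handle and a domain registration into one cluster, while unrelated records stay separate. Real seized data would need de-duplication of JIDs across resources and handling of shared or proxied IPs before the dossier is trusted.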
1. Which SDGs are addressed or connected to the issues highlighted in the article?
- SDG 16: Peace, Justice and Strong Institutions
This is the most relevant SDG as the article’s core theme is the fight against organized crime through international law enforcement cooperation. The arrest of a key cybercrime forum administrator by French and Ukrainian police, coordinated by Europol, is a direct effort to promote justice and build stronger, more effective institutions capable of tackling complex, transnational crimes. The article details the disruption of a major hub for cybercriminals, including ransomware groups, which directly relates to making societies safer and holding criminals accountable.
- SDG 17: Partnerships for the Goals
The article explicitly highlights a multi-agency, cross-border partnership. The investigation was “led by the French Police,” involved “the European police agency Europol,” and resulted in an arrest in Kiev by “Ukraine’s SBU security service.” This collaboration is a clear example of a partnership to achieve a common goal, specifically combating crime, which reinforces the principles of SDG 17 by demonstrating effective international cooperation to address global challenges.
- SDG 9: Industry, Innovation and Infrastructure
The issues discussed are intrinsically linked to digital infrastructure. The article describes how cybercrime forums like XSS and the Tor network are used for illicit activities, threatening the security and reliability of the global digital infrastructure. The law enforcement action to seize the forum’s domain and servers is an effort to build more resilient and secure infrastructure by removing criminal elements that undermine its integrity and the safety of its users.
- SDG 8: Decent Work and Economic Growth
While not a primary focus, this SDG is connected through the negative economic impact of the criminal activities discussed. The article mentions that the XSS forum was a hub for “cybercriminals from various ransomware groups, including REvil, LockBit, Conti, and Qiliin.” These groups, particularly the “rapacious and destructive ransomware affiliate group Lockbit,” cause significant financial damage to businesses and public institutions, disrupting economic activity and hindering growth. Combating these groups helps protect the economy.
2. What specific targets under those SDGs can be identified based on the article’s content?
SDG 16: Peace, Justice and Strong Institutions
- Target 16.4: By 2030, significantly reduce illicit financial and arms flows, strengthen the recovery and return of stolen assets and combat all forms of organized crime.
The article directly addresses this target by describing the takedown of a major organized crime platform. The XSS forum, with its 50,000 members including ransomware groups, facilitated organized cybercrime. The arrest of its administrator is a clear action to “combat all forms of organized crime.” The forum’s role as a place where the “security of transactions” between criminals was guaranteed points to its function in facilitating illicit financial flows.
- Target 16.a: Strengthen relevant national institutions, including through international cooperation, to build capacity at all levels, in particular in developing countries, to prevent violence and combat terrorism and crime.
The entire operation described is an embodiment of this target. The collaboration between the French Police, Europol, and Ukraine’s SBU demonstrates “international cooperation” to “combat… crime.” This action strengthens the capacity of these national and international institutions to tackle sophisticated cybercrime operations that cross multiple borders.
SDG 17: Partnerships for the Goals
- Target 17.16: Enhance the global partnership for sustainable development, complemented by multi-stakeholder partnerships that mobilize and share knowledge, expertise, technology and financial resources…
The joint investigation is a multi-stakeholder partnership among law enforcement agencies from different countries (France, Ukraine) and a regional body (Europol). They mobilized their respective knowledge, expertise, and resources to track and arrest a key figure in the cybercrime world, perfectly illustrating the partnership model described in this target.
SDG 9: Industry, Innovation and Infrastructure
- Target 9.1: Develop quality, reliable, sustainable and resilient infrastructure… to support economic development and human well-being…
The article shows a threat to the reliability and resilience of digital infrastructure. Cybercrime forums and the activities they support undermine trust and security online. The law enforcement action to seize the forum and its servers is a direct intervention to make the digital infrastructure more secure and resilient against criminal exploitation, thereby protecting its ability to support legitimate economic activity and well-being.
3. Are there any indicators mentioned or implied in the article that can be used to measure progress towards the identified targets?
Target 16.4 (Combat organized crime)
- Qualitative Indicator: The successful takedown of a major cybercrime forum (XSS) and the arrest of its administrator (“a pivotal figure in the crime forum scene”) serve as a direct indicator of progress in combating organized crime.
- Implied Indicator: The article notes that after the forum was seized and relaunched, “existing members saw their forum account balances drop to zero.” This implies the confiscation of digital assets, which relates to indicators measuring the value of seized assets from criminal operations.
Target 16.a (Strengthen institutions through cooperation)
- Indicator: The existence of the joint operation itself. The article’s central story about the “long-running investigation led by the French Police” with Europol and Ukrainian authorities is a tangible example of international cooperation in practice. The number of such successful joint operations could be used as a metric for progress.
Target 9.1 (Resilient infrastructure)
- Indicator: The seizure of the cybercrime forum’s web address and servers. The article states that authorities “plastered their seizure notice on the forum’s homepage.” This action is a measurable step in removing malicious components from the internet, thus contributing to a more resilient overall infrastructure.
4. Table of SDGs, Targets, and Indicators
| SDGs | Targets | Indicators Identified in the Article |
|---|---|---|
| SDG 16: Peace, Justice and Strong Institutions | 16.4: Reduce illicit financial and arms flows; combat all forms of organized crime | Takedown of the XSS forum and arrest of its administrator; member account balances reset to zero after the relaunch (implied seizure of digital assets) |
| SDG 16: Peace, Justice and Strong Institutions | 16.a: Strengthen national institutions through international cooperation to combat crime | The joint operation of the French Police, Europol and Ukraine’s SBU; the number of such successful joint operations |
| SDG 17: Partnerships for the Goals | 17.16: Multi-stakeholder partnerships that share knowledge, expertise and resources | The joint investigation itself, pooling the capabilities of France, Ukraine and Europol |
| SDG 9: Industry, Innovation and Infrastructure | 9.1: Develop reliable and resilient infrastructure | Seizure of the forum’s web address and servers; seizure notice posted on the forum homepage |
| SDG 8: Decent Work and Economic Growth | No specific target identified in the article | Financial damage caused by ransomware groups active on the forum (REvil, LockBit, Conti, Qiliin) |
Source: krebsonsecurity.com