XSS Crime Forum Raid: Arrests Revealed
The Myth Shattered: Did Europol Just Catch the Dark Web's Master Puppeteer?
Imagine a digital underworld where anonymity is king, where ransomware gangs plot their next attack, and illicit transactions flow freely. For years, one figure stood at the heart of this murky realm: "Toha," the elusive administrator of XSS, a sprawling Russian-language cybercrime forum boasting over 50,000 members. He was the trusted arbiter, the silent guardian of their shadowy dealings. But that illusion shattered on July 22, 2025.
Europol, in a coordinated swoop led by French Police, announced the arrest of a 38-year-old man in Kiev, suspected of being the XSS forum's top administrator. The news sent shockwaves through the **dark web**, igniting a frenzied panic and wild speculation among its denizens. Was it Toha? Or had law enforcement merely nabbed a pawn in a much larger game? The answer, as we'll uncover, is far more complex and chilling than anyone expected.
The Crackdown Heard 'Round the Digital Underworld
The arrest wasn't just another bust; it was a seismic event. Europol revealed the suspect's crucial role: acting as a "trusted third party," he mediated disputes between criminals and guaranteed the security of transactions on XSS. This wasn't just a bulletin board; it was a critical hub for some of the world's most notorious **ransomware groups**, including REvil, LockBit, Conti, and Qilin.
The Ukrainian SBU security service confirmed the apprehension, even releasing partially obscured photos from the raid on the suspect's Kiev residence. The images sparked intense debate across other **cybercrime forums**: who was this man whose face was now etched into the annals of **cybersecurity** history? And what secrets did he hold?
The Ghost in the Machine: Unmasking "Toha"
The consensus quickly coalesced around one name: Toha. For nearly two decades, Toha had been a pivotal figure, a titan of the **Russian cybercrime forum** scene. Since the arrest, his accounts on various platforms have fallen silent, a chilling testament to the impact of the raid.
But the forum itself, XSS, isn't gone. It briefly vanished, only to reappear at a new address on the **deep web**, accessible solely through the anonymity of the **Tor network**. Yet, the new site felt different. Longtime members expressed confusion, even outright fear. The old moderators were gone, their explanations absent. Account balances reset to zero, demanding new deposits to register. "Rebuild security and trust," the new admin claimed. But for many, that trust was irrevocably broken.
A Legacy Forged in Shadows: Toha's 20-Year Reign
Who was Toha, this figure whose influence spanned decades? His alleged **cybercriminal career** began in 2005 as a founding member of Hack-All, a Russian-speaking forum that was promptly hacked itself. Undeterred, Toha rebranded it in 2006 as Exploit[.]in, a platform that would draw tens of thousands, becoming a veritable "Who's Who" of wanted **cybercriminals**.
In 2018, Toha announced the sale of Exploit, sparking rampant speculation: was a government entity secretly taking over? Toha vehemently denied these rumors, but the move hinted at his desire to step back, or perhaps, to reinvent himself. That same year, a partial backup of the ancient DaMaGeLaB forum was reborn as xss[.]is, with Toha at its helm. His reach was undeniable, his reputation legendary.
Digital Breadcrumbs: Tracing a Shadowy Empire
For years, Toha meticulously covered his tracks, but digital footprints are hard to erase. Cyber intelligence firm Intel 471, which tracks forum activity, uncovered a crucial detail: Toha used the same email address, `toschka2003@yandex.ru`, across multiple forum accounts, including Exploit, Antichat, and Carder[.]su.
Further investigation by DomainTools.com revealed this email registered over a dozen domain names, many ending in .ua, the top-level domain for Ukraine. Intriguingly, nearly all these registrations listed the name "Anton Medvedovskiy" in Kiev. A single outlier, `ixyq[.]com`, pointed to a "Yuriy Avdeev" in Moscow.
The LockBit Leader's Pursuit & A Tangled Web
The plot thickened in February 2024, when "Lockbitsupp," the infamous leader of the LockBit ransomware group, reached out seeking help to identify Toha. He claimed Toha's real name was Anton Avdeev, a Russian man. Lockbitsupp's suspicions, it turned out, were fueled by a now-deleted 2022 tweet from a user named "3xp0rt," who asserted Toha was Anton Viktorovich Avdeev, born October 27, 1983.
Adding another layer of intrigue, Toha's email address, `toschka2003@yandex.ru`, was linked to a 2010 BMW sales thread where the contact person was "Anton Avdeev" with a specific phone number. Searching this number in Russian government records revealed it was tied to Anton Viktorovich Avdeev, born Oct 27, 1983, complete with a Russian tax ID, SIN, and a history of Moscow traffic violations. It seemed like an open-and-shut case.
A Crucial Discrepancy: The Plot Thickens
But here's where the narrative veers sharply. The Anton Avdeev identified by Lockbitsupp and the Russian records would be 41 years old. The suspect arrested by Europol? He's 38. This glaring age gap cast a dark shadow of doubt over the Avdeev lead. Was it a clever misdirection? Or had law enforcement truly apprehended the wrong man?
Inside the Mind of a Former Cybercriminal: A Witness Speaks
To shed light on this enigma, we consulted Sergeii Vovnenko, a former Ukrainian cybercriminal now working for a security startup. Vovnenko, known as "Flycracker," has a unique perspective. For years, he owned and operated thesecure[.]biz, an encrypted Jabber instant messaging server that Europol directly linked to the arrested suspect. He knew this world intimately. (Full disclosure: Vovnenko and I have a complicated history, having buried the hatchet after he attempted to frame me with heroin in 2013.)
Vovnenko confirmed purchasing a credit card cloning device from Toha in 2009, shipped from Russia. He owned thesecure[.]biz until his arrest in 2014, believing it was stolen while he was jailed, possibly by Toha or another XSS administrator. But his most striking claim? Toha, he insisted, is Russian. "The French cops took the wrong guy," Vovnenko asserted, deepening the mystery.
The True Identity Revealed? Unmasking the XSS Administrator
So, who *did* the Ukrainian authorities arrest? The Avdeev trail, complete with its Russian origins and age discrepancy, strongly suggests a masterful deception by Toha to throw investigators off his scent.
Sometimes, the simplest answer is the correct one. "Toha" is a common Slavic nickname for "Anton," which perfectly aligns with the "Anton Medvedovskiy" listed in the domain registrations tied to Toha's email.
Further investigation by Constella Intelligence pinpointed an Anton Gennadievich Medvedovskiy living in Kiev, who will be 38 years old this December. This individual owns an email address (`itsmail@i.ua`) and an Airbnb account featuring a profile photo of a man whose hairline strikingly resembles the partially obscured suspect in Europol's released images.
Crucially, Toha once shared on DaMaGeLaB in 2005 that he had just finished 11th grade and was studying at university – a period when Medvedovskiy would have been around 18. And on December 11, 2006, fellow Exploit members wished Toha a happy birthday. Records from a 2022 hack of Ukraine's public services portal reveal Mr. Medvedovskiy's birthday is December 11, 1987.
The pieces fit. The Ukrainian authorities likely arrested Anton Gennadievich Medvedovskiy, the true "Toha" – a man who had built and overseen a vast **cybercrime empire** from within Ukraine.
The Aftermath: Chaos, Collapse, and the Cold Reality of Digital Forensics
The arrest has plunged the **Russian cybercrime forum** scene into unprecedented disarray. While XSS quickly relaunched on a new Tor address, the changes were drastic and unsettling. The old moderators vanished, account balances zeroed out, and a new deposit was required to join. The new "admin" promised security, but the trust was gone.
The true terror, however, lies in what authorities now possess. "The myth of the 'trusted person' is shattered," warned a user named "GordonBellford" on another forum. Ukrainian and French authorities have acquired not just the XSS forum's database, but also "several years worth of private messages" and "contact rosters and other user data linked to the seized Jabber server."
This isn't just an archive; it's a goldmine for **digital forensics**. As GordonBellford chillingly cautioned:
> "It is material for analysis that has ALREADY BEEN DONE. With the help of modern tools, they see everything:
>
> * Graphs of your contacts and activity.
> * Relationships between nicknames, emails, password hashes and Jabber ID.
> * Timestamps, IP addresses and digital fingerprints.
> * Your unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.
>
> They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers."
For anyone involved in **cybercrime**, this is the ultimate nightmare. For **cybersecurity professionals** and those protecting digital assets, it's a stark reminder: the illusion of anonymity is crumbling, and the reach of law enforcement, amplified by advanced **AI analysis** and **threat intelligence**, is longer and more precise than ever before. The game has truly changed.
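The two analytic moves this article turns on, pivoting on a shared selector (the same e-mail across forum accounts and domain registrations, with one outlier registrant name) and weighing a candidate date of birth against forum-era statements and the age reported at arrest, shown as an added example on constructed placeholder data. This is illustrative code written for this page, not anything from Intel 471, Constella, DomainTools or the investigators; every record, name and address in it is made up.

```python
from collections import defaultdict
from datetime import date

# Constructed observations (placeholders, not the article's data): each record lists
# the selectors seen together on one platform, as an analyst's pivot table would.
RECORDS = [
    {"platform": "forum-A", "handle": "ghost", "email": "ghost@example.test"},
    {"platform": "forum-B", "handle": "ghost", "email": "ghost@example.test"},
    {"platform": "whois", "domain": "one.example", "email": "ghost@example.test", "name": "A. Example"},
    {"platform": "whois", "domain": "two.example", "email": "ghost@example.test", "name": "A. Example"},
    {"platform": "whois", "domain": "odd.example", "email": "ghost@example.test", "name": "B. Outlier"},
    {"platform": "forum-C", "handle": "someone", "email": "other@example.test"},
]

def link_clusters(records):
    """Union-find over selectors: any two records sharing a selector land in one cluster."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for rec in records:
        nodes = [(k, v) for k, v in rec.items() if k != "platform"]
        for node in nodes[1:]:
            parent[find(node)] = find(nodes[0])
    clusters = defaultdict(set)
    for node in parent:
        clusters[find(node)].add(node)
    return [sorted(c) for c in clusters.values()]

def registrant_names(records, email):
    """Count registrant names behind one e-mail; a minority name is an outlier to re-check."""
    counts = defaultdict(int)
    for rec in records:
        if rec.get("email") == email and "name" in rec:
            counts[rec["name"]] += 1
    return dict(counts)

def dob_consistent(dob, grade11_year, birthday_md, reported_age, on):
    """Weigh a candidate date of birth against the three facts the article uses:
    the year 11th grade ended (expect age 16-18), a birthday wished on a forum (month, day),
    and the age reported at arrest (exact age, or the age reached within that calendar year)."""
    exact = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    return (16 <= grade11_year - dob.year <= 18
            and (dob.month, dob.day) == birthday_md
            and reported_age in (exact, on.year - dob.year))
```

The cluster step is what turns one reused e-mail into a graph of linked handles, domains and names; the consistency check is why a candidate born in 1983 fails the article's 11th-grade and birthday facts while one born on December 11, 1987 passes them.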