Who Got Arrested in the Raid on the XSS Crime Forum? – Krebs on Security

Major Cybercrime Forum XSS Dismantled, Operator Identified as Ukrainian National

KYIV, UKRAINE – A major Russian-language cybercrime forum known as XSS (Exploit) has been taken down by authorities, and investigations strongly suggest its operator was a Ukrainian national named Anton Gannadievich Medvedovskiy, according to research by Constella Intelligence. The takedown has sent ripples of fear and distrust through the underground cybercrime community.

XSS, a prominent marketplace for illicit goods and services including stolen data, malware, and hacking tools, was abruptly seized in recent weeks, with a notice appearing on its homepage indicating law enforcement action. Following the seizure, a relaunched version of the forum appeared on a new Tor address, but with important changes that have fueled suspicion among its members. Trusted moderators were removed, existing user account balances were wiped, and new registration now requires a deposit. The new administrator claimed the changes were necessary to rebuild security and trust, but these assurances have failed to quell concerns.

Investigators initially struggled to identify the individual behind the “Toha” alias used by the forum’s operator. However, analysis of domain registration records linked to the email address toschka2003@yandex.ru revealed a connection to Anton Medvedovskiy. Constella Intelligence identified an Anton Gannadievich Medvedovskiy residing in Kyiv, Ukraine, who turns 38 in December. This individual owns the email address itsmail@i.ua and maintains an Airbnb account with a profile photo bearing a resemblance to the suspect in images released by Ukrainian police. Medvedovskiy has not responded to requests for comment.

Further evidence links Medvedovskiy to the “Toha” identity. Forum posts from 2005 and 2006 indicate “Toha” was a university student who celebrated a birthday on December 11th. Records from a 2022 hack of the Ukrainian public services portal diia.gov.ua confirm Anton Medvedovskiy’s birthdate as December 11, 1987.

The takedown has resulted in a significant data breach, with Ukrainian and French authorities believed to have gained access to years of private messages, contact lists, and user data from both the forum and its associated Jabber server.

Forum members are now expressing widespread fear that their activities have been compromised. One user, “GordonBellford,” warned in an Exploit forum thread that authorities have already analyzed the seized data using advanced tools, creating detailed profiles of forum users based on their contacts, activity, writing styles, and even typographical errors. “They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers,” GordonBellford wrote.
