The arrest of the alleged administrator of the Russian-speaking forum XSS[.]is, known under the alias Toha, has become a critical inflection point for the entire underground market. According to law enforcement, on July 22, 2025, a 38-year-old man was detained in Ukraine as part of an investigation that had been pursued for years by French police, Europol, and Ukrainian authorities. Investigators consider him a central figure in the trade of malicious tools, stolen databases, and illicit access credentials, as well as a beneficiary of ransomware operations. The estimated profits—exceeding seven million euros—remain contested but striking.
Founded in 2013 under the name DaMaGeLaB, the forum was rebranded as XSS in 2018 following the arrest of its previous administrator, Ar3s. Known for its reputation-based mechanisms and a strict taboo on attacks against CIS countries, XSS was regarded as a cornerstone of the cyber underground. Toha himself was seen as a veteran of the early 2000s, with ties to older platforms such as Hack-All and Exploit[.]in, and was widely believed to have orchestrated the relaunch of DaMaGeLaB into XSS. Researchers have linked him to an individual named Anton Avdeev, though law enforcement has yet to confirm this due to ongoing investigations and efforts to identify other participants.
The arrest rattled not only XSS’s image but also the established logic of trust. Its public-facing domain quickly went offline, though the onion mirror remained accessible. A frantic purge of old threads began, moderators fell silent, and users openly speculated about who controlled the infrastructure. On August 3, a new administrator declared that services had been migrated to new servers, with fresh clearweb and darknet addresses launched, while backend systems and Jabber accounts had allegedly not been compromised. He claimed to have notified moderators privately on July 27, though many ignored the message. Meanwhile, reports emerged that some former moderators had defected, creating a rival onion forum named DamageLib, sending personal invitations to XSS users, and asserting that the original site was fully under police control.
DamageLib quickly emerged as the main beneficiary of this first wave of migration. By August 27, it had registered 33,487 accounts, nearly two-thirds of XSS’s 50,853-user base. Yet activity levels paled in comparison: just 248 threads and 3,107 posts in its first month, against more than 14,400 public posts on XSS in the final full month before domain seizure. Market dynamics reflected the turbulence: traffic statistics from SimilarWeb showed Exploit enjoying a temporary surge of nearly 24% at the peak of instability on July 24, before settling back down, while XSS’s traffic declined. Users have since shunned the new clearweb domain XSS[.]pro, with visible avoidance in open-web traffic.
The reshuffling of XSS’s leadership deepened the turmoil. Veteran moderators were banned and replaced by Flame, W3W, and locative—figures with little to no reputation, sparking uproar. Conflicts escalated into bans over critical comments, while seasoned members withdrew or became less active. To stabilize the situation, the administrator recruited the well-known underground actor Stallman, active across Exploit, XSS, RAMP, Rutor, and Runion, to moderate vendor and leak sections. In an August 18 post, Stallman was described as de facto head of the ransomware community—a move that revived the old controversy from Toha’s era, when XSS banned LockBit following personal threats to the administration. This appointment rekindled debates over whether the new leadership might soften the historic prohibition on ransomware discussions.
The deposit system—long a cornerstone of XSS’s reputation model—became another flashpoint. Users estimated outstanding obligations at 50–55 BTC (around $6.17 million at the end of August). The new administrator admitted full reimbursement was impossible and proposed partial payouts. A leading option—proportional refunds for all verified withdrawal requests—won about 40.8% of votes. Reported requests totaled 7.015942 BTC and 480.527 LTC, valued at roughly $788,000 and $54,700 respectively. On August 28, proportional refunds were issued, with some recipients publicly confirming receipt. Still, complaints persisted over trade sections filling with unchecked newcomers and the reappearance of CIS-targeted ads—once explicitly banned.
Meanwhile, DamageLib began experimenting with its own trust mechanisms. Early moderators—including cryptocat, fenix, sizeof, zen, stringray, and rehub—urged newcomers not to reuse old nicknames to reduce attribution risks. Later, they announced a system of “phantom accounts”, reserving established handles for later verification so former owners could reclaim their reputations. While controversial, some members reportedly succeeded in restoring their identities. Discussions on legitimacy drew in references from Exploit: user Fax cited moderator Quake3, who allegedly confirmed that DamageLib was indeed run by the former XSS team. Well-known aliases such as antikrya and Ar3s were observed across both forums, though not always verified. Stallman himself registered on DamageLib as Stallman2 on August 27, claiming he remained active on XSS[.]pro solely to recover his deposit, while insisting that XSS was now under police control.
XSS’s technical infrastructure was also retooled on the fly. The administrator announced cooperation with darkcode.technology, represented by user DCT, as the provider of an anti-DDoS solution called Ghost FastFlux for new clearweb and darknet addresses. While positioned as a product under testing, it was not offered for sale. Yet at the user level, this did little to restore order. Trade threads increasingly resembled low-quality scams, and a proposed subscription model for spam filtering collapsed quickly. Discussions on both platforms circled around ransomware policy, with cautious support on DamageLib reflecting its bid to seize narrative ground that XSS’s leadership has hesitated to claim.
Beneath the infrastructure debates lies the deeper question of identity and authority. Users lament the disappearance of old figures and express unease at the sporadic appearances of aliases such as c0d3x, lisa99, stepany4, and proexp. Uncertainty over who last accessed accounts, combined with selective bans for criticism, fuels mistrust. Many keep backup options open, considering Exploit, RAMP, and Verified, though even these are clouded by rumors of honeypots and external surveillance.
Viewed in full, XSS[.]pro now appears as a platform with eroding trade quality, fraught financial mechanics, and opaque leadership motives. DamageLib has amassed registrations rapidly but has yet to generate meaningful discourse. With vast overlap in user bases, the community’s focus has shifted from commerce to the fundamental question of trust. Ultimately, transparent governance, clear stances on sensitive topics like ransomware, predictable verification processes, and an honest resolution of the deposit crisis will determine which forum becomes the true center of gravity. For now, however, the scene is best described not in terms of winners, but as a fractured ecosystem in search of a new equilibrium.
