- French and Ukrainian authorities dismantled the XSS.is cybercrime forum and arrested its alleged administrator in Kyiv.
- Investigators say the suspect earned over €7 million by operating a trusted escrow service for cybercriminals.
- Google warns Russian influence groups now target Europe and the United States while expanding AI-assisted cyber operations.

French and Ukrainian authorities have dismantled one of the world’s most influential Russian-language cybercrime forums after arresting its suspected administrator in Kyiv. The operation marks a major victory against cybercriminal networks, but experts warn the wider underground economy continues to thrive.
Europol coordinated the operation, called Ratatouille, which targeted XSS.is after nearly two decades of criminal activity. Investigators arrested a 38-year-old man they believe managed the platform and operated its trusted escrow service.
Authorities allege the suspect collected more than €7 million by acting as a neutral middleman for illegal transactions. That service helped buyers and sellers complete deals while reducing fraud inside the cybercriminal marketplace.
XSS.is attracted more than 50,000 registered members and became a central meeting point for malware developers, ransomware affiliates, exploit brokers, spammers, and network access sellers. The forum helped criminals advertise services, negotiate prices, and build long-term partnerships across the underground economy.
Investigators Disrupt Key Criminal Marketplace
According to Security Affairs, investigators also seized the forum’s associated Jabber server, thesecure.biz, which members regularly used for secure communications. The seizure disrupted another critical piece of infrastructure supporting cybercriminal operations.
Analysis of a leaked XSS.is database showed most activity originated from Russian-speaking users. Researchers found extensive Cyrillic content and numerous registrations from Commonwealth of Independent States (CIS) domains.
The busiest marketplace sections focused on malware, exploit kits, web application vulnerabilities, and stolen network access. Researchers also observed daily activity peaking during Moscow business hours, reinforcing the forum’s strong regional connections.
Authorities believe exposing forum records could produce lasting consequences for thousands of members. The leaked information reportedly includes usernames, email addresses, and IP addresses that investigators could use to build detailed profiles of suspected cybercriminals.
Despite the disruption, XSS.is has already resurfaced online. However, Security Affairs reported that many members now question whether the platform remains trustworthy after law enforcement infiltrated its operations.
Experts also warn that removing one forum will not eliminate cybercrime. Criminal groups frequently migrate to alternative platforms whenever authorities dismantle established marketplaces.
Europol has warned that criminal networks are increasingly recruiting minors through social media, gaming platforms, and the dark web, highlighting how these groups adapt to reach new members.
Russia Expands Influence Campaigns Beyond Ukraine
Google Threat Intelligence says Russian cyber influence campaigns have shifted beyond Ukraine and now increasingly target Europe and the United States. Researchers believe Moscow wants to weaken political stability and fracture Western alliances.
According to The Register, Russian operators increasingly focus on NATO and European Union members by spreading pro-Russian narratives through fake news websites, coordinated messaging campaigns, and online influence operations.
Google researchers explained that these campaigns often coincide with destructive cyberattacks. Threat actors frequently combine disinformation with data-wiping malware, espionage campaigns, and hack-and-leak operations to increase pressure while complicating attribution.
Researchers said the broader ecosystem includes government-backed propaganda teams, intelligence agencies, hacktivists, and proxy groups. Those overlapping relationships make individual campaigns harder to trace because operational boundaries often remain deliberately blurred.
Artificial Intelligence Becomes a Growing Force
Google Threat Intelligence also observed Russian cyber groups increasingly adopting artificial intelligence to accelerate offensive operations. Researchers identified tools such as ChatGPT and Gemini supporting several stages of cyber activity.
According to Google’s findings, threat actors use AI to speed malware development, build attack infrastructure, and create convincing phishing lures. Those capabilities reduce preparation time while allowing operators to launch campaigns more efficiently.
The takedown of XSS.is removes a significant criminal platform, but investigators believe cybercriminals will continue adapting through alternative communities and emerging technologies. Meanwhile, Russia’s expanding influence campaigns and growing AI adoption show the broader cyber threat landscape continues evolving despite successful law enforcement operations.