{"id":5942,"date":"2025-08-07T03:00:16","date_gmt":"2025-08-07T03:00:16","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/07\/who-got-arrested-in-the-raid-on-the-xss-crime-forum\/"},"modified":"2025-08-07T03:00:16","modified_gmt":"2025-08-07T03:00:16","slug":"who-got-arrested-in-the-raid-on-the-xss-crime-forum","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/07\/who-got-arrested-in-the-raid-on-the-xss-crime-forum\/","title":{"rendered":"Who Got Arrested in the Raid on the XSS Crime Forum?"},"content":{"rendered":"<p>    Who Got Arrested in the Raid on the XSS Crime Forum?<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>On July 22, 2025, the European police agency <strong>Europol<\/strong> <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/key-figure-behind-major-russian-speaking-cybercrime-forum-targeted-in-ukraine\" target=\"_blank\" rel=\"noopener\">said<\/a> a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of <b>XSS,<\/b>\u00a0a Russian-language cybercrime forum with more than 50,000 members. 
The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle \u201c<strong>Toha<\/strong>.\u201d Here\u2019s a deep dive on what\u2019s knowable about Toha, and a short stab at who got nabbed.<\/p>\n<div id=\"attachment_71827\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-71827\" decoding=\"async\" class=\" wp-image-71827\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/xss-sbu.png?resize=749%2C499&#038;ssl=1\" alt=\"\" width=\"749\" height=\"499\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/xss-sbu.png 851w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/xss-sbu-768x512.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/xss-sbu-782x521.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-71827\" class=\"wp-caption-text\">An unnamed 38-year-old man was arrested in Kiev last month on suspicion of administering the cybercrime forum XSS. Image: ssu.gov.ua.<\/p>\n<\/div>\n<p>Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party \u2014 arbitrating disputes between criminals \u2014 and guaranteeing the security of transactions on XSS. 
A <a href=\"https:\/\/ssu.gov.ua\/novyny\/sbu-spilno-z-natspolitsiieiu-ta-pravookhorontsiamy-frantsii-vykryla-rozrobnyka-odniiei-z-naividomishykh-u-sviti-khakerskykh-platform\" target=\"_blank\" rel=\"noopener\">statement<\/a> from Ukraine\u2019s <strong>SBU<\/strong> security service said XSS counted among its members many cybercriminals from various ransomware groups, including <strong>REvil<\/strong>, <strong>LockBit<\/strong>, <strong>Conti<\/strong>, and <strong>Qiliin<\/strong>.<\/p>\n<p>Since the Europol announcement, the XSS forum resurfaced at a new address on the deep web (reachable only via the anonymity network <a href=\"https:\/\/en.wikipedia.org\/wiki\/Tor_(network)\" target=\"_blank\" rel=\"noopener\">Tor<\/a>). But from reviewing the recent posts, there appears to be little consensus among longtime members about the identity of the now-detained XSS administrator.<\/p>\n<p>The most frequent comment regarding the arrest was a message of solidarity and support for Toha, the handle chosen by the longtime administrator of XSS and several other major Russian forums. Toha\u2019s accounts on other forums have been silent since the raid.<\/p>\n<p>Europol said the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha\u2019s history. In 2005, Toha was a founding member of the Russian-speaking forum <strong>Hack-All. <\/strong>That is, until it got massively hacked a few months after its debut. In 2006, Toha rebranded the forum to <a href=\"https:\/\/krebsonsecurity.com\/tag\/exploit-in\/\" target=\"_blank\" rel=\"noopener\"><strong>exploit[.]in<\/strong><\/a>, which would go on to draw tens of thousands of members, including an eventual Who\u2019s-Who of wanted cybercriminals.<\/p>\n<p>Toha announced in 2018 that he was selling the Exploit forum, prompting rampant speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. 
However, those suspicions were unsupported by evidence, and Toha vehemently denied the forum had been given over to authorities.<\/p>\n<p>One of the oldest Russian-language cybercrime forums was <strong>DaMaGeLaB<\/strong>, which operated from 2004 to 2017, when its administrator \u201cAr3s\u201d was arrested. In 2018, a partial backup of the DaMaGeLaB forum was <a href=\"https:\/\/www.own.security\/en\/ressources\/blog\/russian-language-cybercriminal-forums---chapter-iii-analyzing-the-most-active-and-renowned-communities-english-only\" target=\"_blank\" rel=\"noopener\">reincarnated as xss[.]is<\/a>, with Toha as its stated administrator.<\/p>\n<h2>CROSS-SITE GRIFTING<\/h2>\n<p>Clues about Toha\u2019s early presence on the Internet \u2014 from ~2004 to 2010 \u2014 are available in the archives of <strong>Intel 471<\/strong>, a cyber intelligence firm that tracks forum activity. Intel 471 shows Toha used the same email address across multiple forum accounts, including at Exploit, <strong>Antichat<\/strong>, <strong>Carder[.]su<\/strong> and <strong>inattack[.]ru.<\/strong><\/p>\n<p><strong>DomainTools.com<\/strong> finds Toha\u2019s email address \u2014 <strong>toschka2003@yandex.ru<\/strong> \u2014 was used to register at least a dozen domain names \u2014 most of them from the mid- to late 2000s. Apart from exploit[.]in and a domain called <strong>ixyq[.]com<\/strong>, the other domains registered to that email address end in .ua, the top-level domain for Ukraine (e.g. 
deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).<\/p>\n<div id=\"attachment_71853\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71853\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71853\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/exploit-deleted-ua.png?resize=749%2C702&#038;ssl=1\" alt=\"\" width=\"749\" height=\"702\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/exploit-deleted-ua.png 924w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/exploit-deleted-ua-768x721.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/exploit-deleted-ua-782x734.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-71853\" class=\"wp-caption-text\">A 2008 snapshot of a domain registered to toschka2003@yandex.ru and to Anton Medvedovsky in Kiev. Note the message at the bottom left, \u201cProtected by Exploit,in.\u201d Image: archive.org.<\/p>\n<\/div>\n<p>Nearly all of the domains registered to toschka2003@yandex.ru contain the name <strong>Anton Medvedovskiy<\/strong> in the registration records, except for the aforementioned ixyq[.]com, which is registered to the name <strong>Yuriy Avdeev<\/strong> in Moscow.<\/p>\n<p>This Avdeev surname came up in a lengthy conversation with <a href=\"https:\/\/krebsonsecurity.com\/2024\/05\/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group\/\" target=\"_blank\" rel=\"noopener\">Lockbitsupp<\/a>, the leader of the rapacious and destructive ransomware affiliate group <strong>Lockbit<\/strong>. 
The conversation took place in February 2024, when Lockbitsupp asked for help identifying Toha\u2019s real-life identity.<\/p>\n<div id=\"attachment_71822\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71822\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71822\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/lcokbitsupp-convo.png?resize=749%2C938&#038;ssl=1\" alt=\"\" width=\"749\" height=\"938\"><\/p>\n<p id=\"caption-attachment-71822\" class=\"wp-caption-text\">In early 2024, the leader of the Lockbit ransomware group \u2014 Lockbitsupp \u2014 asked for help investigating the identity of the XSS administrator Toha, which he claimed was a Russian man named Anton Avdeev.<\/p>\n<\/div>\n<p>Lockbitsupp didn\u2019t share why he wanted Toha\u2019s details, but he maintained that Toha\u2019s real name was <strong>Anton Avdeev<\/strong>. I declined to help Lockbitsupp in whatever revenge he was planning on Toha, but his question made me curious to look deeper.<span id=\"more-71819\"><\/span><\/p>\n<p>It appears Lockbitsupp\u2019s query was based on a now-deleted Twitter post from 2022, when a user by the name \u201c<a href=\"https:\/\/x.com\/3xp0rtblog\/status\/1585357689777164288\" target=\"_blank\" rel=\"noopener\">3xp0rt<\/a>\u201d asserted that Toha was a Russian man named <strong>Anton Viktorovich Avdeev<\/strong>, born October 27, 1983.<\/p>\n<p>Searching the web for Toha\u2019s email address toschka2003@yandex.ru reveals <a href=\"https:\/\/www.bmwclub.ru\/threads\/bmw-x5-e70.398405\/\" target=\"_blank\" rel=\"noopener\">a 2010 sales thread<\/a> on the forum <strong>bmwclub.ru<\/strong> where a user named Honeypo was selling a 2007 BMW X5. 
The ad listed the contact person as Anton Avdeev and gave the contact phone number <strong>9588693.<\/strong><\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-71824\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/bmw-toha.png?resize=878%2C888&#038;ssl=1\" alt=\"\" width=\"878\" height=\"888\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/bmw-toha.png 878w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/bmw-toha-768x777.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/bmw-toha-782x791.png 782w\" sizes=\"(max-width: 878px) 100vw, 878px\"><\/p>\n<p>A search on the phone number 9588693 in the breach tracking service <strong>Constella Intelligence<\/strong> finds plenty of official Russian government records with this number, date of birth and the name Anton Viktorovich Avdeev. For example, hacked Russian government records show this person has a Russian tax ID and SIN (Social Security number), and that they were flagged for traffic violations on several occasions by Moscow police: in 2004, 2006, 2009, and 2014.<\/p>\n<p>Astute readers may have noticed by now that the ages of Mr. Avdeev (41) and the XSS admin arrested this month (38) are a bit off. This would seem to suggest that the person arrested is someone other than Mr. Avdeev, who did not respond to requests for comment.<\/p>\n<h2>A FLY ON THE WALL<\/h2>\n<p>For further insight on this question, KrebsOnSecurity sought comments from <strong>Sergeii Vovnenko<\/strong>, a former cybercriminal from Ukraine who now works at the security startup <strong>paranoidlab.com<\/strong>. I reached out to Vovnenko because for several years beginning around 2010 he was the owner and operator of <strong>thesecure[.]biz<\/strong>, an encrypted \u201cJabber\u201d instant messaging server that Europol said was operated by the suspect arrested in Kiev. 
Thesecure[.]biz grew quite popular among many of the top Russian-speaking cybercriminals because it scrupulously kept few records of its users\u2019 activity, and its administrator was always a trusted member of the community.<\/p>\n<p>The reason I know this historic tidbit is that in 2013, Vovnenko \u2014 using the hacker nicknames \u201c<strong>Fly<\/strong>,\u201d and \u201c<strong>Flycracker<\/strong>\u201d \u2014 <a href=\"http:\/\/krebsonsecurity.com\/2013\/07\/mail-from-the-velvet-cybercrime-underground\/\" target=\"_blank\" rel=\"noopener\">hatched a plan<\/a> to have a gram of heroin purchased off of the Silk Road darknet market and shipped to our home in Northern Virginia. The scheme was to spoof a call from one of our neighbors to the local police, saying this guy Krebs down the street was a druggie who was having narcotics delivered to his home.<\/p>\n<p>I happened to be lurking on Flycracker\u2019s private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack eventually arrived in the U.S. Mail. Vovnenko was later <a href=\"https:\/\/krebsonsecurity.com\/2014\/06\/the-fly-has-been-swatted\/\" target=\"_blank\" rel=\"noopener\">arrested<\/a> for unrelated cybercrime activities, extradited to the United States, convicted, and deported after a 16-month stay in the U.S. prison system [on several occasions, he has expressed heartfelt apologies for the incident, and we have since buried the hatchet].<\/p>\n<p>Vovnenko said he purchased a device for cloning credit cards from Toha in 2009, and that Toha shipped the item from Russia. 
Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.<\/p>\n<p>Vovnenko believes thesecure[.]biz was stolen while he was in jail, either by Toha and\/or an XSS administrator who went by the nicknames <strong>N0klos<\/strong> and <strong>Sonic<\/strong>.<\/p>\n<p>\u201cWhen I was in jail, [the] admin of xss.is stole that domain, or probably N0klos bought XSS from Toha or vice versa,\u201d Vovnenko said of the Jabber domain. \u201cNobody from [the forums] spoke with me after my jailtime, so I can only guess what really happened.\u201d<\/p>\n<p>N0klos was the owner and administrator of an early Russian-language cybercrime forum known as <strong>Darklife[.]ws<\/strong>. However, N0klos also appears to be a lifelong Russian resident, and in any case seems to have vanished from Russian cybercrime forums several years ago.<\/p>\n<p>Asked whether he believes Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko maintained that Toha is Russian, and that \u201cthe French cops took the wrong guy.\u201d<\/p>\n<h2>WHO IS TOHA?<\/h2>\n<p>So who did the Ukrainian police arrest in response to the investigation by the French authorities? It seems plausible that the BMW ad invoking Toha\u2019s email address and the name and phone number of a Russian citizen was simply misdirection on Toha\u2019s part \u2014 intended to confuse and throw off investigators. Perhaps this even explains the Avdeev surname surfacing in the registration records from one of Toha\u2019s domains.<\/p>\n<p>But sometimes the simplest answer is the correct one. 
\u201cToha\u201d is a common Slavic nickname for someone with the first name \u201cAnton,\u201d and that matches the name in the registration records for more than a dozen domains tied to Toha\u2019s toschka2003@yandex.ru email address: Anton Medvedovskiy.<\/p>\n<p>Constella Intelligence finds there is an <strong>Anton Gannadievich Medvedovskiy<\/strong> living in Kiev who will be 38 years old in December. This individual owns the email address <strong>itsmail@i.ua<\/strong>, as well as <a href=\"https:\/\/www.airbnb.com\/users\/show\/27040702\" target=\"_blank\" rel=\"noopener\">an Airbnb account<\/a> featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by the Ukrainian police. Mr. Medvedovskiy did not respond to a request for comment.<\/p>\n<p>My take on the takedown is that the Ukrainian authorities likely arrested Medvedovskiy. Toha shared on DaMaGeLab in 2005 that he had recently finished the 11th grade and was studying at a university \u2014 a time when Medvedovskiy would have been around 18 years old. On Dec. 11, 2006, fellow Exploit members wished Toha a happy birthday. Records exposed in a 2022 hack at the Ukrainian public services portal diia.gov.ua show that Mr. Medvedovskiy\u2019s birthday is Dec. 11, 1987.<\/p>\n<p>The law enforcement action and resulting confusion about the identity of the detained has thrown the Russian cybercrime forum scene into disarray in recent weeks, with lengthy and heated arguments about XSS\u2019s future spooling out across the forums.<\/p>\n<p>XSS relaunched on a new Tor address shortly after the authorities plastered their seizure notice on the forum\u2019s homepage, but all of the trusted moderators from the old forum were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to plunk down a deposit to register at the new forum. 
The new XSS \u201cadmin\u201d said they were in contact with the previous owners and that the changes were to help rebuild security and trust within the community.<\/p>\n<p>However, the new admin\u2019s assurances appear to have done little to assuage the worst fears of the forum\u2019s erstwhile members, most of whom seem to be keeping their distance from the relaunched site for now.<\/p>\n<p>Indeed, if there is one common understanding amid all of these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have several years\u2019 worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.<\/p>\n<p>\u201cThe myth of the \u2018trusted person\u2019 is shattered,\u201d the user \u201cGordonBellford\u201d cautioned on Aug. 3 in an Exploit forum thread about the XSS admin arrest. \u201cThe forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.\u201d<\/p>\n<p>GordonBellford continued:<\/p>\n<blockquote>\n<p>And the scariest thing is: this data array is not just an archive. It is material for analysis that has ALREADY BEEN DONE. With the help of modern tools, they see everything:<\/p>\n<p>Graphs of your contacts and activity.<br \/>\nRelationships between nicknames, emails, password hashes and Jabber ID.<br \/>\nTimestamps, IP addresses and digital fingerprints.<br \/>\nYour unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.<\/p>\n<p>They are not looking for a needle in a haystack. 
They simply sifted the haystack through the AI sieve and got ready-made dossiers.<\/p>\n<\/blockquote>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    BrianKrebs<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/08\/who-got-arrested-in-the-raid-on-the-xss-crime-forum\/\">Go to krebsonsecurity<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Who Got Arrested in the Raid on the XSS Crime Forum? On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS,\u00a0a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1647,1648,1649,368,709,259,1650,1340,1651,1652,1653,1654,320,55,1260,1655,1656,190,1657,1658,231,1659,1660,1661,1662,207,1663,1664,1665],"tags":[72],"class_list":["post-5942","post","type-post","status-publish","format-standard","hentry","category-1647","category-anton-gannadievich-medvedovskiy","category-anton-viktorovich-avdeev","category-breadcrumbs","category-constella-intelligence","category-conti","category-damagelab","category-domaintools-com","category-europol","category-exploit-in","category-flycracker","category-hack-all","category-intel-471","category-krebsonsecurity","category-lockbit","category-lockbitsupp","category-n0klos","category-neer-do-well-news","category-paranoidlab-com","category-qiliin","category-ransomware","category-revil","category-sbu","category-sergeii-vovnenko","category-sonic","category-the-coming-storm","category-toha","category-toschka2003yandex-ru","category-xss-is","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/post
s\/5942"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5942"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5942\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5942"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5942"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5942"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}