How to Monitor the Dark Web for Emerging Cyber Risks
Learn how companies can easily monitor the dark web to collect valuable intelligence about emerging threats.
XSS is considered one of the top Russian-speaking forums on the dark web, acting as a hub for the sale of stolen data, exploits and zero-days, and malware and ransomware services. Earlier this month, the open web domain of the site was seized after years of investigation, as authorities arrested the suspected administrator of the forum in Ukraine.
Since the takedown, the open web domain of XSS displays a “this domain has been seized” message.
Despite this, the operation did not seem to completely take down the site’s infrastructure, as the original .onion (Tor) domain is still active.
This allowed the remaining administrators and other users on the forum to react and express their concerns regarding the situation.
After the initial reports of the arrest on July 22nd, and with no clear message from the forum itself, user panic was inevitable. The lack of clear information about the situation raised serious concerns among users: their information could be lost or, worse, used to go after them legally.
For the first few days, users were observed discussing how to parse and collect important files, threads and information from the forum, in case the full infrastructure was taken down.
A translated post by an XSS user discussing his concerns and collecting threads
But above all the panic, one feeling was very clear: the users wanted someone to take responsibility and tell them what the fate of the forum was. With many still holding valuable deposits and files on the forum, as well as illicit communications with other actors that could easily be turned into criminal evidence, feelings of uncertainty and dissatisfaction were felt throughout the forum.
A translated post by a user on XSS calling for the moderators to speak up about the situation
A few hours into the discourse, a user by the name of ‘admin’ went online. What was supposed to be a good sign to the disturbed user base was met with speculation and aggression from the same users who only sought information from the forum staff.
A string of translated posts from XSS, showing users’ suspicion of the admin
It is also important to note that many users claimed to have opened threads about the admin being arrested, which were later taken down. This was regarded by the community as highly suspicious behavior.
The first official message from someone identified as one of the forum’s admins came on July 24th, two days after the arrest of the suspected admin. ‘Admin’ commented on one of the threads, promising to better understand the situation and return with more information.
The translated first post by the alleged admin of XSS after the arrest.
A few hours later, ‘admin’ started publishing several threads attempting to clear up the situation. These updates included a disavowal of the previous admin and some of the staff, confirmation that the infrastructure was only mildly exposed, and, most importantly, the loss of the two well-known domains and the move to a new .onion one. ‘Admin’ promised to perform technical work to ensure that all forum functions would be back to normal.
The translated first official statement made by ‘admin’ after the arrest.
This was received with mixed feelings. While many were happy to finally see some clarity, many were still dissatisfied. Whether because of the vague and general statements or distrust of ‘admin’ himself, many users continued voicing their concerns and tried to persuade others not to access the forum until the promised technical updates were made.
A translated message on XSS by a still concerned user
As with all things on the dark web, it is almost impossible to tell. However, using Lunar, our dark web monitoring platform, we can clearly see the change in activity on the forum.
While the number of posts on the forum did drop significantly, discussions did not come to a complete halt. Even though the dominant threads seem to discuss the restoration of the forum, threads detailing malware development and stolen credentials are back in the general discussion.
A graph from Lunar, our dark web monitoring platform, showing the distribution of posts on XSS in the past month. Marked is the date of the arrest.
However, migration to other forums is plausible as well. We have already seen admins of forums such as RAMP claiming an increase in the number of users signing up to their sites.
A translated post made by the RAMP admin on XSS claiming to have an influx of users. The user was banned for advertising his forum.
Does this mark the slow downfall of XSS as the leading Russian cyber forum? The only way to find out is to keep monitoring it closely.