Data Breach Threats

XSS: The Top Russian Dark Web Forum

XSS: The Top Russian Dark Web Forum

Brief Bio: XSS

  • Launch date: 2013, relaunched in September 2018
  • Main language: Russian
  • Registered member count: 50K
  • Total number of posts: 470K 
  • Main topics: Malware, exploits, vulnerabilities, carding, and credential databases

How did XSS start?

XSS forum, which stands for “Cross-Site Scripting” (a type of security vulnerability), was initially established as DaMaGeLaB back in 2013. After the arrest of one of its administrators in 2017, the website underwent a rebranding process and re-emerged as XSS in September 2018.

This hacking forum, which is Russian-based, is run by a Russian admin, and its primary user base is Russian-speakers. Like other hacking forums, XSS also hosts lively discussions about world events, only here we find more debates relating to the Russian cyber world. It includes conversations about Russian cybercriminals, cyberattacks against Russia, or steps Russia takes against Russian threat actors and Russian forums. The forum also mostly (but not always) supports Russia’s political positions, which became very evident at the beginning of the fighting between Russia and Ukraine.

Today, XSS is considered to be one of the most prominent and professional hacking forums within the Russian-speaking communities on the dark web.

The top illicit activities and content on XSS

XSS is well-established within the cybercriminal community and is known for hosting discussions on illicit topics.

Let’s cover the top types of content we can find on it:

APT and ransomware groups on XSS

XSS is used by APT groups, including ransomware groups, to stay informed about the latest tools, techniques, and vulnerabilities that are being discussed in the wider hacking community. In addition, these groups also do PR on XSS. Their members comment on threads that discuss their activities and publicize their activities to build their reputation.

Some of the APT groups that either used or are still using the XSS forum are Lockbit, REvil, Avoslocker, EternityTeam, Babuk, Darkside, etc. 

Take for example the image below, which shows a comment on a random post on XSS talking about a cyber attack Lockbit launched against Entrust. In this post, the group’s team implied that Entrust counter-attacked their website with a DDoS attack. In reaction, they also mentioned that they are taking all necessary measures to maintain normal operations and keep their website active.

Lockbit announces the protective measures they're taking against DDoS attacks by Entrust in a post on XSS
Lockbit announces the protective measures they’re taking against DDoS attacks by Entrust in a post on XSS

XSS as a trading platform for illicit digital goods

XSS is also used as a trading platform for illicit digital goods related to hacking and financial fraud. Many of its registered users engage in direct transactions of various items such as leaked databases, custom malware, hacking tools, vulnerabilities, and zero days that were discovered by hackers.

The following example includes a screenshot of a known author offering the malware he’d developed on a loan for different periods of time – such as a day, a week, or a month:

Example of a known XSS member RaccoonStealer who is offering Infostealer malware on the forum
Example of a known XSS member RaccoonStealer who is offering Infostealer malware on the forum

The malware he developed is called Raccoon Stealer, which is an information-stealing malware that cybercriminals typically use to unlawfully obtain sensitive data stored on the user’s browser.

XXS as an advertisement platform

a sense of trust and credibility. 

The example below includes an ad posted by BidenCash’s admin, a marketplace for stolen credit cards:

BidenCash’s admin advertises his marketplace on XSS
BidenCash’s admin advertises his marketplace on XSS

How to access XSS?

XSS can be accessed in encrypted and mainstream browsers. However, an account must be created and approved by an XSS admin in order to view and post content. The forum has restricted sections and threads that can only be accessed through paid membership for a premium account. Each user receives a user rank with a reaction score based on their contribution to the forum.

Depending on the user’s plan, they will be required to attain a specific level of activity or spend a minimum amount of time in the forum in order to view the complete content of a post. The following image includes a post that can only be accessed by users with a minimum of 20 reactions.

An example of an XSS post that can only be accessed by users with a minimum of 20 reactions
An example of an XSS post that can only be accessed by users with a minimum of 20 reactions

The next example includes a post that is restricted to users who have been members of the forum for at least 100 days:

An example of an XSS post that requires a user to spend a minimum of 100 days on the forum in order to access its content
An example of an XSS post that requires a user to spend a minimum of 100 days on the forum in order to access its content

What’s next?

The increasing relevance of these forums in recent years is a direct result of the growing number of cyber incidents. XSS, like many other hacker forums, has become a critical source of information for monitoring and investigating a variety of cyber threats, including data breaches, ransomware attacks, DDoS attacks, phishing, and other emerging digital risks.

For this reason, many threat intelligence companies track these dark web sources, with the use of dark web data providers like Webz.io, to detect potential threats and identify malware and vulnerabilities that can be exploited by malicious actors against organizations and enterprises.

Sofia Prisiallni
Sofia Prisiallni

Cyber Analyst

Spread the News

Not subscribed to our Dark Web Pulse updates?

By submitting you agree to Webz.io's Privacy Policy and further marketing communications.

Feed Your Machines the Data They Need

Feed Your Machines the Data They Need

GET STARTED

Don't be the last one to know!

Chances are your compromised data is already traded on the dark web.
Ready to discover them and protect your business?

Subscribe to our newsletter for more news and updates!

Ready to Explore Web Data at Scale?

Speak with a data expert to learn more about Webz.io’s solutions
Create your API account and get instant access to millions of web sources