Cybercriminal forums are often used for selling and distributing malware, distributing and selling leaks, access to companies, online stores, and more. It's common to hear that forums are dying and have lost their former activity because of the rapid advancement of AI. Most issues used to be resolved through forums or specialized platforms like Stack Overflow; now Claude[.]ai or ChatGPT resolve most issues in the underground community, if you ask the right questions. Groups (APTs) are already training their models locally; the word "censorship" doesn't exist for them. However, forums are far from a thing of the past; all commercial activity still takes place there. One platform closes, and two others take its place.
This material is intended for companies, government agencies, and information security specialists who monitor the current state of the cybercriminal underground. Understanding how darknet forums are structured helps build proactive defenses and promptly detect threats.
The most recent news story was the arrest of the xss.is administrator. According to Europol, the Ukrainian citizen operated a platform that served as a hub for Russian-speaking cybercriminals.
xss.is (old domain), xss.ac (now)
Europol and its partners arrested an administrator in Kyiv, who apparently only had access to the Xenforo admin panel, user deposits, and the FBI. The entire infrastructure was apparently maintained by other people, who were inaccessible to Europol/FBI due to their location. It's possible the administrator knew in advance that he would be targeted due to the tense geopolitical situation.
Key figure behind major Russian-speaking cybercrime forum targeted in Ukraine
Results:
1. Intelligence agencies seized hackers' deposits of 45 BTC and 1,348 LTC.
2. Thesecure[.]biz forum jabber was seized by intelligence agencies.
3. A new administration took over, the domain changed, and deposits were partially compensated from forum income.
4. All old moderators were blocked.
5. The emergence of new forums: DamageLIB and DutyFree.
As experience shows, cybercrime cannot be stopped. The attackers simply changed their location, moved to other boards, or continued their activities on the new xss under a different nickname.
Essentially, there is no longer a center of evil. The target audience has divided into several forums. Criminals involved in carding have moved to the Styx platform.
The new darknet market Styx is gaining momentum
The DutyFree forum has also appeared on the market and is on flare.io's list of forums to monitor. Analyst1 also noted that this platform is home to "Qilin" attackers who encrypt files and request money transfers to servers they control.
Forum homepage
Forum chat
Article competition
DutyFree is receiving suspiciously large amounts of investment; it will be interesting to see how the administrator plans to recoup their investment.
DamageLIB was developed by former xss.is moderators. Commercial activity is prohibited on the forum, and the platform is only accessible through onion.
Thus, cybercriminal platforms continue to exist even after the administrators are arrested, as such projects are not created alone. Experience shows that the FBI/Europol are powerless against such platforms, as the entire infrastructure is located outside their jurisdiction. In 2026, underground forum administrators increasingly abandoned Cloudflare's forum protection solutions in favor of the Russian DDoS-Guard, further complicating matters for overseas law enforcement.
The next part will examine these platforms in more detail.
(c) https://habr.com/ru/news/1012956/
