clubic.com - L'administrateur russophone d'un des plus influents forums cybercriminels mondiaux, XSS.is, vient d'être arrêté. L'opération est le fruit d'une enquête franco-ukrainienne de longue haleine.
Les autorités ukrainiennes ont interpellé à Kiev, mardi 22 juillet, le cerveau présumé de XSS.is, une plateforme défavorablement réputée, puisque lieu incontournable de la cybercriminalité russophone. L'arrestation couronne une investigation française lancée il y a quatre ans maintenant, et qui révèle aujourd'hui l'ampleur considérable des gains amassés par l'administrateur du forum, estimés à sept millions d'euros.
XSS.is cachait 50 000 cybercriminels derrière ses serveurs chiffrés
Actif depuis 2013 tout de même, XSS.is, autrefois connu sous le nom de DaMaGeLab, constituait l'un des principaux carrefours de la cybercriminalité mondiale. La plateforme russophone rassemblait plus de 50 000 utilisateurs enregistrés, autrement dit un vrai supermarché du piratage informatique, même si beaucoup moins fréquenté que feu BreachForums, tombé en avril. Sur XSS.is, les malwares, les données personnelles et des accès à des systèmes compromis se négociaient dans l'ombre du dark web.
Le forum proposait aussi des services liés aux ransomwares, ces programmes malveillants qui bloquent les données d'un ordinateur jusqu'au paiement d'une rançon. Un serveur de messagerie chiffrée, « thesecure.biz », complétait l'arsenal en facilitant les échanges anonymes entre cybercriminels. L'infrastructure offrait ainsi un environnement sécurisé pour leurs activités illégales.
L'administrateur ne se contentait pas d'un rôle technique passif. Tel un chef d'orchestre du crime numérique, il arbitrait les disputes entre hackers et garantissait la sécurité des transactions frauduleuses. Un homme aux multiples casquettes, en somme. Toujours est-il que cette position centrale lui permettait de prélever des commissions substantielles sur chaque échange.
Une coopération internationale exemplaire, portée par la France
L'enquête préliminaire française, ouverte le 2 juillet 2021 par la section cybercriminalité du parquet de Paris, a mobilisé la Brigade de lutte contre la cybercriminalité. Les investigations ont révélé des bénéfices criminels d'au moins 7 millions d'euros, dévoilés grâce aux captations judiciaires effectuées sur les serveurs de messagerie.
Outre la France et les autorités ukrainiennes, Europol a joué un rôle déterminant dans cette opération d'envergure internationale. L'agence européenne a facilité la coordination complexe entre les autorités françaises et ukrainiennes, déployant même un bureau mobile à Kiev pour faciliter l'arrestation.
Voilà en tout cas une arrestation de plus contre les réseaux cybercriminels. Souvenez-vous, il y a quelques jours, les mêmes agences avaient déjà démantelé le groupe de hackers prorusses NoName057(16). Des succès successifs qui témoignent d'une intensification bienvenue dans la lutte contre les menaces et les hackers, alors que les cyberattaques se multiplient contre les infrastructures critiques européennes.
This joint operation targeted the sophisticated ecosystem that allowed Europol’s European Cybercrime Centre has worked with Microsoft to disrupt Lumma Stealer (“Lumma”), the world’s most significant infostealer threat.
This joint operation targeted the sophisticated ecosystem that allowed criminals to exploit stolen information on a massive scale. Europol coordinated with law enforcement in Europe to ensure action was taken, leveraging intelligence provided by Microsoft.
Between 16 March and 16 May 2025, Microsoft identified over 394 000 Windows computers globally infected by the Lumma malware. In a coordinated follow-up operation this week, Microsoft’s Digital Crimes Unit (DCU), Europol, and international partners have disrupted Lumma’s technical infrastructure, cutting off communications between the malicious tool and victims. In addition, over 1 300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes.
The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, said: “This operation is a clear example of how public-private partnerships are transforming the fight against cybercrime. By combining Europol’s coordination capabilities with Microsoft’s technical insights, a vast criminal infrastructure has been disrupted. Cybercriminals thrive on fragmentation – but together, we are stronger.”
In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide. The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10.
The now defunct platforms – Cfxapi, Cfxsecurity, neostress, jetstress, quickdown and zapcut – are thought to have facilitated widespread attacks on schools, government services, businesses, and gaming platforms between 2022 and 2025.
The platforms offered slick interfaces that required no technical skills. Users simply entered a target IP address, selected the type and duration of attack, and paid the fee — automating attacks that could overwhelm even well-defended websites.
Global law enforcement response
The arrests in Poland were part of a coordinated international action involving law enforcement authorities in 4 countries, with Europol providing analytical and operational support throughout the investigation.
Dutch authorities have deployed fake booter sites designed to warn users seeking out DDoS-for-hire services, reinforcing the message that those who use these tools are being watched and could face prosecution. Data from booter websites, seized by Dutch law enforcement in data centres in the Netherlands, was shared with international partners, including Poland, contributing to the arrest of the four administrators.
The United States seized 9 domains associated with booter services during the coordinated week of action, continuing its broader campaign against commercialised DDoS platforms.
Germany supported the Polish-led investigation by helping identify one of the suspects and sharing critical intelligence on others.
Polish authorities have detained four suspects linked to six DDoS-for-hire platforms, believed to have facilitated thousands of attacks targeting schools, government services, businesses, and gaming platforms worldwide since 2022.
Such platforms are often marketed as legitimate testing tools on the dark web and hacking forums, but are mainly used to disrupt online services, servers, and websites by flooding them with traffic in distributed denial-of-service (DDoS) attacks and causing outages for real users.
The six DDoS services, named Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut, have been taken down in a coordinated law enforcement action involving authorities from Germany, the Netherlands, Poland, and the United States.
"In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide," Europol said on Wednesday.
"The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10."
Europol has launched a new Operational Taskforce (OTF) to tackle the rising trend of violence-as-a-service and the recruitment of young perpetrators into serious and organised crime. Known as OTF GRIMM, the Taskforce, led by Sweden, brings together law enforcement authorities from Belgium, Denmark, Finland, France, Germany, the Netherlands, and Norway, with Europol providing operational support, threat analysis and coordination.
The exploitation of young perpetrators to carry out criminal acts has emerged as a fast-evolving tactic used by organised crime. This trend was underlined in the European Union Serious and Organised Crime Threat Assessment 2025 (EU-SOCTA), which identified the deliberate use of youngsters as a way to avoid detection and prosecution.
Violence-as-a-service refers to the outsourcing of violent acts to criminal service providers — often involving the use of young perpetrators to carry out threats, assaults, or killings for a fee.
Investigations show that these acts are often orchestrated remotely, with young people recruited and instructed online. There is a clear demand from the criminal underworld for youngsters willing to carry out violent tasks — and a supply of vulnerable young people being groomed or coerced into doing so.
Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting in the arrest of 37 suspects. This includes the arrest of 4 individuals in the United Kingdom linked to the running of the site, including the original developer of the service.The LabHost platform, previously available on the open web, has been...
In follow-up activity for Operation Endgame, law enforcement tracked down Smokeloader botnet's customers and detained at least five individuals.
Kidflix, one of the largest paedophile platforms in the world, has been shut down in an international operation against child sexual exploitation. The investigation was supported by Europol and led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB). Over 35 countries worldwide participated in the operation. almost 1 400 suspects worldwide. So far, 79 of these individuals have been arrested...
This follows a series of high-impact arrests targeting Phobos ransomware:An administrator of Phobos was arrested in South Korea in June 2024 and extradited to the United States in November of the same year. He is now facing prosecution for orchestrating ransomware attacks that encrypted critical infrastructure, business systems, and personal data for ransom.A key Phobos affiliate was arrested in Italy...
Hacker forums Cracked[.]io, Nulled[.]to, MySellIX[.]io, and StarkRDP[.]io on Wednesday are seized by the FBI, Europol, and international law enforcement as part of ‘Operation Talent.’
A large ‘‘Operation Talent’ seizure poster was splashed across most of the shady websites by Wednesday afternoon.
The investigation began in the autumn of 2022, following reports of fraudulent phone calls in which scammers impersonated bank employees to extract sensitive information, such as addresses and security answers, from victims. The stolen data was traced back to a specialised online marketplace that operated as a central hub for the trade of illegally obtained information.A central hub for cyber...
An international law enforcement operation codenamed 'Operation Passionflower' has shut down MATRIX, an encrypted messaging platform used by cybercriminals to coordinate illegal activities while evading police.
In the takedown announced on Wednesday, Europol said it investigated 102 suspects and arrested 11 of them on accusations they were distributing content from streaming services illegally.
These are some of the results of the third phase of Operation Cronos, a long-running collective effort of law enforcement authorities from 12 countries, Europol and Eurojust, who joined forces to effectively disrupt at all levels the criminal operations of the LockBit ransomware group. These actions follow the massive disruption of LockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months.
Between 2021 and 2023, LockBit was the most widely employed ransomware variant globally with a notable number of victims claimed on its data leak site. Lockbit operated on the ransom as a service model. The core group sold access to affiliates and received portions of the collected ransom payments. Entities deploying LockBit ransomware attacks had targeted organisations of various sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing and transportation. Reflecting the considerable number of independent affiliates involved, LockBit ransomware attacks display significant variation in observed tactics, techniques and procedures.
#2024 #EN #Eurojust #LockBit #busted #disrupt #europol
Investigators reported 483 000 victims worldwide, who had attempted to regain access to their phones and been phished in the process. The victims are mainly Spanish-speaking nationals from European, North American and South American countries.The successful operation took place thanks to international cooperation between law enforcement and judiciary authorities from Spain, Argentina, Chile, Colombia, Ecuador and Peru.The action week took...
Australian police say they have infiltrated Ghost, an encrypted global communications app developed for criminals, leading to dozens of arrests.
Europol and law enforcement from nine countries successfully dismantled an encrypted communications platform called
Abuse by cybercriminals Cobalt Strike is a popular commercial tool provided by the cybersecurity software company Fortra. It is designed to help legitimate IT security experts perform attack simulations that identify weaknesses in security operations and incident responses. In the wrong hands, however, unlicensed copies of Cobalt Strike can provide a malicious actor with a wide range of attack capabilities.Fortra...
Abuse by cybercriminals Cobalt Strike is a popular commercial tool provided by the cybersecurity software company Fortra. It is designed to help legitimate IT security experts perform attack simulations that identify weaknesses in security operations and incident responses. In the wrong hands, however, unlicensed copies of Cobalt Strike can provide a malicious actor with a wide range of attack capabilities.Fortra...
The servers supported multiple media outlets linked to Islamic State. They were used to disseminate worldwide propaganda and messages capable of inciting terrorism in at least thirty languages. Eurojust and Europol coordinated and supported the joint operations.This week’s joint operations are part of ongoing efforts and constant vigilance to tackle online terrorist propaganda and communications, including through social media. They...
