On July 22, 2025, the European police agency Europol said that a long-running investigation led by the French police had resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with over 50,000 members. The action has triggered a frenzy of speculation and nervousness among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is an important person in the crime forum scene who goes by the hacker handle “Toha.” Here is a deep dive into what is knowable about Toha, and a short stab at who got arrested.

A 38-year-old man was arrested in Kiev last month on suspicion of administering the cybercrime forum XSS. Picture: ssu.gov.ua.
Europol did not name the accused, but published partially obscured photos from the raid at his residence in Kiev. The police agency said that the suspect acted as a trusted third party – mediating disputes between criminals – and guaranteed the security of transactions on XSS. A statement from Ukraine's SBU security service said that XSS counted several cybercriminals from various ransomware groups among its members, including REvil, LockBit, Conti, and Qilin.
Since Europol's announcement, the XSS forum has resurfaced at a new address on the deep web (accessible only through the anonymity network Tor). But judging from recent posts, there is very little consensus among longtime members about the identity of the now-detained XSS administrator.
The most frequent comment about the arrest was a message of solidarity and support for Toha, the handle used by the longtime administrator of XSS and of many other major Russian forums. Toha's accounts on other forums have been silent since the raid.
Europol said that the suspect has enjoyed a career of about 20 years in cybercrime, which roughly lines up with Toha's history. In 2005, Toha was a founding member of the Russian-speaking forum Hack-All. That is, until it was hacked on a large scale a few months after its launch. In 2006, Toha relaunched the forum as exploit(.)in, which would go on to attract thousands of members, including an eventual who's who of cybercriminals.
Toha announced in 2018 that he was selling the Exploit forum, prompting widespread speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. However, those suspicions were never backed by evidence, and Toha strongly denied that the forum had been handed over to the authorities.
One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator “AR3S” was arrested. In 2018, a partial backup of the DaMaGeLaB forum was reborn as xss(.)is, with Toha as its declared administrator.
Cross-site grifting
Clues about Toha's early presence on the Internet – from roughly 2004 to 2010 – are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity. Intel 471 shows that Toha used the same email address for many forum accounts, including at Exploit, Antigate, carder(.)su and inattack(.)ru.
DomainTools.com finds that Toha's email address – toschka2003@yandex.ru – was used to register at least a dozen domain names, most of them from the mid-2000s to the end of the 2000s. In addition to exploit(.)in and a domain called ixyq(.)com, other domains are registered to that email address.

A 2008 snapshot of a domain registered to toschka2003@yandex.ru and to Anton Medvedovski in Kyiv. Note the message at the bottom, “Protected by Exploit,in.” Picture: Archive.org.
Anton Medvedovski is named in the registration records of almost all domains registered to toschka2003@yandex.ru, except the aforementioned ixyq(.)com, which is registered in the name Yuri Avdeev in Moscow.
This Avdeev surname came up in a long conversation with Lockbitsupp, the leader of the rapacious and destructive ransomware affiliate group LockBit. The conversation took place in February 2024, when Lockbitsupp sought help in determining Toha's real-life identity.

In early 2024, the leader of the LockBit ransomware group – Lockbitsupp – asked for help checking the identity of XSS administrator Toha, who he claimed was a Russian man named Anton Avdeev.
Lockbitsupp did not share why he wanted Toha's details, but he said that Toha's real name was Anton Avdeev. I refused to help Lockbitsupp with whatever revenge he had planned on Toha, but his question made me eager to look deeper.
It seems that Lockbitsupp's query was based on a now-deleted Twitter post from 2022, in which a user named “3xp0rt” said that Toha was a Russian man named Anton Victorovich Avdeev, born on 27 October 1983.
A web search for Toha's email address toschka2003@yandex.ru reveals a 2010 sales thread on the forum bmwclub.ru where a user named Honeypo was selling a 2007 BMW X5. The advertisement listed the contact person as Anton Avdeev and gave the contact phone number 9588693.
A search on the phone number 9588693 in the breach tracking service Constella Intelligence finds many official Russian government records with this number, date of birth and the name Anton Victorovich Avdeev. For example, the Russian government records suggest that this person has a Russian tax ID and SIN (social security number), and that they were flagged by Moscow police on several occasions for traffic violations: in 2004, 2006, 2009 and 2014.
Astute readers may have noticed that the ages of Mr. Avdeev (41) and the XSS administrator arrested this month (38) are a little off. This suggests that the arrested person is someone other than Mr. Avdeev, who did not respond to requests for comment.
A fly on the wall
For further insight on this question, KrebsOnSecurity sought comment from Sergei Vovnenko, a former cybercriminal from Ukraine who now works at the security startup Paranoidlab.com. I approached Vovnenko because for many years beginning around 2010 he was the owner and operator of thesecure(.)biz, an encrypted “Jabber” instant messaging server that Europol said was operated by the suspect arrested in Kiev. Thesecure(.)biz became quite popular among the top Russian-speaking cybercriminals because it kept few records of its users' activity, and its administrator was always a trusted member of the community.
The reason I know this historical tidbit is that in 2013, Vovnenko – using the hacker nicknames “Fly” and “Flycracker” – hatched a plan to have a gram of heroin purchased from the Silk Road darknet market and sent to our house in northern Virginia. The scheme was to spoof a call to the local police from one of our neighbors, saying that the man down the road was a druggie who was having drugs delivered to his house.
I was lurking on Flycracker's private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack arrived. Vovnenko was later arrested for unrelated cybercrime activities, extradited to the United States, convicted, and deported after 16 months in the US prison system (on many occasions, he has expressed his heartfelt apology for the incident, and we have since buried the hatchet).
Vovnenko said that he bought a device for cloning credit cards from Toha in 2009, and that Toha sent the item from Russia. Vovnenko said that he (Flycracker) was the owner and operator of thesecure(.)biz from 2010 to 2014.
Vovnenko believes that thesecure(.)biz was stolen while he was in jail, either by Toha and/or by an XSS administrator who went by the nicknames N0klos and Sound.
“When I was in jail, (the) administrator of xss.is stole the domain, or perhaps N0klos bought Toha or vice versa,” Vovnenko said about the Jabber domain. “None of (the forums) talked to me during my jail time, so I can only guess what really happened.”
N0klos was the owner and administrator of an early Russian-language cybercrime forum, darklife(.)ws. However, N0klos also appears to be a lifelong Russian resident, and in any case disappeared from Russian cybercrime forums several years ago.
Asked if he believes that Toha was the XSS administrator who was arrested in Ukraine this month, Vovnenko said that Toha is Russian, and that “the wrong man was taken by the French police.”
Who is Toha?
So who did the Ukrainian police arrest in response to the investigation by French officials? It seems plausible that the BMW advertisement invoking Toha's email address and a Russian citizen's name and phone number was misdirection on Toha's part – aimed at confusing and throwing off the investigators. Perhaps it also explains the Avdeev surname in the registration records from one of Toha's domains.
But sometimes the simplest answer is correct. “Toha” is a common Slavic nickname for someone with the first name “Anton”, and it matches the name in the registration records for more than a dozen domains tied to Toha's toschka2003@yandex.ru email address: Anton Medvedovski.
Constella Intelligence finds that there is an Anton Ganadivich Medvedovski living in Kiev who will be 38 years old in December. This person owns the email address itsmail@i.ua, as well as an Airbnb account featuring a profile photo of a man with almost the same hairline as the suspect in the blurred photographs released by the Ukrainian police. Mr. Medvedovski did not respond to a request for comment.
My take on the takedown is that Ukrainian authorities probably arrested Medvedovski. Toha shared on DaMaGeLaB in 2005 that he had recently finished 11th grade and was studying at a university – a time when Medvedovski was around 18 years old. On December 11, 2006, fellow Exploit members wished Toha a happy birthday. Records from a 2022 hack at the Ukrainian public services portal diia.gov.ua state that Mr. Medvedovski's birthday is 11 December 1987.
The law enforcement action and the resulting confusion about the identity of the detainee have thrown the Russian cybercrime forum scene into disarray in recent weeks, with long and heated arguments about the future of XSS spooling out across the forums.
XSS relaunched at a new Tor address shortly after the authorities plastered their seizure notice on the forum's homepage, but all the trusted intermediaries of the old platform were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to put down a deposit to register on the new forum. The new XSS “administrator” said that they were in touch with the previous owners and that the changes were meant to help rebuild security and trust within the community.
However, the new administrator's assurances have done little to allay the worst fears of the forum's former members, most of whom are keeping their distance from the relaunched site for now.
Indeed, if there is a common understanding among all these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have many years of private messages between XSS forum users, as well as contact rosters and other user data associated with the seized Jabber server.
“The myth of the ‘trusted person’ is shattered,” the user “GordonBellford” warned on August 3 in an Exploit forum thread that spans dozens of pages. “The forum is run by strangers. They got everything. Two-year-old Jabber server log. Full backup and forum database.”
GordonBellford continued:
And the scariest thing is: this data array is not just a collection. It is material for analysis that has already been done. With the help of modern equipment, they see everything:
Closure of your contacts and activity.
Relationship between surname, email, password hash and Jabber ID.
Timestamp, IP address and digital fingerprint.
Your unique writing style, phraseology, punctuation, stability of grammatical errors, and even specific typos which will add your accounts to different platforms.
They are not looking for a needle in a haystack. They just dropped the grasslands through the AI sieve and got the prepared dossier.