
IOCTA 2026 Report Warns of Rising AI-Driven Cybercrime and Dark Web Threats


The IOCTA 2026 report released by Europol offers a detailed look at how cybercrime is evolving across Europe, with criminals increasingly using artificial intelligence, encryption, and cryptocurrencies to scale their operations. The latest edition of the Internet Organised Crime Threat Assessment outlines key trends shaping the threat landscape and calls for stronger coordination among law enforcement agencies. According to the IOCTA 2026 report, cybercrime is becoming more complex and interconnected, driven by rapid technological advancements. The findings highlight how criminals are adapting quickly, making it harder for authorities to detect, track, and disrupt their activities.

IOCTA 2026 Report Maps Evolving Cyber Threat Landscape

The IOCTA 2026 report serves as a roadmap for understanding emerging cyber threats, covering areas such as online fraud, ransomware attacks, and child exploitation networks. Edvardas Šileris, Head of the European Cybercrime Centre at Europol, emphasized that the report is intended to help law enforcement agencies respond effectively to these evolving risks. He noted that as cybercriminals continue to exploit new technologies, strengthening capabilities and improving collaboration will be essential to protect citizens and critical infrastructure.

Dark Web Fragmentation and Cryptocurrencies Fuel Crime

A key finding in the IOCTA 2026 report is the continued role of the dark web as a central hub for cybercriminal activity. Despite ongoing crackdowns, marketplaces and forums remain active, with criminals frequently shifting platforms to avoid detection. The report highlights how fragmentation and specialization across these platforms make investigations more difficult. Encrypted messaging services and anonymized networks are increasingly connecting surface and dark web environments, reducing the visibility of criminal operations. Cryptocurrencies also play a significant role, according to the IOCTA 2026 report. Privacy-focused coins and offshore exchanges are widely used to launder ransomware payments, making financial tracking more challenging. The report also points to a growing trend of younger individuals becoming involved in cryptocurrency-related activities, sometimes without understanding the legal risks.

AI-Driven Fraud Expands Across Europe

The IOCTA 2026 report identifies artificial intelligence as a major driver of online fraud. Cybercriminals are using generative AI tools to create highly targeted phishing campaigns and social engineering attacks. These tools allow attackers to:
  • Personalize fraudulent messages at scale
  • Mimic legitimate communication styles
  • Automate large-scale scam operations
The report also highlights the use of caller ID spoofing and SIM farms, which enable attackers to send thousands of messages or calls simultaneously. This combination of AI and automation is increasing both the reach and success rate of fraud campaigns.

Ransomware and Data Extortion Remain Key Threats

Ransomware continues to be a dominant threat, as outlined in the IOCTA 2026 report. A large number of active ransomware groups were observed throughout 2025, with many adopting data extortion tactics. Instead of relying solely on encryption, attackers are increasingly threatening to release stolen data to pressure victims into paying. This shift has made cyberattacks more damaging, particularly for public institutions and large organizations. The report also notes growing links between state-sponsored actors and criminal groups, with some cybercriminals acting as proxies in broader geopolitical strategies. Emerging hacking coalitions are adding another layer of complexity to the threat landscape.

Rise in Online Child Exploitation and Criminal Networks

The IOCTA 2026 report highlights a concerning increase in online child sexual exploitation cases. The financial trade of child abuse material is growing, and the use of synthetic content is creating new challenges for investigators. Encrypted messaging platforms are widely used by offenders, making it harder for authorities to monitor and intervene. The report also points to the emergence of organized online communities that engage in multiple forms of criminal activity. These networks combine cybercrime with violent offenses, creating a complex and dangerous ecosystem that extends beyond digital spaces.

Need for Stronger Law Enforcement Collaboration

The findings of the IOCTA 2026 report reinforce the need for improved coordination between governments, law enforcement agencies, and industry stakeholders. As cyber threats become more advanced, isolated efforts are no longer sufficient. The report provides actionable insights and recommendations aimed at strengthening investigative capabilities and improving response strategies. It also stresses the importance of innovation in tackling new forms of cybercrime.

Operation PowerOFF: 53 DDoS domains seized and 3 Million criminal accounts uncovered

Operation PowerOFF shut down 53 DDoS-for-hire domains, arrested four suspects, and exposed data on over 3 million criminal user accounts.

Operation PowerOFF is an international law enforcement action that dismantled 53 domains linked to DDoS-for-hire services used by over 75,000 cybercriminals. Authorities arrested four suspects, seized infrastructure, and gained access to databases containing more than 3 million user accounts. They are now warning identified users, while continuing investigations with multiple search warrants.

DDoS-for-hire services, or “booters,” are illegal platforms that let users pay to launch DDoS attacks that flood websites or servers with traffic, causing outages. They are used for harassment, extortion, or disruption and can lead to serious legal consequences for users.

“On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services.” reads the press release published by EUROPOL. “With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the takedown of 53 domains and the issuing of 25 search warrants.”

21 countries participated in the law enforcement operation PowerOFF: Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Sweden, Thailand, the U.K., and the U.S.

Authorities disrupted booter services by seizing servers and infrastructure used to launch attacks, limiting further harm. Access to seized databases with over 3 million user accounts enabled coordinated global actions against cybercriminals and raised awareness about the illegality of these services.

Operation PowerOFF continues with a strong prevention phase to stop future DDoS attacks. Authorities launched campaigns targeting users, including ads warning young people searching for attack tools, removal of over 100 malicious URLs, and warning messages sent via blockchains used for payments. They also updated the official website to highlight ongoing actions and raise awareness about the risks and illegality of DDoS-for-hire services.

Authorities continue dismantling global DDoS-for-hire networks under Operation PowerOFF. In August 2025, the U.S. also took down the RapperBot botnet, used for large-scale attacks across more than 80 countries since 2021.

In December 2024, law enforcement agencies operating under Operation PowerOFF disrupted 27 of the most popular platforms (including zdstresser.net, orbitalstress.net, and starkstresser.net) to launch Distributed Denial-of-Service (DDoS) attacks. The authorities also arrested three administrators of these platforms in France and Germany, and identified over 300 users.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Operation PowerOFF)

75,000 DDoS-for-Hire Users Reprimanded as Authorities Seize Dozens of Domains


Law enforcement agencies across Europe, the United States, and other partner nations cracked down on the commercial DDoS-for-hire ecosystem, targeting both operators and customers of services used to knock websites offline.

The coordinated effort led to the seizure of 53 domains, four arrests, 25 search warrants, and warning notices sent to more than 75,000 people suspected of using so-called “booter” or “stresser” platforms.

A Crackdown on DDoS-for-Hire

DDoS-for-hire platforms allow customers to pay relatively small fees to launch distributed denial-of-service attacks against websites, gaming services, businesses, and public infrastructure. In fact, the AI-driven threat intelligence company Cyble, in a new research report released today, said DDoS was the primary mode of attack during the ongoing Iran-Israel and U.S. conflict. Cyble recorded a 140% increase in DDoS attacks targeting Israeli entities after September 2025, and at the height of the conflict saw 40 DDoS attacks per day.

These DDoS-for-hire services often market themselves as legitimate stress-testing tools, but authorities say they are widely abused for harassment, extortion, and disruption.

The latest enforcement wave is part of the long-running international initiative known as "Operation PowerOFF," which has previously dismantled multiple booter services and disrupted related infrastructure.


U.S. Authorities Seize Key Infrastructure

The U.S. Department of Justice said investigators in Alaska seized infrastructure linked to eight DDoS-for-hire domains, including services branded as Vac Stresser and Mythical Stress, both of which allegedly advertised the ability to launch tens of thousands of attacks per day. Investigators also searched backend servers tied to the platforms.

Officials did not immediately identify those behind the services, but said the action was intended to disrupt the technical backbone used to power attacks globally.

75,000 Users Contacted Directly

In one of the more unusual aspects of the operation, authorities contacted more than 75,000 suspected users directly through warning emails and letters.

Law enforcement agencies appear to be using deterrence alongside takedowns—sending a message that paying for DDoS attacks leaves a trail and may bring legal consequences.

Security experts say the tactic could be particularly effective against younger or low-level offenders who use these platforms for gaming disputes, personal retaliation, or vandalism without fully understanding the legal risks.

Investigators said they identified around three million criminal accounts connected to the wider DDoS-for-hire ecosystem. The sheer number of accounts shows how industrialized cybercrime services have become. Instead of building botnets or malware, users can simply rent attack capability on demand.

DDoS attacks overwhelm a target with traffic, often causing websites, applications, or networks to crash. While sometimes dismissed as nuisance attacks, they can disrupt hospitals, financial institutions, government portals, and emergency services.

Recent years have also seen DDoS attacks used as smokescreens to distract security teams while other intrusions unfold.
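A volumetric flood of the kind described above is often first visible in a web server's own access logs, as a surge of requests from one source or from many sources at once. The following Python script is an added example, not code from any of the articles or agencies quoted here: it parses Combined Log Format lines, keeps a sliding window of request timestamps per client IP and for the whole server, and flags both a single noisy source and a distributed burst that no single IP would reveal. The log lines, IP addresses (documentation ranges), window length and thresholds are all constructed for the demonstration.

```python
"""Volumetric DDoS triage over web-server access logs (added example).

Flags client IPs whose request count inside a sliding window exceeds a
per-IP threshold, and separately tracks the aggregate request count so a
flood spread across many sources is still caught. All sample traffic is
constructed; thresholds are illustrative and would be tuned per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a valid log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_flood(lines, window_seconds=10, per_ip_threshold=50, global_threshold=200):
    """Sliding-window rate check over access log lines.

    Returns a dict with the IPs that individually exceeded per_ip_threshold
    requests within window_seconds, whether the aggregate rate ever reached
    global_threshold (a distributed flood), and the peak window count.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e[1])  # logs may be interleaved across workers

    per_ip = defaultdict(deque)  # ip -> timestamps inside the window
    recent = deque()             # all timestamps inside the window
    flagged, peak, distributed = set(), 0, False

    for ip, ts in events:
        q = per_ip[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= per_ip_threshold:
            flagged.add(ip)

        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        peak = max(peak, len(recent))
        if len(recent) >= global_threshold:
            distributed = True

    return {
        "flagged_ips": flagged,
        "distributed_flood": distributed,
        "peak_window_requests": peak,
        "total_requests": len(events),
    }


def _line(ip, second, path="/"):
    """Build one constructed log line at 10:00:<second> on a fixed date."""
    return f'{ip} - - [13/Apr/2026:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed traffic: benign browsing, one loud source, one distributed burst."""
    lines = [_line("198.51.100.7", s, "/login") for s in range(5)]          # 5 normal requests
    lines += [_line("203.0.113.10", 20 + (i % 2)) for i in range(120)]       # 120 hits in 2 s from one IP
    lines += [_line(f"203.0.113.{100 + n}", 40 + (i % 2))                    # 40 IPs x 6 hits = 240 in 2 s
              for n in range(40) for i in range(6)]
    return lines


if __name__ == "__main__":
    result = detect_flood(build_sample_log())
    print(f"requests parsed: {result['total_requests']}")
    print(f"single-source offenders: {sorted(result['flagged_ips'])}")
    print(f"distributed flood detected: {result['distributed_flood']}")
    print(f"peak requests in one window: {result['peak_window_requests']}")
```

The single-source burst trips only the per-IP check, while the 40-source burst stays under the per-IP threshold and is caught only by the aggregate counter; a detector that keys solely on individual IPs would miss the second case, which is the more common shape of booter traffic.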


A Persistent Cat-and-Mouse Game

Despite repeated takedowns, booter services often reappear quickly under new names, new domains, or relocated hosting providers. Researchers have found that while seizures can significantly reduce traffic in the short term, the market has proven resilient over time.

That means operations like PowerOFF may need to combine arrests, infrastructure seizures, financial disruption, and user deterrence to have lasting impact.

March 2026 Dark Web Issue Trends Report

Alert: this report is a summary of deep web and dark web source-based material and contains some facts that cannot be fully verified due to the nature of the sources.

Major Issues: BreachForums’ internal collapse and attempts to rebuild were observed. Trust was undermined by the betrayal of moderators and the movement of funds, and […]

US and European authorities disrupt SocksEscort proxy service tied to AVrecon botnet

Authorities in the US and Europe disrupted the SocksEscort proxy service, which used the AVrecon botnet and infected about 360,000 devices since 2020.

Law enforcement agencies in the US and Europe have disrupted SocksEscort, a malicious proxy service powered by the AVrecon botnet. Active since 2020, the service hijacked roughly 360,000 devices and allowed cybercriminals to route traffic through compromised systems to support illegal activities.

On March 11, 2026, Europol and partners from the US and several European countries launched Operation Lightning against the SocksEscort service. The service had compromised more than 369,000 routers and IoT devices across 163 countries, providing over 35,000 proxies to customers. Authorities seized 34 domains and 23 servers in seven countries and froze $3.5 million in cryptocurrency while disconnecting infected devices from the network.

An investigation led by Europol found a botnet of infected devices, mainly residential routers exploited through vulnerabilities. The network supported cybercrime activities such as ransomware operations, DDoS attacks, and the distribution of child sexual abuse material.

“The compromised devices were infected through a vulnerability in the residential modems of a specific brand. Customers of the criminal service paid for licences to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities.” reads the press release published by Europol. “To protect against such exploits, users, and vendors are advised to update the firmware of their devices regularly.”

The SocksEscort platform sold access to compromised IP addresses from infected routers and modems worldwide, allowing criminals to hide their identity online. Victims were unaware their devices were abused for illicit activity. According to Europol, customers paid anonymously with cryptocurrency, generating over €5 million in revenue.

“Cybercrime thrives on anonymity. Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection. By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale.” said Catherine De Bolle, the Europol Executive Director. “Operations like this show that when investigators connect the dots internationally, the infrastructure behind cybercrime can be exposed and shut down.”

The US DoJ also wrote that crooks used the SocksEscort network to hide their real IP addresses and locations while carrying out fraud, including bank and cryptocurrency account takeovers and fake unemployment claims in the U.S. Victims lost millions, including $1M from a crypto investor and $700K from a manufacturing firm. Authorities from Austria, France, and the Netherlands helped dismantle the infrastructure.

“According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers. Since the summer of 2020, SocksEscort has offered to sell access to about 369,000 different IP addresses.” states the DoJ. “As of February 2026, the SocksEscort application listed approximately 8,000 infected routers to which its customers could buy access, of those, 2,500 were in the United States.”

In July 2023, Lumen Black Lotus Labs uncovered a long-running hacking campaign targeting SOHO routers with a strain of malware dubbed AVrecon. The malware was spotted for the first time in May 2021, but had been operating under the radar for more than two years.

“Lumen Black Lotus Labs identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed ‘AVrecon.’” reads the analysis published by Lumen.

Threat actors behind the campaign aimed at building a botnet to use for a range of criminal activities, from password spraying to digital advertising fraud.

The AVrecon malware was written in C to ensure portability and designed to target ARM-embedded devices. The experts discovered that the malicious code had been compiled for different architectures.

Black Lotus Labs announced it had partnered with the Department of Justice in taking down the proxy network known.

“This botnet posed a significant threat, as it was marketed exclusively to criminals and composed solely of compromised edge devices. Over the past several years, SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).” Lumen experts wrote on LinkedIn.

More than half of the victims were located in the United States and the United Kingdom, allowing attackers to conduct highly targeted operations and increasing the risks associated with the SocksEscort proxy network.

Pierluigi Paganini

FBI and Europol Dismantle LeakBase Cybercrime Forum With 142,000 Users


An international law enforcement operation has dismantled LeakBase, a major online marketplace for stolen data that had become a central hub for cybercriminal activity. The forum had amassed more than 142,000 registered users and hosted thousands of posts offering leaked databases and stolen credentials. The operation, coordinated by Europol, targeted the infrastructure of the platform as well as several of its most active users. Investigators carried out coordinated enforcement actions between 3 and 4 March, marking one of the latest global efforts to disrupt the underground economy that thrives on stolen personal and corporate data. Authorities say the takedown significantly disrupted a platform that had been widely used by criminals to trade compromised information and facilitate further cyberattacks.

LeakBase: A Growing Marketplace for Stolen Credentials

Active since 2021, LeakBase operated openly on the web and primarily used English, allowing it to attract a global community of cybercriminals. The forum specialised in trading leaked databases and so-called “stealer logs,” which are collections of credentials captured by infostealer malware. These logs typically contain email addresses, passwords and other authentication data that criminals use to access online accounts. Once obtained, the information can be used for account takeovers, fraud schemes and further cyber intrusions.

LeakBase. Image Source: Europol

Over time, LeakBase developed a structured system that helped it grow rapidly. The forum used a credit-based economy and reputation system, allowing users to build credibility within the community and gain access to more valuable data. This system helped maintain trust among offenders and kept the marketplace active. Despite being an international platform, LeakBase reportedly had an internal rule that prohibited the sale or publication of data related to Russia, highlighting the unusual dynamics that sometimes exist within cybercrime networks.

By December 2025, the forum had accumulated more than 142,000 registered users, around 32,000 posts, and over 215,000 private messages, underscoring its role as a major player in the underground data-trading ecosystem.

Coordinated Global Action Against the Cybercrime Forum

The operation involved law enforcement authorities from several countries, including Australia, Belgium, Canada, Germany, Greece, Malaysia, the Netherlands, Poland, Portugal, Romania, Spain, the United Kingdom and the United States. On 3 March, authorities launched coordinated enforcement actions that included arrests, house searches and “knock-and-talk” visits targeting individuals suspected of being heavily involved in the forum’s activity. Around 100 enforcement actions were conducted globally, with investigators focusing on 37 of the most active users of the platform. The following day, authorities moved to the technical disruption phase of the operation. Investigators seized the forum’s domain and replaced the website with a law enforcement notice, effectively shutting down the platform and preventing further activity. Officials say the investigation is now entering a prevention phase that aims to deter others from engaging in similar cybercrime operations.

Europol’s Role in Tracking the Forum

Europol analysts played a key role in the investigation by mapping the infrastructure of the LeakBase forum and analyzing user activity across the platform. Investigators cross-matched the forum’s data with ongoing cases across Europe and other regions, helping identify suspects and connect digital evidence across multiple jurisdictions. At Europol’s headquarters in The Hague, a dedicated operational data sprint brought together specialists to process the seized information quickly. A data scientist also supported the investigation by structuring millions of data points to generate actionable leads for law enforcement teams. The operation was carried out within the framework of the Joint Cybercrime Action Taskforce (J-CAT), which supports international cybercrime investigations.

Anonymity in Cybercrime Is Often an Illusion

Authorities say the investigation also exposed how fragile anonymity can be within the cybercrime world. By seizing the forum’s database, investigators were able to identify and deanonymise several users who believed they were operating under complete anonymity. In some cases, investigators contacted suspects directly through the same online channels that had been used to facilitate criminal activity. Edvardas Šileris, Head of Europol’s European Cybercrime Centre, said the operation sends a clear signal to cybercriminals operating online. “This operation shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.”

Stolen Data Rarely Disappears

Investigators also warn that the shutdown of LeakBase highlights a broader reality about cybercrime. When organizations or individuals suffer a data breach, the stolen information often resurfaces on underground platforms where it can be reused for scams, phishing campaigns or identity theft. While the takedown is a significant step, experts caution that similar marketplaces can quickly emerge to replace them. For individuals, authorities emphasize the importance of basic cybersecurity hygiene, including using strong and unique passwords and enabling multi-factor authentication to reduce the risk of compromised accounts.

Europol’s Project Compass nets 30 arrests in crackdown on “The Com”

Europol’s Project Compass led to 30 arrests targeting ‘The Com’ network, identifying 62 victims and protecting four children from harm.

A yearlong operation led by Europol, code-named Project Compass, has dealt a major blow to ‘The Com,’ a cybercrime network known for targeting children and teenagers. The joint effort, coordinated by Europol’s European Counter Terrorism Centre, brought together law enforcement agencies from 28 countries.

“The Com” operates through a scattered online network, using social media, messaging apps, gaming platforms and streaming services to recruit and exploit young people. Its decentralized structure makes.

The Com is mostly composed of English-speaking cybercriminals aged 16 to 25. The group has been linked to attacks ranging from crippling British retailers’ IT systems to making bomb threats and coercing teenage girls into self-harm. Its latest alleged victims are premium users of Pornhub, whose data was reportedly hacked by ShinyHunters, an offshoot tied to the broader Com network, which includes Scattered Spider.

Since January 2025, Project Compass has delivered significant operational results, including the safeguarding of four victims and the arrest of 30 perpetrators. Investigators identified or partially identified 62 victims and 179 suspects, while also carrying out nine joint awareness initiatives. The project has strengthened cross-border cooperation among 28 countries, enabling coordinated investigations, faster responses to emerging threats, and structured information sharing.

“These networks deliberately target children in the digital spaces where they feel most at ease. Project Compass allows us to intervene earlier, safeguard victims and disrupt those who exploit vulnerability for extremist purposes.” said Anna Sjöberg, Head of Europol’s European Counter Terrorism Centre. “No country can address this threat alone – and through this cooperation, we are closing the gaps they try to hide in.”

Pierluigi Paganini

Who Got Arrested in the Raid on the XSS Crime Forum?

On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” Here’s a deep dive on what’s knowable about Toha, and a short stab at who got nabbed.

An unnamed 38-year-old man was arrested in Kiev last month on suspicion of administering the cybercrime forum XSS. Image: ssu.gov.ua.

Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party — arbitrating disputes between criminals — and guaranteeing the security of transactions on XSS. A statement from Ukraine’s SBU security service said XSS counted among its members many cybercriminals from various ransomware groups, including REvil, LockBit, Conti, and Qilin.

Since the Europol announcement, the XSS forum resurfaced at a new address on the deep web (reachable only via the anonymity network Tor). But from reviewing the recent posts, there appears to be little consensus among longtime members about the identity of the now-detained XSS administrator.

The most frequent comment regarding the arrest was a message of solidarity and support for Toha, the handle chosen by the longtime administrator of XSS and several other major Russian forums. Toha’s accounts on other forums have been silent since the raid.

Europol said the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha’s history. In 2005, Toha was a founding member of the Russian-speaking forum Hack-All. That is, until it got massively hacked a few months after its debut. In 2006, Toha rebranded the forum to exploit[.]in, which would go on to draw tens of thousands of members, including an eventual Who’s-Who of wanted cybercriminals.

Toha announced in 2018 that he was selling the Exploit forum, prompting rampant speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. However, those suspicions were unsupported by evidence, and Toha vehemently denied the forum had been given over to authorities.

One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018, a partial backup of the DaMaGeLaB forum was reincarnated as xss[.]is, with Toha as its stated administrator.

CROSS-SITE GRIFTING

Clues about Toha’s early presence on the Internet — from ~2004 to 2010 — are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity. Intel 471 shows Toha used the same email address across multiple forum accounts, including at Exploit, Antichat, Carder[.]su and inattack[.]ru.

DomainTools.com finds Toha’s email address — toschka2003@yandex.ru — was used to register at least a dozen domain names — most of them from the mid- to late 2000s. Apart from exploit[.]in and a domain called ixyq[.]com, the other domains registered to that email address end in .ua, the top-level domain for Ukraine (e.g. deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).

A 2008 snapshot of a domain registered to toschka2003@yandex.ru and to Anton Medvedovsky in Kiev. Note the message at the bottom left, “Protected by Exploit,in.” Image: archive.org.

Nearly all of the domains registered to toschka2003@yandex.ru contain the name Anton Medvedovskiy in the registration records, except for the aforementioned ixyq[.]com, which is registered to the name Yuriy Avdeev in Moscow.

This Avdeev surname came up in a lengthy conversation with Lockbitsupp, the leader of the rapacious and destructive ransomware affiliate group Lockbit. The conversation took place in February 2024, when Lockbitsupp asked for help identifying Toha’s real-life identity.

In early 2024, the leader of the Lockbit ransomware group — Lockbitsupp — asked for help investigating the identity of the XSS administrator Toha, which he claimed was a Russian man named Anton Avdeev.

Lockbitsupp didn’t share why he wanted Toha’s details, but he maintained that Toha’s real name was Anton Avdeev. I declined to help Lockbitsupp in whatever revenge he was planning on Toha, but his question made me curious to look deeper.

It appears Lockbitsupp’s query was based on a now-deleted Twitter post from 2022, when a user by the name “3xp0rt” asserted that Toha was a Russian man named Anton Viktorovich Avdeev, born October 27, 1983.

Searching the web for Toha’s email address toschka2003@yandex.ru reveals a 2010 sales thread on the forum bmwclub.ru where a user named Honeypo was selling a 2007 BMW X5. The ad listed the contact person as Anton Avdeev and gave the contact phone number 9588693.

A search on the phone number 9588693 in the breach tracking service Constella Intelligence finds plenty of official Russian government records with this number, date of birth and the name Anton Viktorovich Avdeev. For example, hacked Russian government records show this person has a Russian tax ID and SIN (Social Security number), and that they were flagged for traffic violations on several occasions by Moscow police; in 2004, 2006, 2009, and 2014.

Astute readers may have noticed by now that the ages of Mr. Avdeev (41) and the XSS admin arrested this month (38) are a bit off. This would seem to suggest that the person arrested is someone other than Mr. Avdeev, who did not respond to requests for comment.

A FLY ON THE WALL

For further insight on this question, KrebsOnSecurity sought comments from Sergeii Vovnenko, a former cybercriminal from Ukraine who now works at the security startup paranoidlab.com. I reached out to Vovnenko because for several years beginning around 2010 he was the owner and operator of thesecure[.]biz, an encrypted “Jabber” instant messaging server that Europol said was operated by the suspect arrested in Kiev. Thesecure[.]biz grew quite popular among many of the top Russian-speaking cybercriminals because it scrupulously kept few records of its users’ activity, and its administrator was always a trusted member of the community.

The reason I know this historic tidbit is that in 2013, Vovnenko — using the hacker nicknames “Fly” and “Flycracker” — hatched a plan to have a gram of heroin purchased from the Silk Road darknet market and shipped to our home in Northern Virginia. The scheme was to spoof a call from one of our neighbors to the local police, saying this guy Krebs down the street was a druggie who was having narcotics delivered to his home.

I happened to be lurking on Flycracker’s private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack eventually arrived in the U.S. Mail. Vovnenko was later arrested for unrelated cybercrime activities, extradited to the United States, convicted, and deported after a 16-month stay in the U.S. prison system [on several occasions, he has expressed heartfelt apologies for the incident, and we have since buried the hatchet].

Vovnenko said he purchased a device for cloning credit cards from Toha in 2009, and that Toha shipped the item from Russia. Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.

Vovnenko believes thesecure[.]biz was stolen while he was in jail, either by Toha, by an XSS administrator who went by the nicknames N0klos and Sonic, or by both.

“When I was in jail, [the] admin of xss.is stole that domain, or probably N0klos bought XSS from Toha or vice versa,” Vovnenko said of the Jabber domain. “Nobody from [the forums] spoke with me after my jailtime, so I can only guess what really happened.”

N0klos was the owner and administrator of an early Russian-language cybercrime forum known as Darklife[.]ws. However, N0klos also appears to be a lifelong Russian resident, and in any case seems to have vanished from Russian cybercrime forums several years ago.

Asked whether he believes Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko maintained that Toha is Russian, and that “the French cops took the wrong guy.”

WHO IS TOHA?

So who did the Ukrainian police arrest in response to the investigation by the French authorities? It seems plausible that the BMW ad invoking Toha’s email address and the name and phone number of a Russian citizen was simply misdirection on Toha’s part — intended to confuse and throw off investigators. Perhaps this even explains the Avdeev surname surfacing in the registration records from one of Toha’s domains.

But sometimes the simplest answer is the correct one. “Toha” is a common Slavic nickname for someone with the first name “Anton,” and that matches the name in the registration records for more than a dozen domains tied to Toha’s toschka2003@yandex.ru email address: Anton Medvedovskiy.

Constella Intelligence finds there is an Anton Gannadievich Medvedovskiy living in Kiev who will be 38 years old in December. This individual owns the email address itsmail@i.ua, as well as an Airbnb account featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by the Ukrainian police. Mr. Medvedovskiy did not respond to a request for comment.

My take on the takedown is that the Ukrainian authorities likely arrested Medvedovskiy. Toha shared on DaMaGeLab in 2005 that he had recently finished the 11th grade and was studying at a university — a time when Medvedovskiy would have been around 18 years old. On Dec. 11, 2006, fellow Exploit members wished Toha a happy birthday. Records exposed in a 2022 hack at the Ukrainian public services portal diia.gov.ua show that Mr. Medvedovskiy’s birthday is Dec. 11, 1987.

The law enforcement action and resulting confusion about the identity of the detained has thrown the Russian cybercrime forum scene into disarray in recent weeks, with lengthy and heated arguments about XSS’s future spooling out across the forums.

XSS relaunched on a new Tor address shortly after the authorities plastered their seizure notice on the forum’s homepage, but all of the trusted moderators from the old forum were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to plunk down a deposit to register at the new forum. The new XSS “admin” said they were in contact with the previous owners and that the changes were meant to help rebuild security and trust within the community.

However, the new admin’s assurances appear to have done little to assuage the worst fears of the forum’s erstwhile members, most of whom seem to be keeping their distance from the relaunched site for now.

Indeed, if there is one common understanding amid all of these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have several years worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.

“The myth of the ‘trusted person’ is shattered,” the user “GordonBellford” cautioned on Aug. 3 in an Exploit forum thread about the XSS admin arrest. “The forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.”

GordonBellford continued:

And the scariest thing is: this data array is not just an archive. It is material for analysis that has ALREADY BEEN DONE. With the help of modern tools, they see everything:

Graphs of your contacts and activity.
Relationships between nicknames, emails, password hashes and Jabber ID.
Timestamps, IP addresses and digital fingerprints.
Your unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.

They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers.
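The linking GordonBellford describes, and the pivoting earlier in this piece from an email address to a classified ad, a phone number and breach records, is mechanically the same thing: every selector two accounts share (email, password hash, Jabber ID, phone number, IP address) is an edge, and the "dossier" is a connected component of that graph. The following is an added example, not part of the original post and not code from any forum, Europol or Constella; every record, nickname, hash and address in it is a constructed placeholder, and the split between "strong" and "weak" selectors is this example's own design choice.

```python
"""Selector pivoting over leaked account data (added illustration).

All records below are CONSTRUCTED placeholders for this example; they are
not taken from the article, from any forum database or from any real leak.
Technique: treat each shared selector as an edge between accounts and read
off the connected components with a union-find structure.
"""
from collections import defaultdict

# Fields that can tie two accounts together. Nicknames alone are NOT
# selectors: different people pick the same handle on different forums.
SELECTOR_FIELDS = ("email", "password_hash", "jid", "phone", "ip")
# A shared IP is only a hint (NAT, VPN exits and shared hosting would
# otherwise collapse unrelated users into one cluster). Assumption of this
# example, not a rule from the article.
WEAK_FIELDS = ("ip",)

# Constructed sample: two forum user tables, a Jabber roster and a WHOIS
# record, roughly what an investigator holds after a seizure.
ALL_RECORDS = [
    {"source": "forumA", "nick": "redfox", "email": "a@example.test",
     "password_hash": "5f4dcc3b", "jid": "redfox@jabber.test", "ip": "198.51.100.7"},
    {"source": "forumB", "nick": "bluehawk", "email": "b@example.test",
     "password_hash": "5f4dcc3b", "ip": "203.0.113.9"},          # reused hash
    {"source": "forumB", "nick": "graywolf", "email": "c@example.test",
     "password_hash": "e99a18c4", "ip": "203.0.113.9"},          # shares IP only
    {"source": "forumC", "nick": "stranger", "email": "z@example.test",
     "password_hash": "ab56b4d9", "ip": "192.0.2.44"},           # no overlap
    {"source": "jabber", "nick": "redfox@jabber.test",
     "jid": "redfox@jabber.test", "ip": "198.51.100.7"},
    {"source": "whois", "nick": "registrant", "email": "a@example.test",
     "phone": "+15550100"},
]


class DisjointSet:
    """Minimal union-find with path halving."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def account_id(rec):
    """An account is a (source, nick) pair, never the nick alone."""
    return f"{rec['source']}:{rec['nick']}"


def link_accounts(records, fields=SELECTOR_FIELDS, weak=WEAK_FIELDS):
    """Return (clusters, hints): clusters are lists of account ids joined by
    strong selectors; hints map an account to others sharing only weak ones."""
    ds = DisjointSet()
    by_selector = defaultdict(set)
    for rec in records:
        acct = account_id(rec)
        ds.find(acct)                       # register even isolated accounts
        for f in fields:
            v = rec.get(f)
            if v:
                by_selector[(f, v.lower())].add(acct)
    hints = defaultdict(set)
    for (f, _v), accts in by_selector.items():
        accts = sorted(accts)
        if len(accts) < 2:
            continue
        if f in weak:
            for a in accts:
                hints[a].update(x for x in accts if x != a)
            continue
        for other in accts[1:]:
            ds.union(accts[0], other)
    clusters = defaultdict(set)
    for rec in records:
        a = account_id(rec)
        clusters[ds.find(a)].add(a)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0]), hints


def shared_selectors(records, acct_a, acct_b, fields=SELECTOR_FIELDS):
    """Explain a link: which selector values two accounts have in common."""
    recs = {account_id(r): r for r in records}
    ra, rb = recs[acct_a], recs[acct_b]
    return sorted((f, ra[f]) for f in fields
                  if ra.get(f) and ra[f].lower() == (rb.get(f) or "").lower())


if __name__ == "__main__":
    clusters, hints = link_accounts(ALL_RECORDS)
    for c in clusters:
        print("cluster:", c)
    for a, others in sorted(hints.items()):
        print("weak hint:", a, "->", sorted(others))
```

Two caveats a practitioner would keep in mind. Matching on password hashes only links accounts when the stored strings are literally identical (unsalted hashes, or the same password under the same salt scheme), so a miss proves nothing. And, as the BMW ad in this very story shows, a shared selector is a lead, not an identification: an email address dropped into someone else's classified ad links the two on paper regardless of whether the same person sits behind both.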
