Who Got Arrested in the Raid on the XSS Crime Forum?

The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, who goes by the hacker handle "Toha." Toha is considered a pivotal figure in the crime forum scene, with a presence on Russian-language cybercrime forums stretching back nearly 20 years.

According to Europol, the suspect acted as a trusted third party on XSS, arbitrating disputes between criminals and guaranteeing the security of transactions. The police agency also said Toha was responsible for administering the forum.

Ukraine's SBU security service stated that XSS counted among its members many cybercriminals from various ransomware groups, including REvil, LockBit, Conti and Qilin. Since the Europol announcement, the XSS forum has resurfaced at a new address on the dark web (reachable only via the Tor anonymity network).

A review of recent posts, however, suggests there is little consensus among longtime members about Toha's identity. The most common response to the arrest has been a message of solidarity and support for Toha, with some forum users expressing concern about the implications of his detention.

Toha's accounts on other forums have been silent since the raid. Europol stated that the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha's history: in 2005, Toha was a founding member of the Russian-speaking forum Hack-All.

Toha later rebranded that forum as exploit[.]in, which would go on to draw tens of thousands of members, including an eventual Who's-Who of wanted cybercriminals. Another of the oldest Russian-language cybercrime forums, DaMaGeLaB, operated from 2004 to 2017.

In 2018, a partial backup of the DaMaGeLaB forum was reincarnated as xss[.]is, with Toha as its stated administrator. Clues about Toha's early presence on the Internet, from roughly 2004 to 2010, are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity.

Intel 471's records show Toha used the same email address across multiple forum accounts, including at Exploit, Antichat, Carder[.]su and inattack[.]ru. DomainTools.com finds that this address, toschka2003@yandex.ru, was used to register at least a dozen domain names.

DomainTools.com also shows that the domains registered to toschka2003@yandex.ru end in .ua, the top-level domain for Ukraine. A 2008 snapshot of one such domain, registered to toschka2003@yandex.ru and to an Anton Medvedovsky in Kiev, shows a message stating that the site was protected by exploit[.]in.

Europol's investigation into Toha has sparked controversy among denizens of Russian-language cybercrime forums. Some believe the French authorities took the wrong person, while others express skepticism about Toha's true identity.

Sergeii Vovnenko, a former cybercriminal from Ukraine, believes that Toha is Russian and that the French authorities arrested the wrong man. Vovnenko also recounts his own past dealings with Toha.

According to Vovnenko, Toha was involved in a scheme to purchase heroin on the Silk Road darknet market. The plan was foiled when Vovnenko's neighbor contacted local authorities, leading to Vovnenko's arrest and deportation.

Vovnenko also says Toha shipped him a credit card cloning device from Russia in 2009. He believes Toha may have stolen his Jabber domain while Vovnenko was in jail.

Since the raid on XSS, regulars of Russian-language cybercrime forums have been trading speculation and worry about what comes next, and many forum members are keeping their distance from the relaunched site over concerns about its security and trustworthiness.

One user noted that the Ukrainian and French authorities now have access to years' worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.

This has raised concerns among some forum members, who believe that their online activities are being monitored. "The myth of the 'trusted person' is shattered," one user noted.