On July 22, 2025, the European police company Europol<\/strong> mentioned<\/a> a long-running investigation led by the French Police resulted within the arrest of a 38-year-old administrator of XSS,<\/b>\u00a0a Russian-language cybercrime discussion board with greater than 50,000 members. The motion has triggered an ongoing frenzy of hypothesis and panic amongst XSS denizens concerning the id of the unnamed suspect, however the consensus is that he’s a pivotal determine within the crime discussion board scene who goes by the hacker deal with \u201cToha<\/strong>.\u201d Right here\u2019s a deep dive on what\u2019s knowable about Toha, and a brief stab at who obtained nabbed.<\/p>\n An unnamed 38-year-old man was arrested in Kiev final month on suspicion of administering the cybercrime discussion board XSS. Picture: ssu.gov.ua.<\/p>\n<\/div>\n Europol didn’t title the accused, however printed partially obscured images of him from the raid on his residence in Kiev. The police company mentioned the suspect acted as a trusted third get together \u2014 arbitrating disputes between criminals \u2014 and guaranteeing the safety of transactions on XSS. A assertion<\/a> from Ukraine\u2019s SBU<\/strong> safety service mentioned XSS counted amongst its members many cybercriminals from varied ransomware teams, together with REvil<\/strong>, LockBit<\/strong>, Conti<\/strong>, and Qiliin<\/strong>.<\/p>\n For the reason that Europol announcement, the XSS discussion board resurfaced at a brand new deal with on the deep internet (reachable solely through the anonymity community Tor<\/a>). However from reviewing the latest posts, there seems to be little consensus amongst longtime members concerning the id of the now-detained XSS administrator.<\/p>\n Probably the most frequent remark concerning the arrest was a message of solidarity and assist for Toha, the deal with chosen by the longtime administrator of XSS and a number of other different main Russian boards. Toha\u2019s accounts on different boards have been silent for the reason that raid.<\/p>\n Europol mentioned the suspect has loved a virtually 20-year profession in cybercrime, which roughly traces up with Toha\u2019s historical past. In 2005, Toha was a founding member of the Russian-speaking discussion board Hack-All. <\/strong>That’s, till it obtained massively hacked a couple of months after its debut. In 2006, Toha rebranded the discussion board to exploit[.]in<\/strong><\/a>, which might go on to attract tens of hundreds of members, together with an eventual Who\u2019s-Who of needed cybercriminals.<\/p>\n Toha introduced in 2018 that he was promoting the Exploit discussion board, prompting rampant hypothesis on the boards that the customer was secretly a Russian or Ukrainian authorities entity or entrance individual. Nevertheless, these suspicions had been unsupported by proof, and Toha vehemently denied the discussion board had been given over to authorities.<\/p>\n One of many oldest Russian-language cybercrime boards was DaMaGeLaB<\/strong>, which operated from 2004 to 2017, when its administrator \u201cAr3s\u201d was arrested. In 2018, a partial backup of the DaMaGeLaB discussion board was reincarnated as xss[.]is<\/a>, with Toha as its acknowledged administrator.<\/p>\n Clues about Toha\u2019s early presence on the Web \u2014 from ~2004 to 2010 \u2014 can be found within the archives of Intel 471<\/strong>, a cyber intelligence agency that tracks discussion board exercise. Intel 471 exhibits Toha used the identical e-mail deal with throughout a number of discussion board accounts, together with at Exploit, Antichat<\/strong>, Carder[.]su<\/strong> and inattack[.]ru.<\/strong><\/p>\n DomainTools.com<\/strong> finds Toha\u2019s e-mail deal with \u2014 toschka2003@yandex.ru<\/strong> \u2014 was used to register a minimum of a dozen domains \u2014 most of them from the mid- to late 2000s. Other than exploit[.]in and a website known as ixyq[.]com<\/strong>, the opposite domains registered to that e-mail deal with finish in .ua, the top-level area for Ukraine (e.g. deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).<\/p>\n A 2008 snapshot of a website registered to toschka2003@yandex.ru and to Anton Medvedovsky in Kiev. Word the message on the backside left, \u201cProtected by Exploit,in.\u201d Picture: archive.org.<\/p>\n<\/div>\n Practically the entire domains registered to toschka2003@yandex.ru comprise the title Anton Medvedovskiy<\/strong> within the registration information, apart from the aforementioned ixyq[.]com, which is registered to the title Yuriy Avdeev<\/strong> in Moscow.<\/p>\n This Avdeev surname got here up in a prolonged dialog with Lockbitsupp<\/a>, the chief of the rapacious and harmful ransomware affiliate group Lockbit<\/strong>. The dialog befell in February 2024, when Lockbitsupp requested for assist figuring out Toha\u2019s real-life id.<\/p>\n In early 2024, the chief of the Lockbit ransomware group \u2014 Lockbitsupp \u2014 requested for assist investigating the id of the XSS administrator Toha, which he claimed was a Russian man named Anton Avdeev.<\/p>\n<\/div>\n Lockbitsupp didn\u2019t share why he needed Toha\u2019s particulars, however he maintained that Toha\u2019s actual title was Anton Avdeev<\/strong>. I declined to assist Lockbitsupp in no matter revenge he was planning on Toha, however his query made me curious to look deeper.<\/p>\n It seems Lockbitsupp\u2019s question was primarily based on a now-deleted Twitter put up from 2022, when a person by the title \u201c3xp0rt<\/a>\u201d asserted that Toha was a Russian man named Anton Viktorovich Avdeev<\/strong>, born October 27, 1983.<\/p>\n Looking the net for Toha\u2019s e-mail deal with toschka2003@yandex.ru reveals a 2010 gross sales thread<\/a> on the discussion board bmwclub.ru<\/strong> the place a person named Honeypo was promoting a 2007 BMW X5. The advert listed the contact individual as Anton Avdeev and gave the contact telephone quantity 9588693.<\/strong><\/p>\n A search on the telephone quantity 9588693 within the breach monitoring service Constella Intelligence<\/strong> finds loads of official Russian authorities information with this quantity, date of start and the title Anton Viktorovich Avdeev. For instance, hacked Russian authorities information present this individual has a Russian tax ID and SIN (Social Safety quantity), and that they had been flagged for visitors violations on a number of events by Moscow police; in 2004, 2006, 2009, and 2014.<\/p>\n Astute readers might have observed by now that the ages of Mr. Avdeev (41) and the XSS admin arrested this month (38) are a bit off. This would appear to counsel that the individual arrested is somebody aside from Mr. Avdeev, who didn’t reply to requests for remark.<\/p>\n For additional perception on this query, KrebsOnSecurity sought feedback from Sergeii Vovnenko<\/strong>, a former cybercriminal from Ukraine who now works on the safety startup paranoidlab.com<\/strong>. I reached out to Vovnenko as a result of for a number of years starting round 2010 he was the proprietor and operator of thesecure[.]biz<\/strong>, an encrypted \u201cJabber\u201d instantaneous messaging server that Europol mentioned was operated by the suspect arrested in Kiev. Thesecure[.]biz grew fairly in style amongst most of the high Russian-speaking cybercriminals as a result of it scrupulously saved few information of its customers\u2019 exercise, and its administrator was at all times a trusted member of the group.<\/p>\n The rationale I do know this historic tidbit is that in 2013, Vovnenko \u2014 utilizing the hacker nicknames \u201cFly<\/strong>,\u201d and \u201cFlycracker<\/strong>\u201d \u2014 hatched a plan<\/a> to have a gram of heroin bought off of the Silk Highway darknet market and shipped to our house in Northern Virginia. The scheme was to spoof a name from one among our neighbors to the native police, saying this man Krebs down the road was a druggie who was having narcotics delivered to his house.<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/xss-sbu.png\")
<\/p>\nCROSS-SITE GRIFTING<\/h2>\n
![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/exploit-deleted-ua.png\")
<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/lcokbitsupp-convo.png\")
<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/bmw-toha.png\")
<\/p>\nA FLY ON THE WALL<\/h2>\n