XSS cybercrime forum rises from the dead – just one day after being raided by Europol. Ahem… honeypot.

On July 22, 2025, the XXX.is forum, one of the largest and longest-standing Russian-speaking cybercrime marketplaces, was taken offline after a coordinated, multi-year investigation involving Ukrainian authorities, French police, and Europol. The forum’s main domain was seized and replaced with a law enforcement notice. However, today, within 24 hours, the XSS forum re-emerged on its mirror sites and .onion domains on the dark web. A statement posted by an administrator account claimed the forum’s infrastructure remained intact and reassured users that restoration efforts were underway. Security researchers say: not so fast. Is this a real-life resurrection or a law enforcement honeypot?

Background on XSS Forum

Originally known as DaMaGeLaB before rebranding in 2017, XSS distinguished itself as a hub for illicit activities including the trade of stolen data, malware distribution, hacking services, ransomware recruitment, and unauthorized access to compromised systems. With over 50,000 registered users, it functioned on both clearnet and dark web platforms, maintaining a reputation that often served as a gateway into more elite cybercriminal communities.

The suspected administrator of XSS reportedly accrued more than €7 million in illicit revenue from advertising and facilitating transactions within the forum’s marketplace. The scale and longevity of XSS made it a significant target for law enforcement agencies worldwide.

Swift Reappearance Raises Questions

This rapid resurgence has prompted both skepticism and concern within the cybercriminal community and security circles. Experts warn that the revived sites could potentially be operated or monitored by law enforcement agencies as honeypots designed to track returning users and gather intelligence.
