On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” Here’s a deep dive on what’s knowable about Toha, and a short stab at who got nabbed.
An unnamed 38-year-old man was arrested in Kiev last month on suspicion of administering the cybercrime forum XSS. Image: ssu.gov.ua.
Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party — arbitrating disputes between criminals — and guaranteeing the security of transactions on XSS. A statement from Ukraine’s SBU security service said XSS counted among its members many cybercriminals from various ransomware groups, including REvil, LockBit, Conti, and Qiliin.
Since the Europol announcement, the XSS forum resurfaced at a new address on the deep web (reachable only via the anonymity network Tor). But from reviewing the recent posts, there appears to be little consensus among longtime members about the identity of the now-detained XSS administrator.
The most frequent comment regarding the arrest was a message of solidarity and support for Toha, the handle chosen by the longtime administrator of XSS and several other major Russian forums. Toha’s accounts on other forums have been silent since the raid.
Europol said the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha’s history. In 2005, Toha was a founding member of the Russian-speaking forum Hack-All. That is, until it got massively hacked a few months after its debut. In 2006, Toha rebranded the forum to exploit[.]in, which would go on to draw tens of thousands of members, including an eventual Who’s-Who of wanted cybercriminals.
Toha announced in 2018 that he was selling the Exploit forum, prompting rampant speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. However, those suspicions were unsupported by evidence, and Toha vehemently denied the forum had been given over to authorities.
One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018, a partial backup of the DaMaGeLaB forum was reincarnated as xss[.]is, with Toha as its stated administrator.
Clues about Toha’s early presence on the Internet — from ~2004 to 2010 — are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity. Intel 471 shows Toha used the same email address across multiple forum accounts, including at Exploit, Antichat, Carder[.]su and inattack[.]ru.
DomainTools.com finds Toha’s email address — toschka2003@yandex.ru — was used to register at least a dozen domain names — most of them from the mid- to late 2000s. Apart from exploit[.]in and a domain called ixyq[.]com, the other domains registered to that email address end in .ua, the top-level domain for Ukraine (e.g. deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).
A 2008 snapshot of a domain registered to toschka2003@yandex.ru and to Anton Medvedovsky in Kiev. Note the message at the bottom left, “Protected by Exploit,in.” Image: archive.org.
Nearly all of the domains registered to toschka2003@yandex.ru contain the name Anton Medvedovskiy in the registration records, except for the aforementioned ixyq[.]com, which is registered to the name Yuriy Avdeev in Moscow.
This Avdeev surname came up in a lengthy conversation with Lockbitsupp, the leader of the rapacious and destructive ransomware affiliate group Lockbit. The conversation took place in February 2024, when Lockbitsupp asked for help identifying Toha’s real-life identity.
In early 2024, the leader of the Lockbit ransomware group — Lockbitsupp — asked for help investigating the identity of the XSS administrator Toha, which he claimed was a Russian man named Anton Avdeev.
Lockbitsupp didn’t share why he wanted Toha’s details, but he maintained that Toha’s real name was Anton Avdeev. I declined to help Lockbitsupp in whatever revenge he was planning on Toha, but his question made me curious to look deeper.
It appears Lockbitsupp’s query was based on a now-deleted Twitter post from 2022, when a user by the name “3xp0rt” asserted that Toha was a Russian man named Anton Viktorovich Avdeev, born October 27, 1983.
Searching the web for Toha’s email address toschka2003@yandex.ru reveals a 2010 sales thread on the forum bmwclub.ru where a user named Honeypo was selling a 2007 BMW X5. The ad listed the contact person as Anton Avdeev and gave the contact phone number 9588693.
A search on the phone number 9588693 in the breach tracking service Constella Intelligence finds plenty of official Russian government records with this number, date of birth and the name Anton Viktorovich Avdeev. For example, hacked Russian government records show this person has a Russian tax ID and SIN (Social Security number), and that they were flagged for traffic violations on several occasions by Moscow police; in 2004, 2006, 2009, and 2014.
Astute readers may have noticed by now that the ages of Mr. Avdeev (41) and the XSS admin arrested this month (38) are a bit off. This would seem to suggest that the person arrested is someone other than Mr. Avdeev, who did not respond to requests for comment.
For further insight on this question, KrebsOnSecurity sought comments from Sergeii Vovnenko, a former cybercriminal from Ukraine who now works at the security startup paranoidlab.com. I reached out to Vovnenko because for several years beginning around 2010 he was the owner and operator of thesecure[.]biz, an encrypted “Jabber” instant messaging server that Europol said was operated by the suspect arrested in Kiev. Thesecure[.]biz grew quite popular among many of the top Russian-speaking cybercriminals because it scrupulously kept few records of its users’ activity, and its administrator was always a trusted member of the community.
The reason I know this historic tidbit is that in 2013, Vovnenko — using the hacker nicknames “Fly,” and “Flycracker” — hatched a plan to have a gram of heroin purchased off of the Silk Road darknet market and shipped to our home in Northern Virginia. The scheme was to spoof a call from one of our neighbors to the local police, saying this guy Krebs down the street was a druggie who was having narcotics delivered to his home.
I happened to be lurking on Flycracker’s private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack eventually arrived in the U.S. Mail. Vovnenko was later arrested for unrelated cybercrime activities, extradited to the United States, convicted, and deported after a 16-month stay in the U.S. prison system [on several occasions, he has expressed heartfelt apologies for the incident, and we have since buried the hatchet].
Vovnenko said he purchased a device for cloning credit cards from Toha in 2009, and that Toha shipped the item from Russia. Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.
Vovnenko believes thesecure[.]biz was stolen while he was in jail, either by Toha and/or an XSS administrator who went by the nicknames N0klos and Sonic.
“When I was in jail, [the] admin of xss.is stole that domain, or probably N0klos bought XSS from Toha or vice versa,” Vovnenko said of the Jabber domain. “Nobody from [the forums] spoke with me after my jailtime, so I can only guess what really happened.”
N0klos was the owner and administrator of an early Russian-language cybercrime forum known as Darklife[.]ws. However, N0kl0s also appears to be a lifelong Russian resident, and in any case seems to have vanished from Russian cybercrime forums several years ago.
Asked whether he believes Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko maintained that Toha is Russian, and that “the French cops took the wrong guy.”
So who did the Ukrainian police arrest in response to the investigation by the French authorities? It seems plausible that the BMW ad invoking Toha’s email address and the name and phone number of a Russian citizen was simply misdirection on Toha’s part — intended to confuse and throw off investigators. Perhaps this even explains the Avdeev surname surfacing in the registration records from one of Toha’s domains.
But sometimes the simplest answer is the correct one. “Toha” is a common Slavic nickname for someone with the first name “Anton,” and that matches the name in the registration records for more than a dozen domains tied to Toha’s toschka2003@yandex.ru email address: Anton Medvedovskiy.
Constella Intelligence finds there is an Anton Gannadievich Medvedovskiy living in Kiev who will be 38 years old in December. This individual owns the email address itsmail@i.ua, as well an an Airbnb account featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by the Ukrainian police. Mr. Medvedovskiy did not respond to a request for comment.
My take on the takedown is that the Ukrainian authorities likely arrested Medvedovskiy. Toha shared on DaMaGeLab in 2005 that he had recently finished the 11th grade and was studying at a university — a time when Mevedovskiy would have been around 18 years old. On Dec. 11, 2006, fellow Exploit members wished Toha a happy birthday. Records exposed in a 2022 hack at the Ukrainian public services portal diia.gov.ua show that Mr. Medvedovskiy’s birthday is Dec. 11, 1987.
The law enforcement action and resulting confusion about the identity of the detained has thrown the Russian cybercrime forum scene into disarray in recent weeks, with lengthy and heated arguments about XSS’s future spooling out across the forums.
XSS relaunched on a new Tor address shortly after the authorities plastered their seizure notice on the forum’s homepage, but all of the trusted moderators from the old forum were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to plunk down a deposit to register at the new forum. The new XSS “admin” said they were in contact with the previous owners and that the changes were to help rebuild security and trust within the community.
However, the new admin’s assurances appear to have done little to assuage the worst fears of the forum’s erstwhile members, most of whom seem to be keeping their distance from the relaunched site for now.
Indeed, if there is one common understanding amid all of these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have several years worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.
“The myth of the ‘trusted person’ is shattered,” the user “GordonBellford” cautioned on Aug. 3 in an Exploit forum thread about the XSS admin arrest. “The forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.”
GordonBellford continued:
And the scariest thing is: this data array is not just an archive. It is material for analysis that has ALREADY BEEN DONE . With the help of modern tools, they see everything:
Graphs of your contacts and activity.
Relationships between nicknames, emails, password hashes and Jabber ID.
Timestamps, IP addresses and digital fingerprints.
Your unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers.
The scourge of ransomware continues primarily because of three main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.
With these three challenges in mind, law enforcement and governments have a very difficult job to do when it comes to fighting ransomware but fight it they must. In this blog we shall recall what counter-ransomware activities took place in 2024, analyse their effectiveness, and assess how the landscape shall evolve as a result.
A podcast version of this blog is also available here.
During 2024, there were significant disruption operations by
law enforcement and financial authorities targeting individuals behind
ransomware campaigns (see the Table below). The main focus of 2024 for Western
law enforcement was squarely on the LockBit RaaS and its affiliates as it was
the largest and highest earning ransomware operation to date.
Several key players of the ransomware ecosystem were
arrested, including the main developer of LockBit ransomware. Interestingly,
Russian law enforcement also decided to arrest ransomware threat actors located
in Moscow and Kaliningrad as well.
| Month | Group(s) | Law Enforcement Activity |
|---|---|---|
| February 2024 | SugarLocker, REvil | Russian authorities have identified and arrested three alleged members in Moscow of a ransomware gang called SugarLocker. |
| February 2024 | LockBit | The LockBit leak site was seized. Two LockBit affiliates were arrested in Poland and Ukraine. Up to 28 servers belonging to LockBit were taken down. |
| February 2024 | LockBit | Two Russian nationals, Ivan Kondratiev and Artur Sungatov, were sanctioned by the US Treasury for being affiliates of LockBit, among other RaaS. |
| May 2024 | LockBit | Dmitry Khoroshev, the administrator and developer of LockBit was sanctioned by the US Treasury. |
| May 2024 | IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, TrickBot | European police took down malicious spam botnets that support ransomware campaigns. This resulted in 4 arrests (1 in Armenia and 3 in Ukraine), over 100 servers and 2,000 domains being seized. One of the main suspects earned €69 million by renting out infrastructure sites to deploy ransomware. |
| June 2024 | Conti, LockBit | A Ukrainian national was arrested for supporting Conti and LockBit ransomware attacks as a crypter developer. |
| August 2024 | Reveton, RansomCartel | Maksim Silnikau, a Belarusian national, was arrested in Spain for running Reveton and RansomCartel. |
| August 2024 | Karakurt, Conti | Deniss Zolotarjovs, a Latvian national was arrested and extradited to the US from Georgia for running the Karakurt data extortion gang linked to Conti. |
| October 2024 | Evil Corp, LockBit | The UK, alongside the US and Australia, has sanctioned 16 members of Evil Corp, including Aleksandr Ryzhenkov, Viktor Yakubets, and Eduard Benderskiy. |
| November 2024 | Phobos | Evgenii Ptitsyn, a Russian national, was arrested and extradited to the US from South Korea for running the Phobos ransomware gang. |
| December 2024 | LockBit | Rostislav Panev, a dual Russian and Israeli national, was arrested in Israel for developing LockBit ransomware. |
| December 2024 | LockBit, Babuk, Hive | Mikhail “Wazawaka” Matveev was arrested in Russia for violating domestic laws against the creation and use of malware. He was fined and had his cryptocurrency seized and is awaiting trial. |
The ransomware ecosystem has fragmented due to the law enforcement disruptions of the largest players, such as
ALPHV/BlackCat and LockBit. In the case of ALPHV/BlackCat, the operators staged
a law enforcement takedown as they put up a fake seizure notice as part of
an exit scam in March 2024 after the attack on UnitedHealth.
Following these disruptions, some affiliates have migrated
to less effective strains or launched their own strains. This includes
Akira and RansomHub at the top of the list as well as Hunters International and
PLAY.
During 2024, law enforcement seized funds from and
sanctioned a number of cryptocurrency exchanges and individuals running payment
processors using cryptocurrency (see the Table below).
One of the most interesting disclosures this year came from
the UK National Crime Agency (NCA) around Operation Destablise. The NCA linked
payments to ransomware gangs to money laundering networks used by Russian
oligarchs to covertly purchase property and Russia Today, the state-run media
organization, to covertly fund pro-Russia foreign entities.
Another notable investigation in 2024 was when the US
Treasury sanctioned more Russian cryptocurrency exchanges, such as PM2BTC and
Cryptex, that led to money launderers that facilitate the cashing out of ransom
payments being arrested by Russian law enforcement.
| Month | Exchange(s) | Law Enforcement Activity |
|---|---|---|
| August 2024 | Cryptonator | The US Justice Department indicted Russian national Roman Pikulev and Cryptonator, which processed a total of $1.4 billion in transactions, of which $8 million were ransom payments. Cryptonator also has ties to other sanctioned entities including Blender, Hydra Market, Bitzlato, and Garantex, among others. |
| September 2024 | PM2BTC, Cryptex, UAPS | FinCEN identified PM2BTC as being of “primary money laundering concern” in connection with Russian illicit finance. This was alongside Cryptex and Sergey Sergeevich Ivanov, a Russian national, who is associated with UAPS and PinPays, as well as Genesis Market. Cryptex also facilitated more than $115 million of proceeds from ransomware payments. |
| September 2024 | 47 exchanges | In Operation Final Exchange, German federal police (BKA) shut down 47 cryptocurrency exchange services that ransomware gangs use that operated without requiring registration or identity verification. |
| October 2024 | Cryptex, UAPS | Russian authorities have arrested nearly 100 suspected cybercriminals linked to the anonymous payment system UAPS and the cryptocurrency exchange Cryptex. |
| November 2024 | Smart, TGR Group | The NCA uncovered a Russian money-laundering network operated by two companies called Smart and TGR Group as part of Operation Destabilise that involved UK-based cash-to-crypto networks that laundered Ryuk ransom payments as well as the money of Russian oligarchs and Russia Today. |
While ransomware is a global problem, there are only a few
countries that are to blame for this rapid expansion of the ransomware
ecosystem. The state that is blamed the most for preventing many ransomware operators
from facing justice is Russia. There are explicit rules posted to
Russian-speaking cybercrime forums that state as long as members avoid
targeting Russia and the Commonwealth of Independent States (CIS), they are
free to operate.
The Russian ransomware safe haven theory was further proven
following sanctions levied against Evil Corp by the UK, US, and Australia. One
of the sanctioned men connected to Evil Corp was Eduard
Benderskiy, a former Russian federal security service (FSB) official.
Benderskiy is reportedly
the father-in-law of Maksim Yakubets, the leader of Evil Corp, an organized cybercrime
group responsible for multiple
ransomware strains including BitPaymer, WastedLocker, Hades, PhoenixLocker,
and MacawLocker. In total, Evil Corp has reportedly extorted at least $300
million from victims globally, according to the UK NCA. It is now clear that
Evil Corp has protection from a highly connected Russian FSB official who has
also been involved
in multiple overseas assassinations on behalf of the Kremlin, according to
Bellingcat investigators.
While a number of ransomware operators were arrested in 2024
and some were extradited to the US, the work done by law enforcement
specializing in cybercrime was put in the spotlight during the August
2024 prisoner swap. Multiple countries decided to release cybercriminals,
spies and an assassin as part of a historic
prisoner exchange with Russia at an airport in Ankara, Turkey. The US negotiated
the release of 16 people from Russia, including five Germans as well as seven
Russian citizens who were political prisoners in their own country.
Notably, from a cybercrime intelligence perspective, the Russian
nationals released from the West included the infamous cybercriminals Roman
Seleznev and Vladislav Klyushin. The latter, Klyushin, was sentenced
in 2023 to nine years in US prison after he was caught in a $93 million stock
market cheating scheme that involved hacking into US companies for insider
knowledge. The other cybercriminal, Seleznev, was sentenced
to 27 years in prison in 2017 for stealing and selling millions of credit card
numbers from 500 businesses using point-of-sale (POS) malware and causing more
than $169 million in damage to small businesses and financial institutions,
including those in the US.
In 2024, we saw several more Russian nationals get
extradited to the US after being arrested by law enforcement in the country
they were residing in. This includes the Phobos operator living in South Korea
and the LockBit developer living in Israel. This follows others arrested in
previous years such as a TrickBot developer arrested
in South Korea as well as the two LockBit affiliates extradited
to the US. There is a potential that these Russian nationals involved in
ransomware could be used in prisoner exchanges in the future.
Further, another curious trend in 2024 was that some Russians
inside Russia, which is firmly considered a safe haven for ransomware gang, did
get arrested. This includes the SugarLocker operators arrested in Moscow and
the LockBit affiliate Wazawaka who was arrested in Kaliningrad. This is
alongside the money launderers arrested around Russia linked to the Cryptex
exchange.
The arrests of Russian nationals in Russia for ransomware
activities appear to be more symbolic than a true crackdown on this type of
activity. This is because there are several dozen Russian-speaking ransomware
gangs that continue to operate, as well as a plethora of other types of cybercrime
in the Russian-speaking underground.
In 2024, there was lots of significant action by law
enforcement to shake up the ransomware economy. One of the main successes of the
notable Operation Cronos action taken against LockBit was the sowing of
distrust and disharmony in the ransomware ecosystem. Despite the admins of
LockBit trying to recover, their reputation and army of affiliates have been
smashed.
Many of Russian law enforcement activities could all be
related to the costs of the Russian invasion of Ukraine. Russian authorities seizing funds of the illicit cryptocurrency exchanges could be to pay for
the war in Ukraine and they could be recruiting arresting cybercriminals for offensive
cyber operations related to the war in Ukraine. The true motivations of Russian law enforcement arresting these specific ransomware operators but allowing others to operate are unclear. The cybercriminals could also simply have not paid their protection money or lack connections in the FSB like Evil Corp has.
Due to the fall of LockBit and ALPHV/BlackCat in 2024, there has been a rise of other ransomware groups like RansomHub and Akira to fill the vacuum. However, the rate of attacks by these emerging groups is still noticeably lower than when LockBit was operating at full force. This should be perceived as a success for law enforcement operations in 2024 due to the overall number of ransomware attacks lowering, which we should all be thankful for.
Entrar