惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 聂微东
博客园 - 【当耐特】
Last Week in AI
Last Week in AI
量子位
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
B
Blog RSS Feed
V
V2EX
酷 壳 – CoolShell
酷 壳 – CoolShell
雷峰网
雷峰网
GbyAI
GbyAI
Jina AI
Jina AI
宝玉的分享
宝玉的分享
腾讯CDC
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
D
Docker
博客园_首页
N
News and Events Feed by Topic
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
F
Fortinet All Blogs
SecWiki News
SecWiki News
AI
AI
S
Schneier on Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
The Last Watchdog
The Last Watchdog
Martin Fowler
Martin Fowler
A
About on SuperTechFans
T
Troy Hunt's Blog
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
Hacker News: Ask HN
Hacker News: Ask HN
F
Full Disclosure
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
I
InfoQ
S
Security @ Cisco Blogs
Project Zero
Project Zero
Simon Willison's Weblog
Simon Willison's Weblog
C
Cyber Attacks, Cyber Crime and Cyber Security
J
Java Code Geeks
N
News | PayPal Newsroom
IT之家
IT之家
大猫的无限游戏
大猫的无限游戏
H
Hacker News: Front Page

Threat Intelligence Blog | Flashpoint

Inside Qilin Ransomware: Custom Rust Loader and Kernel-Level EDR Killer Understanding Illicit Ecosystems: How Dark Web Forums Structure Cybercrime AI, Trust, and the Future of Threat Intelligence Remus Stealer: A New, Not-So-New Infostealer America250 Fourth of July Threat Assessment Unmasking the Digital Trail: Essential Techniques for Vetting AI-Generated Content The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04 Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure Connecting Vulnerability Intelligence to Real-World Exposure With Flashpoint EASM How to Align and Measure Threat Intelligence Operations: Flashpoint Priority Intelligence Requirements The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation Understanding Illicit Ecosystems: The Hybrid Threat of “The Com” AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities How Mergers and Acquisitions Expand Your Attack Surface Overnight The Evolution of the Geotag: How AI is Bridging the Gap in Location-Based OSINT Navigating the Threat Landscape of the 2026 FIFA World Cup Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains How to Build and Operationalize Priority Intelligence Requirements National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online What the NVD ‘Slowdown’ Means For You: How to Stay Ahead in Vulnerability Management Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026 Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report What to Know About the Notepad++ Supply-Chain Attack Cyber Threat Intelligence Index: Q3 2023 Edition Beyond Hamas: Militant and Terrorist Groups Involved in the October 7 Attack on Israel The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram About Us Qakbot Takedown: A Brief Victory in the Fight Against Resilient Malware Unmasking the Attacker and Decoding Threat Actor Patterns The Flashpoint Firehose: 5 Questions With Michael Raypold, VP of Engineering The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism Lessons From Clop: Combating Ransomware and Cyber Extortion Events How to Combat Check Fraud: Leveraging Intelligence to Prevent Financial Loss Beyond Gates and Alarms: The Scope and Impact of Physical Security Intelligence Why We Built Flashpoint Ignite: Unity, Power, and Performance The Risk-Reducing Power of Flashpoint Video Search Card Shop Threat Landscape: BidenCash Dumps 2.1M Stolen Credit Cards Flashpoint in 2023: A Note From Our CEO 5 Reasons Taiwan Is a Growing Source of US-China Tension Why We Acquired Echosec Systems: The OSINT Revolution Open Source Intelligence
Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground
Flashpoint Intel Team · 2026-06-03 · via Threat Intelligence Blog | Flashpoint

What is XSS?

For more than two decades, XSS was the gathering ground for the Russian-speaking cybercriminal underground. Evolving from its former name, DaMaGeLaB, XSS evolved from a mid-tier message board into a top-tier hacking forum.

XSS is home to vendors of various crime types, including loaders, phishing, scamming, carding, malware development, distributed denial-of-service (DDoS) bots, and related services. It also facilitates the trade of illicit goods and services, while simultaneously serving as a networking and recruitment hub for threat actors.

XSS forum content falls within the following main sections:

  • “Underground”: Includes most noncommercial content, such as sharing information on malware, vulnerabilities, and exploits, phishing, fraud, open source intelligence, artificial intelligence, and machine learning.
  • “Programming, Development”: Includes posts and articles about programming languages and administration.
  • “Library”: Includes news articles, databases, and discussions around software and tools. Users also post about vulnerabilities and exploits.
  • “Business Decisions”: Users discuss different investments, the sale of digital goods, trading, start-ups of fraudulent businesses, and news about cryptocurrencies.
  • “Lounge Zone, Resting”: Content involves lifestyle discussions, hobbies, and cybercriminal community rumors and scandals.
  • “Trading Platform”: Users sell and look to buy network access, malware, counterfeit documents, and advertise their services. This is where users hire and look for work or partners.
  • “People’s Court”: Used for complaints and arbitration and contains lists of phishing forums and scammers.
  • “Ours”: Contains information about the XSS project, discussions on issues, suggestions, and initiatives for forum improvement.
  • “Private: Underground”: Closed section for only forum members.
XSS forum main sections (Source: XSS)

XSS Disruption: July 2025 Takedown

On July 23, 2025, law enforcement organizations reportedly seized XSS as part of a multinational operation with Ukrainian authorities, French police, and Europol. Alongside the domain seizure, French authorities reported the arrest of XSS’s longtime administrator in Ukraine.

This arrest triggered an immediate chain reaction that has had lasting effects on the Russian-speaking underground—with the XSS ecosystem splintering into several competing factions.

The Current State of the Russian-Speaking Underground

While the original XSS architecture was severely disrupted, the surrounding Russian-speaking cybercriminal ecosystem remains intensely active. However, instead of a centralized hub, the XSS ecosystem is spread out through competing environments that emerged directly from the fallout of the takedown.

DamageLib

Launched by the legacy moderators of XSS, DamageLib represents a structural pivot away from standard illicit forums. Concluding that the old XSS site was compromised by law enforcement, the moderators launched a new model that completely abandons commerce—shutting down all buying, selling, and auctions entirely—-to eliminate user tracking and surveillance. Instead, it focuses strictly on technical materials and tutorials.

Rehub

Recognizing that displaced cybercriminals still required a commercial venue to trade, a former XSS moderator launched Rehub quickly after the emergence of DamageLib. Rehub immediately integrated a commercial platform, successfully recruiting prominent threat actors into its moderation team to establish underground credibility.

The forum is still in its development stage, with its content being populated, and an active member base being built.

XSS[.pro]

In early August 2025, an unknown entity launched an alleged resurrection of the forum on a new domain [.pro], utilizing old backups that preserved legacy user data, threads, and forum deposits. However, this new version has been met with significant distrust from Exploit and DamageLib, believing the [.pro] domain to be a honeypot controlled by law enforcement.

XSSF Forum

Started by a pro-Russian Telegram hacking group, this community actively targets EU and Ukrainian digital infrastructure. According to user discussions on DamageLib, this forum is not related to XSS. In addition, Flashpoint analysts note that targeting Ukrainian infrastructure directly contradicts its original community rules. The authenticity of this forum and its ownership has not been verified.

Monitor a Fractured Underground Using Flashpoint

While law enforcement achieved a significant victory over XSS, they did not eliminate the Russian-speaking cybercriminal underground. Instead, they broke the foundational trust mechanics that had kept it centralized for twenty years.

This has left the Russian-speaking underground in a deeply fractured state that is still intensely active and highly adaptive. For defenders and analysts, this threat has not diminished—it has diversified. Tracking this ecosystem no longer means watching a single centralized community, but rather actively mapping out the live migrations, shifting rules, and behavioral patterns across these splintered groups.

Request a demo to learn how Flashpoint helps security teams aggregate intelligence from these scattered factions into a single source of truth, empowering your organization to proactively monitor and intercept emerging threats.