From the Arrest of XSS Admin “Toha” to the Birth of Rehubcom
The underground cybercrime ecosystem has just witnessed one of the most significant disruptions of the last decade. What began as a law enforcement operation against a well-known forum administrator has now evolved into a geopolitical reshaping of the Russian-speaking underground.
The Arrest of “Toha”
On July 22, 2025, Ukrainian law enforcement, supported by French police and Europol, arrested a 38-year-old man known in the underground community as “Toha”, the alleged administrator of the infamous XSS forum.
• Authorities linked him to multi-million euro ransomware and malware operations, including serving as a broker and arbitrator in cybercriminal disputes.
• Investigations reportedly traced him back to communications via a Jabber server, thesecure.biz, which was heavily used by XSS members.
• According to Reuters, his activities are estimated to have generated over €7 million.
This arrest not only removed one of the key figures in the Russian-speaking underground, but also destabilized one of the most influential platforms in the cybercriminal economy.
Why XSS Matters
Founded in the early 2010s, XSS became one of the most important Russian-language cybercrime forums. With tens of thousands of members and daily activity ranging from malware sales to exploit trading and access brokering, it served as a backbone for several ransomware groups.
• Threat actors used XSS to buy and sell corporate network access, develop custom malware, and share zero-day exploits.
• The forum had a reputation for strict moderation and internal arbitration, making it a “trusted marketplace” in a space where scams are frequent.
In short: XSS was not just another underground forum — it was a pillar of the cybercriminal ecosystem.
The Fallout: Distrust and Migration
After “Toha’s” arrest, the forum went silent for days. Then, suspicious changes appeared:
• Posts were deleted or censored, fueling rumors.
• Unknown administrators suddenly gained control.
• Moderators stopped communicating, sparking speculation of a law enforcement takeover.
Very quickly, members began to suspect that XSS was compromised — potentially even controlled by the Russian FSB, transforming it into a *honeypot* for monitoring and deanonymizing cybercriminals.
To protect themselves, XSS moderators made a decisive move: they abandoned XSS and created a new forum, rehubcom.pro.
The Birth of Rehubcom.pro
The launch of rehubcom.pro marks the beginning of a new chapter:
• The forum is promoted as independent, “clean,” and free from state interference.
• Ex-moderators invited the community to migrate, framing XSS as unsafe.
• In just days, activity began to grow as users shifted to the new platform.
According to analyses by cyber intelligence firms, this migration could reshape the underground just as much as the fall of RaidForums or Hydra Market, both in 2022.
The Bigger Picture: Cybercrime Meets Geopolitics
This event highlights a reality many in cybersecurity already understood: cybercrime is geopolitical.
• When a forum is infiltrated or taken over, it no longer serves only criminals — it may become a tool for state surveillance and counterintelligence.
• Criminals, aware of this, self-migrate to preserve operational security.
• The fragmentation of underground communities makes them harder to track, but also exposes them to new risks.
For companies and defenders, this is a wake-up call:
1. Threat intelligence must adapt in real time — the landscape changes literally overnight.
2. Monitoring emerging forums like rehubcom.pro is essential for early detection of ransomware, exploits, or breach data sales.
3. The intersection of law enforcement actions and state infiltration means underground markets are no longer “purely criminal” — they are contested spaces.
Conclusion
The fall of “Toha” and the birth of rehubcom.pro are not just another takedown story. Together they mark the beginning of a new phase in the cybercrime ecosystem, where trust, independence, and geopolitics collide.
For the cybersecurity community, this migration is a reminder that:
• Criminal trust is fragile.
• Law enforcement pressure works, but creates new underground hubs.
• The next big threat may come from a freshly born forum.
The underground is moving — and so should our vigilance.