XSS

Rambler mail XSS vulnerability

A few days ago, my old mail on rambler was stolen from me and passwords were changed on 10+ sites, including Habré.
Unfortunately, it so happened that quite a lot of important sites and ICQ were tied to it.
The hacker gained access using XSS and demanded money. Namely, 1000 rubles.
I paid the money, but in the end, as expected, he did not return anything. Well, God be with them.
During these 3 days I restored access to ICQ, mail and almost all sites where passwords were changed.

But today we have been fighting him all day for my sape account.
He changes passwords and tries to withdraw money from the account.

He does this as follows:
- Puts in my mail a redirect of letters to his mailbox
- Requests password recovery in sape
- Changes the password, makes a request for withdrawal. The amount is ridiculous 160 rubles.

I change the box to which letters are sent to my own, turn off forwarding, but after a while he changes again and puts his email.

Question: How does he do it? Moreover, as I understand it, he cannot change the password on the rambler, otherwise he would have changed it long ago.
In sape, I have already ordered a mailbox change. But still I really want to know how he does it.

PS. I changed the password on the mail by logging in from another computer. The old session is still hanging on the old one and I can use the mail.
It's just a nightmare! Well, who does that?

I called Rambler, asked to reset all sessions. We are waiting for what will happen next.

I also plan to write a statement to the police.

I have:
- His IP (Kyiv and Dnepropetrovsk). Most likely VPN
- Phone number +380 registered about a month ago.
- WMID, registered about a month ago, with a formal passport with BL under a hundred.

Question: Where is the best place to go with all this business?

PS. Is it worth writing an article on how to quickly restore lost access to rambler mail?
Many complain that it takes months.