Global Law Enforcement Disrupts Lumma Infostealer in Coordinated Takedown

Authorities carry out global takedown of infostealer used by cybercriminals

A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma. One of the most popular infostealers worldwide, Lumma has been used by hundreds of what Microsoft calls "cyber threat actors" to steal passwords, credit card and banking information, and cryptocurrency wallet details. The tool, which officials say is developed in Russia, has provided cybercriminals with the information and credentials they needed to drain bank accounts, disrupt services, and carry out data extortion attacks against schools, among other things. Microsoft's Digital Crimes Unit (DCU) obtained an order from a United States district court last week to seize and take down about 2,300 domains underpinning Lumma's infrastructure. At the same time, the US Department of Justice seized Lumma's command and control infrastructure and disrupted cybercriminal marketplaces that sold the Lumma malware. All of this was coordinated, too, with the disruption of regional Lumma infrastructure by Europol's European Cybercrime Center and Japan's Cybercrime Control Center. Microsoft lawyers wrote on Wednesday that Lumma, which is also known as LummaC2, has spread so broadly because it is "easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses." Steven Masada, assistant general counsel at Microsoft's DCU, says in a blog post that Lumma is a "go-to tool," including for the notorious Scattered Spider cybercriminal gang. Attackers distribute the malware using targeted phishing attacks that typically impersonate established companies and services, like Microsoft itself, to trick victims. "In 2025, probably following Redline's disruption and Lumma's own development, it has ranked as the most active module, indicating its growing popularity and widespread adoption among cybercriminals," says Victoria Kivilevich, director of threat research at security firm Kela. Microsoft says that more than 394,000 Windows computers were infected with the Lumma malware between March 16 and May 16 this year. And Lumma was mentioned in more than 21,000 listings on cybercrime forums in the spring of 2024, according to figures cited in a notice published today by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The malware has been spotted bundled in fake AI video generators, fake "deepfake" generation websites, and distributed by fake CAPTCHA pages. Law enforcement's collaboration with Microsoft's DCU and other tech companies like Cloudflare focused on disrupting Lumma's infrastructure in multiple ways, so its developers could not simply hire new providers or create parallel systems to rebuild. "Cloudflare's role in the disruption included blocking the command and control server domains, Lumma's Marketplace domains, and banning the accounts that were used to configure the domains," the company wrote in a blog post on Wednesday. "Microsoft coordinated the takedown of Lumma's domains with multiple relevant registries in order to ensure that the criminals could not simply change the name servers and recover their control." While infostealing malware has been around for years, its use by cybercriminals and nation-state hackers has surged since 2020. Typically, infostealers find their way onto people's computers through downloads of pirated software or through targeted phishing attacks that impersonate established companies and services, like Microsoft itself, to trick victims. Once on a computer it is able to grab sensitive information -- such as usernames and passwords, financial information, browser extensions, multifactor authentication details and more -- and send it back to the malware's operators. Some infostealer operators bundle and sell this stolen data. But increasingly the compromised details have acted as a gateway for hackers to launch further attacks, providing them with the details needed to access online accounts and the networks of multi-billion dollar corporations. "It's clear that infostealers have become more than just grab-and-go malware," says Patrick Wardle, CEO of the Apple device-focused security firm DoubleYou. "In many campaigns they really act as the first stage, collecting credentials, access tokens, and other foothold-enabling data, which is then used to launch more traditional, high-impact attacks such as lateral movement, espionage, or ransomware." The Lumma infostealer first emerged on Russian-language cybercrime forums in 2022, according to the FBI and CISA. Since then its developers have upgraded its capabilities and released multiple different versions of the software. Since 2023, for example, they have been working to integrate AI into the malware platform, according to findings from the security firm Trellix. Attackers want to add these capabilities to automate some of the work involved in cleaning up the massive amounts of raw data collected by infostealers, including identifying and separating "bot" accounts that are less valuable for most attackers. One administrator of Lumma told 404Media and WIRED last year that they encouraged both seasoned hackers and new cybercriminals to use their software. "This brings us good income," the administrator said, referring to the resale of stolen login data. Microsoft says that the main developer behind Lumma goes by the online handle "Shamel" and is based in Russia. "Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums," Microsoft's Masada wrote on Wednesday. "Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal." Kela's Kivilevich says that in the days leading up to the takedown, some cybercriminals started to complain on forums that there had been problems with Lumma. They even speculated that the malware platform had been targeted in a law enforcement operation. "Based on what we see, there is a wide range of cybercriminals admitting they are using Lumma, such as actors involved in credit card fraud, initial access sales, cryptocurrency theft, and more," Kivilevich says. Among other tools, the Scattered Spider hacking group -- which has attacked Caesars Entertainment, MGM Resorts International, and other victims -- has been spotted using the Lumma stealer. Meanwhile, according to a report from TechCrunch, the Lumma malware was allegedly used in the build-up to the December 2024 hack of education tech firm PowerSchool, in which more than 70 million records were stolen. "We're now seeing infostealers not just evolve technically, but also play a more central role operationally," says DoubleYou's Wardle. "Even nation-state actors are developing and deploying them." Ian Gray, director of analysis and research at the security firm Flashpoint, says that while infostealers are only one tool that cybercriminals will use, their prevalence may make it easier for cybercriminals to hide their tracks. "Even advanced threat actor groups are leveraging infostealer logs, or they risk burning sophisticated tactics, techniques, and procedures (TTPs)," Gray says. Lumma isn't the first infostealer to be targeted by law enforcement. In October last year, the Dutch National Police, along with international partners, took down the infrastructure linked to the RedLine and MetaStealer malware, and the US Department of Justice unsealed charges against Maxim Rudometov, one of the alleged developers and administrators of the RedLine infostealer. Despite the international crackdown, infostealers have proven too useful and effective for attackers to abandon. As Flashpoint's Gray puts it, "Even if the landscape ultimately shifts due to the evolution of defenses, the growing prominence of infostealers over the past few years suggests they are likely here to stay for the foreseeable future. Usage of them has exploded." This story originally appeared at wired.com.

Authorities Carry Out Elaborate Global Takedown of Infostealer Heavily Used by Cybercriminals

US, European, and Japanese authorities, along with tech companies including Microsoft and Cloudflare, say they've disrupted Lumma, an infostealer popular with criminal gangs. A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma. One of the most popular infostealers worldwide, Lumma has been used by hundreds of what Microsoft calls "cyber threat actors" to steal passwords, credit card and banking information, and cryptocurrency wallet details. The tool, which officials say is developed in Russia, has provided cybercriminals with the information and credentials they needed to drain bank accounts, disrupt services, and carry out data extortion attacks against schools, among other things. Microsoft's Digital Crimes Unit (DCU) obtained an order from a United States district court last week to seize and take down about 2,300 domains underpinning Lumma's infrastructure. At the same time, the US Department of Justice seized Lumma's command and control infrastructure and disrupted cybercriminal marketplaces that sold the Lumma malware. All of this was coordinated, too, with disruption of regional Lumma infrastructure by Europol's European Cybercrime Center and Japan's Cybercrime Control Center. Microsoft lawyers wrote on Wednesday that Lumma, which is also known as LummaC2, has spread so broadly because it is "easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses." Steven Masada, assistant general counsel at Microsoft's DCU, says in a blog post that Lumma is a "go-to tool," including for the notorious Scattered Spider cybercriminal gang. Attackers distribute the malware using targeted phishing attacks that typically impersonate established companies and services, like Microsoft itself, to trick victims. "In 2025, probably following Redline's disruption and Lumma's own development, it has ranked as the most active module, indicating its growing popularity and widespread adoption among cybercriminals," says Victoria Kivilevich, director of threat research at security firm Kela. Microsoft says that more than 394,000 Windows computers were infected with the Lumma malware between March 16 and May 16 this year. And Lumma was mentioned in more than 21,000 listings on cybercrime forums in the spring of 2024, according to figures cited in a notice published today by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The malware has been spotted bundled in fake AI video generators, fake "deepfake" generation websites, and distributed by fake CAPTCHA pages. Law enforcement's collaboration with Microsoft's DCU and other tech companies like Cloudflare focused on disrupting Lumma's infrastructure in multiple ways, so its developers could not simply hire new providers or create parallel systems to rebuild. "Cloudflare's role in the disruption included blocking the command and control server domains, Lumma's Marketplace domains, and banning the accounts that were used to configure the domains," the company wrote in a blog post on Wednesday. "Microsoft coordinated the takedown of Lumma's domains with multiple relevant registries in order to ensure that the criminals could not simply change the name servers and recover their control." While infostealing malware has been around for years, its use by cybercriminals and nation-state hackers has surged since 2020. Typically, infostealers find their way onto people's computers through downloads of pirated software or through targeted phishing attacks that impersonate established companies and services, like Microsoft itself, to trick victims. Once on a computer it is able to grab sensitive information -- such as usernames and passwords, financial information, browser extensions, multifactor authentication details and more -- and send it back to the malware's operators.

Law Enforcement Seize Domains Linked to Seed Phrase Stealing Malware LummaC2 - Decrypt

Lumma is linked to over 1.7 million theft attempts and active in 394,000 global infections, according to Microsoft Law enforcement agencies have seized key infrastructure linked to LummaC2, a malware operation that targeted millions of victims worldwide, including by stealing crypto wallet seed phrases, according to a U.S. Department of Justice announcement on Wednesday. The seizures were part of a coordinated international effort involving the DOJ, Europol, Japan's Cybercrime Control Center, Microsoft, and private cybersecurity partners. Following the initial DOJ seizure of two websites on May 19, Lumma administrators scrambled to establish three new domains, only to have those seized the next day. Microsoft additionally identified over 394,000 infections on Windows systems globally between March and May 2025. Through a civil action filed earlier this month, Microsoft's Digital Crimes Unit seized and disabled over 2,300 domains supporting Lumma's infrastructure. "Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft," said Matthew R. Galeotti, head of the DOJ's Criminal Division, in a statement. Malware isn't as popular as it once was. According to CrowdStrike's 2025 Global Threat Report, there has been a shift towards malware-free attacks over the past five years as attackers move to stealthier methods such as phishing, social engineering, access broker services, and trusted relationship abuse. Last year, 79% of attacks it detected were malware-free, compared to 40% in 2019. Nevertheless, that doesn't mean there aren't willing buyers for Malware-as-a-Service tools like Lumma, which allow relatively unsophisticated threat actors to access advanced capabilities. The FBI has identified its use in at least 1.7 million theft attempts using Lumma alone. Crypto wallets are common targets. Earlier this month, researchers identified fake AI bots spreading malware targeting crypto traders, while Inferno Drainer has stolen more than $9 million from wallets over the last six months. Launched in around 2022, Lumma has evolved through multiple iterations and is controlled by a Russian developer known online as "Shamel." Operating openly via Telegram and Russian-language forums, Shamel markets Lumma in tiered service packages that allow buyers to customize, distribute, and track stolen data. One notable campaign using Lumma involved fake emails impersonating Booking.com used to steal login credentials and empty bank accounts. The malware has also been linked to attacks on education systems, gaming communities, and critical infrastructure sectors, including healthcare and logistics. Its stealth and flexibility have made it a favored tool among high-profile ransomware groups such as Octo Tempest. Microsoft said it was continuing to monitor emerging variants of Lumma, warning that the malware remains a potent threat even as its core infrastructure is being dismantled.