Microsoft & DOJ Deal Shuts Down Lumma Malware Empire

In a significant move to combat cybercrime, Microsoft has partnered with the U.S. Department of Justice (DOJ) to dismantle Lumma Stealer, one of the most notorious cybercrime tools currently in circulation. Together with Europol and various global cybersecurity firms, Microsoft’s Digital Crimes Unit (DCU) successfully disrupted the Lumma Stealer malware network, a malware-as-a-service (MaaS) platform linked to hundreds of thousands of digital breaches across the globe.

Between March and mid-May 2025, Microsoft reported that Lumma Stealer had infected over 394,000 Windows machines. This malware has been a go-to choice for cybercriminals aiming to steal login credentials and sensitive financial information—including cryptocurrency wallets. The DOJ notes that the FBI has identified at least 1.7 million instances in which LummaC2 was utilized for data theft.

Through a court order from the U.S. District Court for the Northern District of Georgia, Microsoft took down approximately 2,300 malicious domains connected to Lumma’s infrastructure. Concurrently, the DOJ dismantled five critical LummaC2 domains that served as command-and-control centers for cybercriminals. These domains now lead to government seizure notices.

International collaboration played a vital role, with Europol’s European Cybercrime Centre and Japan’s JC3 facilitating efforts to block regional servers. Cybersecurity firms such as Bitsight, Cloudflare, ESET, Lumen, CleanDNS, and GMO Registry assisted in identifying and dismantling the associated web infrastructure.

Understanding the Lumma Operation

Lumma, also referred to as LummaC2, has been active since at least 2022. This info-stealing malware is sold through encrypted forums and Telegram channels and is designed for ease of use. Often bundled with obfuscation tools, Lumma is adept at bypassing antivirus software. Distribution methods include phishing emails, spoofed websites, and malvertising.

Cybersecurity experts deem Lumma particularly menacing because it allows criminals to rapidly scale their attacks. Buyers can customize malware payloads, track stolen data, and even receive customer support via a dedicated user panel. Microsoft Threat Intelligence has previously linked Lumma to the notorious Octo Tempest gang, also known as “Scattered Spider.” In a recent phishing campaign, hackers spoofed Booking.com to harvest financial credentials from unsuspecting victims.

Who Is Behind Lumma?

Authorities believe that “Shamel,” who operates from Russia, is the developer behind Lumma. In a 2023 interview, Shamel claimed to have around 400 active clients and touted how easy it was to make money through Lumma; the malware’s branding features a dove logo paired with the slogan “Making money with us is just as easy.”

Long-term Disruption Strategy

While this takedown represents a significant achievement, experts caution that Lumma and similar tools are seldom eradicated entirely. Microsoft and the DOJ assert that these actions considerably disrupt criminal operations by severing their infrastructure and revenue channels. The seized domains will be utilized as sinkholes for gathering intelligence and enhancing victim protection.
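The sinkhole approach mentioned above works because a host that is still infected keeps trying to resolve the seized command-and-control domains, so the DNS lookups themselves become the victim list. The script below is an added example, not code from the article, Microsoft or the DOJ, showing the defender-side logic: match a DNS query log against a seized-domain list and summarise which internal hosts need cleanup. The domain names, IP addresses and log lines are constructed placeholders (the article does not name the seized domains), and the log format is an assumed generic "timestamp client query type name" layout.

```python
"""Sinkhole-style victim identification from DNS query logs.

Added example (not from the article or from Microsoft/DOJ). Once a
malware's C2 domains are seized and pointed at a sinkhole, every host that
still resolves them is a likely victim. Domains and log lines below are
constructed placeholders, not real Lumma infrastructure.
"""
import re

# Constructed placeholder list standing in for the seized C2 domains.
# A real list would come from the takedown notice or a threat-intel feed.
SEIZED_DOMAINS = {
    "c2-placeholder-1.invalid",
    "c2-placeholder-2.invalid",
    "panel-placeholder.invalid",
}

# Constructed sample log: "<ISO timestamp> <client IP> query <type> <name>".
SAMPLE_DNS_LOG = """\
2025-05-22T10:01:05Z 10.0.4.17 query A update.c2-placeholder-1.invalid
2025-05-22T10:01:06Z 10.0.4.17 query A www.example.com
2025-05-22T10:02:11Z 10.0.9.3 query A panel-placeholder.invalid
2025-05-22T10:03:40Z 10.0.4.17 query A C2-Placeholder-2.INVALID
2025-05-22T10:04:00Z 10.0.7.21 query A legit.microsoft.com
2025-05-22T10:05:13Z 10.0.9.3 query AAAA panel-placeholder.invalid
garbage line that should be skipped
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")


def domain_matches(qname, seized=SEIZED_DOMAINS):
    """Return the seized domain that qname equals or is a subdomain of,
    else None. Case-insensitive; a trailing dot (FQDN form) is ignored.
    Suffix matching requires a dot boundary so 'notc2-x.invalid' does not
    match 'c2-x.invalid'."""
    name = qname.rstrip(".").lower()
    for d in seized:
        if name == d or name.endswith("." + d):
            return d
    return None


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def find_victims(log_text, seized=SEIZED_DOMAINS):
    """Map each client IP that looked up a seized domain to a summary:
    hit count, first/last timestamp (ISO strings sort lexically) and the
    set of seized domains it contacted."""
    victims = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the report
        hit = domain_matches(rec["qname"], seized)
        if hit is None:
            continue
        entry = victims.setdefault(
            rec["client"],
            {"hits": 0, "first": rec["ts"], "last": rec["ts"], "domains": set()},
        )
        entry["hits"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["domains"].add(hit)
    return victims


def notification_report(victims):
    """One human-readable line per affected host, for a victim notification."""
    lines = []
    for client in sorted(victims):
        v = victims[client]
        lines.append(
            f"{client}: {v['hits']} lookups of {sorted(v['domains'])} "
            f"between {v['first']} and {v['last']}"
        )
    return lines


if __name__ == "__main__":
    for report_line in notification_report(find_victims(SAMPLE_DNS_LOG)):
        print(report_line)
```

On the constructed log this flags two hosts (10.0.4.17 and 10.0.9.3) and ignores the host that only resolved legitimate names. In practice the same matching would run against resolver or sinkhole logs at scale, with the "first seen" timestamp telling responders how long a host has been beaconing.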

This operation underscores the imperative for international cooperation in cybercrime enforcement. DOJ officials highlighted the importance of public-private partnerships, while the FBI reiterated that court-authorized actions are crucial in the government’s cybersecurity arsenal.

As Microsoft’s DCU continues this vital work, the Lumma crackdown sets a strong example of what can be achieved when industry and government specialists unite to tackle threats effectively.

Frequently Asked Questions

How can you protect yourself against such cyber threats? Regularly changing your passwords and avoiding links from unknown senders are effective precautionary measures.

What is Lumma malware, and why is it dangerous? Lumma, or LummaC2, is an info-stealing malware that enables cybercriminals to steal sensitive information rapidly. Its user-friendly design allows easy distribution and use.

How do cybercriminals distribute Lumma? Cybercriminals use various methods, including phishing emails, spoofed websites, and malvertising, to distribute Lumma and infect potential victims.

Is Lumma connected to any notorious cybercrime gangs? Yes, Lumma has been linked to the Octo Tempest gang, also known as “Scattered Spider,” known for sophisticated cyber-attacks.

Who is responsible for developing Lumma? Authorities believe that the developer of Lumma operates under the alias “Shamel,” primarily based in Russia.

Curious about staying ahead of cyber threats? Continue exploring related content on Moyens I/O to arm yourself with the latest cybersecurity strategies.