Microsoft, in a significant collaboration with the U.S. Department of Justice (DOJ), has executed a major operation to dismantle the Lumma Stealer malware network, a highly active cybercrime tool. This malware-as-a-service (MaaS) platform has been implicated in extensive digital breaches globally, impacting hundreds of thousands of systems worldwide.
The Scope and Takedown of Lumma Stealer
Microsoft reported that Lumma Stealer compromised over 394,000 Windows systems between March and mid-May 2025. Cybercriminals widely used it for stealing login credentials, financial data, and cryptocurrency wallets, and for extortion campaigns. The DOJ confirmed the FBI identified at least 1.7 million instances of LummaC2 data theft.
Under a U.S. court order, Microsoft disabled around 2,300 malicious Lumma domains. Simultaneously, the DOJ seized five key LummaC2 command-and-control domains. International partners like Europol, Japan’s JC3, and various cybersecurity firms including Bitsight, Cloudflare, ESET, Lumen, CleanDNS, and GMO Registry assisted in dismantling its web infrastructure, highlighting a coordinated global effort.
Modus Operandi: How Lumma Stealer Functioned
Operational since at least 2022, Lumma (or LummaC2) marketed its info-stealing malware on encrypted forums and Telegram. Designed for ease of use, it often included obfuscation tools to evade antivirus detection. Common distribution methods were spear-phishing emails, counterfeit brand websites, and malicious online ads or “malvertising.”
Researchers note that Lumma’s danger lies in how quickly it lets attacks scale. Buyers could customize payloads, track stolen data, and access support via a user panel. Microsoft Threat Intelligence previously linked Lumma to the notorious Octo Tempest gang (also known as “Scattered Spider”). One notable campaign involved spoofing Booking.com to steal financial details.
The Alleged Architect of Lumma: “Shamel”
Authorities believe the developer behind Lumma, using the alias “Shamel,” operates from Russia. In a 2023 interview, an individual claiming to be Shamel mentioned having 400 active clients. They also reportedly took pride in Lumma’s branding, featuring a dove logo and the slogan: “Making money with us is just as easy.”
A Major Blow, But Not a Final Victory
This takedown significantly hinders Lumma, though experts warn that such malware operations are rarely eliminated completely. Even so, Microsoft and the DOJ affirm that these actions severely disrupt criminal activity by targeting its infrastructure and revenue. Microsoft will use the seized domains as sinkholes for intelligence gathering and victim protection.
DOJ FBI domain seizure notice displayed after Lumma Stealer malware infrastructure takedown
This collaborative success underscores the critical role of international cooperation and public-private partnerships in combating cybercrime, as emphasized by DOJ officials and the FBI.
The coordinated takedown of the Lumma Stealer network marks a significant victory against cybercrime, showcasing the power of collaborative efforts between government and industry. As Microsoft’s Digital Crimes Unit continues its work, this action sets a precedent for future threat elimination. However, users must remain vigilant: regularly update passwords and be cautious about clicking links from unverified sources to protect themselves.