Feds and Microsoft crush Lumma Stealer that stole millions of passwords

Microsoft and the US Department of Justice have dismantled one of the world’s largest cybercrime operations, seizing over 2,300 malicious domains and shutting down the Lumma Stealer malware that infected nearly 400,000 computers worldwide.

The coordinated takedown targeted a Russian-led criminal enterprise that had become the weapon of choice for hundreds of cybercriminals seeking to steal passwords, credit card numbers, and cryptocurrency wallets. Europol’s European Cybercrime Center (EC3), Japan’s Cybercrime Control Center (JC3), and multiple private sector partners also played critical roles in the effort, Microsoft announced in a blog post.

The Lumma infostealer operation was so sophisticated it ran like a subscription business, complete with customer support and a cheerful marketing slogan: “making money with us is just as easy.”

A global strike on a malware-as-a-service giant

LummaC2, also known simply as Lumma, is a sophisticated Malware-as-a-Service (MaaS) sold on underground forums since 2022. It enables threat actors to steal login credentials, credit card information, cryptocurrency wallet data, and other sensitive digital assets.

In the blog, Microsoft revealed that between March 16 and May 16 this year, it detected over 394,000 Windows devices globally infected by Lumma. The malware’s reach spans across industries and geographies — from critical infrastructure and education systems to financial institutions and gaming communities.

“Lumma has become a go-to tool for cybercriminals and ransomware operators, including the notorious Octo Tempest group,” Microsoft stated in the blog post, emphasizing the malware’s evasive capabilities and ease of use. It often spreads via phishing campaigns, fake ads, and impersonation of trusted brands like Booking.com and Microsoft itself.

The DOJ statement also mentioned that the FBI had detected more than 1.7 million instances where LummaC2 was used to harvest credentials and other sensitive information.

Microsoft worked with cybersecurity partners, including ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry, to dismantle Lumma’s infrastructure.

More than 1,300 of the domains seized or transferred to Microsoft are now being redirected to “sinkholes” — systems designed to safely collect information from infected devices. This enables Microsoft to gather intelligence on ongoing threats and help victims recover, while also preventing further malware communication.

“This joint action is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of their campaigns, and hinder their illicit profits,” Microsoft noted.

2,300 domains neutralized, command infrastructure seized

As part of the legal action filed in the US District Court for the Northern District of Georgia, Microsoft secured authorization to seize and disrupt a core component of Lumma’s ecosystem: its domain infrastructure. These domains acted as communication nodes between infected devices and the malware’s operators.

According to the DOJ press release, its unsealed warrants targeted five critical domains, referred to as “user panels,” used by Lumma administrators and affiliates to deploy malware and manage stolen data. On May 19 and 20, federal agents successfully seized all five.

Following the takedown, visitors to the seized sites now see a DOJ seizure notice, effectively shutting down access to Lumma’s control interfaces.

Criminal innovation: Lumma’s rise and reach

The creator of Lumma, known online as “Shamel,” operates from Russia and has marketed the malware through Telegram and other Russian-language forums. Shamel branded the malware with a bird logo and the tagline: “making money with us is just as easy.”

A November 2023 interview with a researcher known as “g0njxa” revealed that Lumma had “about 400 active clients,” highlighting the professionalization of cybercrime, where tools like Lumma mimic software-as-a-service models with tiered pricing and affiliate support.

Looking ahead: Heightened vigilance needed

Despite the takedown, experts caution that Lumma and similar malware-as-a-service operations could resurface under new names or reconstituted infrastructure. The operation underscores the persistent threat posed by cybercriminals operating from jurisdictions that provide a safe haven or lack strong enforcement mechanisms.

“This action makes it harder, and more painful, for cybercriminals to operate,” Bryan Vorndran, assistant director of the FBI’s cyber division, said in the press release.

While the disruption is a major win, the threat landscape remains volatile. As attackers adapt, the global cybersecurity community must maintain its vigilance and deepen cross-sector collaboration to defend against an ever-evolving enemy.
