{"id":3290,"date":"2025-05-22T12:29:52","date_gmt":"2025-05-22T12:29:52","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3290"},"modified":"2025-05-22T12:29:52","modified_gmt":"2025-05-22T12:29:52","slug":"feds-and-microsoft-crush-lumma-stealer-that-stole-millions-of-passwords","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3290","title":{"rendered":"Feds and Microsoft crush Lumma Stealer that stole millions of passwords"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft and the US Department of Justice have dismantled one of the world\u2019s largest cybercrime operations, seizing over 2,300 malicious domains and shutting down the Lumma Stealer malware that infected nearly 400,000 computers worldwide.<\/p>\n<p>The coordinated takedown targeted a Russian-led criminal enterprise that had become the weapon of choice for hundreds of cybercriminals seeking to steal passwords, credit card numbers, and cryptocurrency wallets. 
Europol\u2019s European Cybercrime Center (EC3), Japan\u2019s Cybercrime Control Center (JC3), and multiple private sector partners also played critical roles in the effort, Microsoft announced in a blog post.<\/p>\n<p>The Lumma <a href=\"https:\/\/www.csoonline.com\/article\/3951147\/infostealer-malware-poses-potent-threat-despite-recent-takedowns.html\">infostealer<\/a> operation was so sophisticated it ran like a subscription business, complete with customer support and a cheerful marketing slogan: \u201cmaking money with us is just as easy.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A global strike on a malware-as-a-service giant<\/h2>\n<p>LummaC2, also known simply as Lumma, is a sophisticated <a href=\"https:\/\/www.csoonline.com\/article\/534468\/malware-cybercrime-for-malware-as-a-service-merchants-business-is-booming.html\">Malware-as-a-Service<\/a> (MaaS) sold on underground forums since 2022. It enables threat actors to steal login credentials, credit card information, cryptocurrency wallet data, and other sensitive digital assets.<\/p>\n<p>In the blog, Microsoft revealed that between March 16 and May 16 this year, it detected over 394,000 Windows devices globally infected by Lumma. The malware\u2019s reach spans industries and geographies \u2014 from critical infrastructure and education systems to financial institutions and gaming communities.<\/p>\n<p>\u201cLumma has become a go-to tool for cybercriminals and ransomware operators, including the notorious Octo Tempest group,\u201d Microsoft stated in the blog post, emphasizing the malware\u2019s evasive capabilities and ease of use. 
It often spreads via phishing campaigns, fake ads, and impersonation of trusted brands like Booking.com and Microsoft itself.<\/p>\n<p>The DOJ statement also mentioned that the FBI had detected more than 1.7 million instances where LummaC2 was used to harvest credentials and other sensitive information.<\/p>\n<p>Microsoft worked with cybersecurity partners, including ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry, to dismantle Lumma\u2019s infrastructure.<\/p>\n<p>More than 1,300 of the domains seized or transferred to Microsoft are now being redirected to \u201csinkholes\u201d \u2014 systems designed to safely collect information from infected devices. This enables Microsoft to gather intelligence on ongoing threats and help victims recover, while also preventing further malware communication.<\/p>\n<p>\u201cThis joint action is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of their campaigns, and hinder their illicit profits,\u201d Microsoft noted.<\/p>\n<h2 class=\"wp-block-heading\">2,300 domains neutralized, command infrastructure seized<\/h2>\n<p>As part of the legal action filed in the US District Court for the Northern District of Georgia, Microsoft secured authorization to seize and disrupt a core component of Lumma\u2019s ecosystem: its domain infrastructure. These domains acted as communication nodes between infected devices and the malware\u2019s operators.<\/p>\n<p>According to the DOJ press release, its unsealed warrants targeted five critical domains, referred to as \u201cuser panels,\u201d used by Lumma administrators and affiliates to deploy malware and manage stolen data. 
On May 19 and 20, federal agents successfully seized all five.<\/p>\n<p>Following the takedown, visitors to the seized sites now see a DOJ seizure notice, effectively shutting down access to Lumma\u2019s control interfaces.<\/p>\n<h2 class=\"wp-block-heading\">Criminal innovation: Lumma\u2019s rise and reach<\/h2>\n<p>The creator of Lumma, known online as \u201cShamel,\u201d operates from Russia and has marketed the malware through Telegram and other Russian-language forums. Shamel branded the malware with a bird logo and the tagline: \u201cmaking money with us is just as easy.\u201d<\/p>\n<p>A November 2023 interview with a researcher known as \u201cg0njxa\u201d revealed that Lumma had \u201cabout 400 active clients,\u201d highlighting the professionalization of cybercrime, where tools like Lumma mimic software-as-a-service models with tiered pricing and affiliate support.<\/p>\n<h2 class=\"wp-block-heading\">Looking ahead: Heightened vigilance needed<\/h2>\n<p>Despite the takedown, experts caution that Lumma and similar malware-as-a-service operations could resurface under new names or reconstituted infrastructure. The operation underscores the persistent threat posed by cybercriminals operating from jurisdictions that provide a safe haven or lack strong enforcement mechanisms.<\/p>\n<p>\u201cThis action makes it harder, and more painful, for cybercriminals to operate,\u201d Bryan Vorndran, assistant director of the FBI\u2019s cyber division, said in the press release.<\/p>\n<p>While the disruption is a major win, the threat landscape remains volatile. 
As attackers adapt, the global cybersecurity community must maintain its vigilance and deepen cross-sector collaboration to defend against an ever-evolving enemy.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft and the US Department of Justice have dismantled one of the world\u2019s largest cybercrime operations, seizing over 2,300 malicious domains and shutting down the Lumma Stealer malware that infected nearly 400,000 computers worldwide. The coordinated takedown targeted a Russian-led criminal enterprise that had become the weapon of choice for hundreds of cybercriminals seeking to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3289,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3290","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3290"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3290"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3290\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3289"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3290"},{"taxonomy":"post_tag","embeddable":true,"
href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}