Disruption of Lumma Infostealer Malware Operation: Seizure of 2,300 Domains


Earlier this month, a highly coordinated disruption effort targeted the Lumma malware-as-a-service (MaaS) information stealer operation, resulting in the seizure of thousands of domains and a significant portion of its global infrastructure.

This operation, a collaboration between multiple technology companies and law enforcement agencies, culminated in Microsoft’s seizure of approximately 2,300 domains following legal action it filed against the operation on May 13, 2025. Concurrently, the U.S. Department of Justice seized Lumma’s control panel and disrupted the online marketplaces where the malware was sold. Europol’s European Cybercrime Centre (EC3) and Japan’s Cybercrime Control Center (JC3) further contributed to the operation by seizing Lumma infrastructure located in Europe and Japan.

“Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by Lumma malware. Through collaboration with law enforcement and industry partners, we successfully severed communications between the malware and its victims,” stated Steven Masada, Assistant General Counsel of Microsoft’s Digital Crimes Unit.

The disruption cuts the Lumma operators off from their control panel, from the marketplace where stolen data is sold, and from the internet infrastructure used to collect and manage exfiltrated data. These actions impose both operational and financial costs on the Lumma operators and their customers, forcing them to rebuild on alternative infrastructure before they can resume operations.

In addition to Microsoft, other companies involved in this joint effort include ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and global law firm Orrick.

Cloudflare reported that Lumma Stealer abused its services to obscure the origin IP addresses of the servers used to collect stolen credentials and data. Although Cloudflare suspended the domains associated with the operation, the malware was able to bypass Cloudflare’s interstitial warning page, so additional measures were needed to stop data exfiltration. “Cloudflare’s Trust and Safety team consistently flagged domains used by the criminals and suspended their accounts,” according to a Cloudflare report. After Lumma was observed bypassing the warning page in February 2025, Cloudflare added a Turnstile challenge to the interstitial so that automated malware clients could no longer get past it.

Overview of Lumma Malware

Lumma, also referred to as LummaC2, is a malware-as-a-service information stealer targeting Windows systems. Cybercriminals rent it for subscription fees ranging from $250 to $1,000 per month, depending on the tier. The malware has advanced evasion and data theft capabilities and is distributed through a wide range of channels, including GitHub comments, fake deepfake nude generator sites, and malvertising campaigns.

Once a system is compromised, Lumma harvests sensitive data from web browsers and applications, including cryptocurrency wallets, cookies, saved credentials, credit card information, and browsing history from popular browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. The stolen data is packaged into an archive and transmitted to attacker-controlled servers, from where it is sold on cybercrime marketplaces or used in follow-on attacks.

Introduced to cybercrime forums in December 2022, Lumma gained significant traction among cybercriminals within a few months. According to IBM X-Force’s 2025 threat intelligence report, there has been a 12% increase in the availability of stolen credentials from infostealers on the dark web over the past year. This follows a staggering 84% rise in infostealer deliveries via phishing, with Lumma emerging as the most prevalent option.

Lumma has been implicated in extensive malvertising campaigns affecting hundreds of thousands of PCs and has been deployed by notorious threat groups, including the Scattered Spider cybercrime collective. Furthermore, data harvested from this information-stealing malware has contributed to significant security breaches affecting numerous organizations.

Credentials stolen by infostealer malware not only enable corporate network breaches but have also been used to tamper with internet routing, as demonstrated by the hijacking of a RIPE account that was then used to alter BGP routing and RPKI configuration and cause a network outage.

The coordinated takedown of Lumma’s infrastructure is a significant step, but it also underscores how resilient and well-resourced malware-as-a-service operations have become, and why continued vigilance against infostealers is necessary.