Lumma Stealer Infrastructure With 2,300 Domains That Attacks Millions of Users Worldwide Seized

In a coordinated global operation announced on May 21, 2025, law enforcement and cybersecurity partners have successfully disrupted the infrastructure behind Lumma Stealer, one of the most prolific information-stealing malware operations targeting users worldwide.

The Justice Department, in conjunction with Microsoft and other cybersecurity partners, seized approximately 2,300 internet domains used to operate this sophisticated malware-as-a-service (MaaS) platform that has affected millions of victims across the globe.

Lumma Stealer, also known as LummaC2, emerged as one of the most active infostealers in the cybercrime ecosystem over the past two years.

The malware has been used to harvest sensitive data including browser credentials, cryptocurrency wallet information, and banking details.

According to court documents, the FBI identified at least 1.7 million instances where LummaC2 was deployed to steal user information, with the stolen data subsequently sold on underground marketplaces.

According to ESET researchers and the Justice Department's court filings, Lumma Stealer is sold on a tiered subscription model priced from $250 to $1,000 per month.

Subscribers bought access to the malware and its infrastructure, with each tier adding capabilities for data theft and evasion; the higher tiers added custom data collection tools, improved evasion techniques, and early access to new features.

The operation involved collaboration between multiple entities including ESET, Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry.

The Justice Department specifically seized five critical domains that served as user panels, effectively preventing Lumma Stealer administrators and their clients from accessing the command and control infrastructure.

The official Lumma Stealer documentation (Source – Securelist)

Meanwhile, Microsoft’s independent civil action targeted the broader network of 2,300 domains used by the operation.

“The Department will continue to use its unique tools, authorities, and partnerships to disrupt malicious cyber operations and criminal networks,” said Sue J. Bai, head of the Justice Department’s National Security Division, highlighting the significance of this disruption in protecting the public from cybersecurity threats.

Technical Infrastructure and Evasion Mechanisms

Lumma Stealer's C&C configuration was built to resist static extraction of indicators and to survive the loss of individual servers.

ESET's analysis shows that the protection applied to the embedded C&C list changed significantly over time, moving from simple XOR obfuscation to ChaCha20.

Until January 2025, the command and control (C&C) domains in Lumma Stealer samples were protected by XOR encryption and base64 encoding.

Lumma Stealer C&C communication flow (Source – Securelist)

The first 32 bytes of the decoded string served as an XOR key, with the remaining bytes containing the encrypted domain.

In January 2025, the operators switched to ChaCha20 with a single hardcoded key and nonce to protect the C&C list, as the key and nonce constants in the disassembled .rdata section show:

.rdata:04ABF238 m_chacha_key   dd 8F321C69h
.rdata:04ABF23C               dd 97C54A28h
.rdata:04ABF240               dd 4F339FCDh
.rdata:04ABF244               dd 5E73F966h
.rdata:04ABF248               dd 4691804Bh
.rdata:04ABF24C               dd 0C934B9Eh
.rdata:04ABF250               dd 9FD7D107h
.rdata:04ABF254               dd 4B84DF13h
.rdata:04ABF258 m_chacha_nonce dd 39479DA5h

Perhaps most ingeniously, Lumma Stealer incorporated fallback mechanisms using “dead-drop resolvers” through seemingly innocent Steam profiles and Telegram channels.

C&C selection mechanism (Source – Securelist)

If the primary C&C servers fail to respond, the malware extracts backup C&C URLs from a Steam profile name or a Telegram channel title, where the value is obfuscated with a simple Caesar cipher (ROT11).

This design let the operation keep running even after parts of its infrastructure had been seized or blocked.
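The fallback path described above, as an added example of the selection logic and the ROT11 dead-drop decoding (not code from the page or from the malware). The direction of the shift (published name = domain shifted forward by 11), the HTML class names used to pull the Steam persona name and Telegram page title, and every domain and page fragment are assumptions constructed for this example; the reachability check is a stand-in for the real check-in.

```python
import re
from typing import Callable, Iterable, Optional


def rot_n(text: str, n: int) -> str:
    """Caesar-shift ASCII letters by n; digits, dots and hyphens pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot11_decode(published: str) -> str:
    """Assumption: the published name is the domain shifted forward by 11, so undo that."""
    return rot_n(published, -11)


# Extractors for the two dead-drop carriers named in the article. The HTML class names
# are assumptions of this example, not taken from the malware.
STEAM_NAME_RE = re.compile(r'class="actual_persona_name">([^<]+)<')
TELEGRAM_TITLE_RE = re.compile(r'class="tgme_page_title">\s*<span[^>]*>([^<]+)<')


def extract_dead_drop(html: str, pattern: re.Pattern) -> Optional[str]:
    """Pull the carrier string out of a fetched page and decode it, or None if absent."""
    m = pattern.search(html)
    return rot11_decode(m.group(1).strip()) if m else None


# Constructed page fragments standing in for a fetched Steam profile and Telegram channel
# page; the names are ROT11 of 'backup-one.example.test' and 'backup-two.example.test'.
SAMPLE_STEAM_HTML = ('<div class="profile_header">'
                     '<span class="actual_persona_name">mlnvfa-zyp.pilxawp.epde</span></div>')
SAMPLE_TELEGRAM_HTML = ('<div class="tgme_page_title"><span dir="auto">'
                        'mlnvfa-ehz.pilxawp.epde</span></div>')

PRIMARY_C2S = ["primary-1.example.test", "primary-2.example.test"]   # constructed


def select_c2(primary: Iterable[str],
              dead_drops: Iterable[Callable[[], Optional[str]]],
              is_alive: Callable[[str], bool]) -> Optional[str]:
    """Walk the embedded list first; only when every entry fails, consult the
    dead-drop resolvers in order."""
    for domain in primary:
        if is_alive(domain):
            return domain
    for fetch in dead_drops:
        backup = fetch()
        if backup and is_alive(backup):
            return backup
    return None


def resolve_with(alive: set) -> Optional[str]:
    """Run the selection with a fake reachability check (`alive` = domains that answer).
    A real sample would issue an HTTPS check-in instead."""
    dead_drops = [lambda: extract_dead_drop(SAMPLE_STEAM_HTML, STEAM_NAME_RE),
                  lambda: extract_dead_drop(SAMPLE_TELEGRAM_HTML, TELEGRAM_TITLE_RE)]
    return select_c2(PRIMARY_C2S, dead_drops, lambda d: d in alive)


if __name__ == "__main__":
    # Simulate a seizure: embedded domains and the Steam drop are down, Telegram drop still up.
    print(resolve_with({"backup-two.example.test"}))
```

The defensive takeaway is that seizing the embedded domains alone does not cut the sample off: the Steam profile and Telegram channel referenced by a sample are indicators in their own right and belong in the same takedown and blocklist effort.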

The disruption operation marks a significant blow to the cybercriminal ecosystem, removing a major tool used for initial access in many cyberattacks.

According to ESET’s telemetry data, Lumma Stealer left no part of the world untouched, with a consistent global presence that peaked in early 2025.

FBI Assistant Director Bryan Vorndran emphasized, “We took action against the most popular infostealer service available in online criminal markets.

Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels, making it harder and more painful for cybercriminals to operate.”
