Authorities Carry Out Elaborate Global Takedown of Infostealer Heavily Used by Cybercriminals

A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma. One of the most popular infostealers worldwide, Lumma has been used by hundreds of what Microsoft calls “cyber threat actors” to steal passwords, credit card and banking information, and cryptocurrency wallet details. The tool, which officials say is developed in Russia, has provided cybercriminals with the information and credentials they needed to drain bank accounts, disrupt services, and carry out data extortion attacks against schools, among other things.

Microsoft’s Digital Crimes Unit (DCU) obtained an order from a United States district court last week to seize and take down about 2,300 domains underpinning Lumma’s infrastructure. At the same time, the US Department of Justice seized Lumma’s command and control infrastructure and disrupted cybercriminal marketplaces that sold the Lumma malware. All of this was coordinated, too, with disruption of regional Lumma infrastructure by Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center.

Microsoft lawyers wrote on Wednesday that Lumma, which is also known as LummaC2, has spread so broadly because it is “easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses.” Steven Masada, assistant general counsel at Microsoft’s DCU, says in a blog post that Lumma is a “go-to tool,” including for the notorious Scattered Spider cybercriminal gang. Attackers distribute the malware using targeted phishing attacks that typically impersonate established companies and services, like Microsoft itself, to trick victims.

“In 2025, probably following Redline’s disruption and Lumma’s own development, it has ranked as the most active module, indicating its growing popularity and widespread adoption among cybercriminals,” says Victoria Kivilevich, director of threat research at security firm Kela.

Microsoft says that more than 394,000 Windows computers were infected with the Lumma malware between March 16 and May 16 this year. And Lumma was mentioned in more than 21,000 listings on cybercrime forums in the spring of 2024, according to figures cited in a notice published today by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The malware has been spotted bundled in fake AI video generators, fake “deepfake” generation websites, and distributed by fake CAPTCHA pages.

Law enforcement’s collaboration with Microsoft’s DCU and other tech companies like Cloudflare focused on disrupting Lumma’s infrastructure in multiple ways, so its developers could not simply hire new providers or create parallel systems to rebuild.

“Cloudflare’s role in the disruption included blocking the command and control server domains, Lumma’s Marketplace domains, and banning the accounts that were used to configure the domains,” the company wrote in a blog post on Wednesday. “Microsoft coordinated the takedown of Lumma’s domains with multiple relevant registries in order to ensure that the criminals could not simply change the name servers and recover their control.”

While infostealing malware has been around for years, its use by cybercriminals and nation-state hackers has surged since 2020. Typically, infostealers find their way onto people’s computers through downloads of pirated software or through targeted phishing attacks that impersonate established companies and services, like Microsoft itself, to trick victims. Once on a computer it is able to grab sensitive information—such as usernames and passwords, financial information, browser extensions, multifactor authentication details and more—and send it back to the malware’s operators.

Some infostealer operators bundle and sell this stolen data. But increasingly the compromised details have acted as a gateway for hackers to launch further attacks, providing them with the details needed to access online accounts and the networks of multi-billion dollar corporations.

“It’s clear that infostealers have become more than just grab-and-go malware,” says Patrick Wardle, CEO of the Apple device-focused security firm DoubleYou. “In many campaigns they really act as the first stage, collecting credentials, access tokens, and other foothold-enabling data, which is then used to launch more traditional, high-impact attacks such as lateral movement, espionage, or ransomware.”

The Lumma infostealer first emerged on Russian-language cybercrime forums in 2022, according to the FBI and CISA. Since then its developers have upgraded its capabilities and released multiple different versions of the software.

Since 2023, for example, they have been working to integrate AI into the malware platform, according to findings from the security firm Trellix. Attackers want to add these capabilities to automate some of the work involved in cleaning up the massive amounts of raw data collected by infostealers, including identifying and separating “bot” accounts that are less valuable for most attackers.

One administrator of Lumma told 404Media and WIRED last year that they encouraged both seasoned hackers and new cybercriminals to use their software. “This brings us good income,” the administrator said, referring to the resale of stolen login data.

Microsoft says that the main developer behind Lumma goes by the online handle “Shamel” and is based in Russia.

“Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums,” Microsoft’s Masada wrote on Wednesday. “Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal.”

Kela’s Kivilevich says that in the days leading up to the takedown, some cybercriminals started to complain on forums that there had been problems with Lumma. They even speculated that the malware platform had been targeted in a law enforcement operation.

“Based on what we see, there is a wide range of cybercriminals admitting they are using Lumma, such as actors involved in credit card fraud, initial access sales, cryptocurrency theft, and more,” Kivilevich says.

Among other tools, the Scattered Spider hacking group—which has attacked Caesars Entertainment, MGM Resorts International, and other victims—has been spotted using the Lumma stealer. Meanwhile, according to a report from TechCrunch, the Lumma malware was allegedly used in the build up to the December 2024 hack of education tech firm PowerSchool, in which more than 70 million records were stolen.

“We’re now seeing infostealers not just evolve technically, but also play a more central role operationally,” says DoubleYou’s Wardle. “Even nation-state actors are developing and deploying them.”

Ian Gray, director of analysis and research at the security firm Flashpoint, says that while infostealers are only one tool that cybercriminals will use, their prevalence may make it easier for cybercriminals to hide their tracks. “Even advanced threat actor groups are leveraging infostealer logs, or they risk burning sophisticated tactics, techniques, and procedures (TTPs),” Gray says.

Lumma isn’t the first infostealer to be targeted by law enforcement. In October last year, the Dutch National Police, along with international partners, took down the infrastructure linked to the RedLine and MetaStealer malware, and the US Department of Justice unsealed charges against Maxim Rudometov, one of the alleged developers and administrators of the RedLine infostealer.

Despite the international crackdown, infostealers have proven too useful and effective for attackers to abandon. As Flashpoint’s Gray puts it, “Even if the landscape ultimately shifts due to the evolution of defenses, the growing prominence of infostealers over the past few years suggests they are likely here to stay for the foreseeable future. Usage of them has exploded.”