Microsoft, in a sweeping global operation, has dismantled the infrastructure of Lumma Stealer, a notorious Malware-as-a-Service (MaaS) that infected over 394,000 Windows PCs worldwide between March 16 and May 16, 2025.
This information-stealing malware, first identified in 2022, targets browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge, siphoning sensitive data such as passwords, credit card details, and cryptocurrency wallets.
Orchestrated by Microsoft’s Digital Crimes Unit (DCU) with support from the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Center, the takedown seized 2,300 malicious domains and disrupted underground marketplaces.
As cybercriminals attempt to rebuild, Microsoft’s proactive measures and industry partnerships signal a robust defense against escalating cyber threats, with Lumma linked to ransomware, school breaches, and financial fraud.
Lumma Stealer: A Stealthy Cyber Threat
Lumma Stealer, also known as LummaC2, thrives due to its ease of distribution and ability to evade traditional security measures. Deployed through sophisticated spear-phishing campaigns and malvertising, it often masquerades as trusted brands like Microsoft or Booking.com.
In March 2025, a phishing scam impersonating Booking.com used Lumma to perpetrate financial fraud, while other campaigns leveraged fake AI video tools and cracked software like TradingView to spread infections.
Recent data reveals Lumma’s impact extends to 1.8 million devices in 2024, with a 12% surge in stolen credentials sold on dark web markets. Its versatility allows it to extract browser credentials, cryptocurrency wallet keys, and system metadata, making it a favorite among groups like Scattered Spider.
Did You Know?
Lumma Stealer’s developer, “Shamel,” boasted of 400 active clients in 2023, with subscription tiers ranging from $250 to $20,000 for access to the malware’s source code.
Global Takedown: A Collaborative Triumph
On May 13, 2025, Microsoft’s DCU secured a court order from the U.S. District Court of the Northern District of Georgia, enabling the seizure of 2,300 domains forming Lumma’s command-and-control backbone. Over 1,300 of these domains were sinkholed, redirecting traffic to Microsoft-controlled servers for monitoring and victim remediation.
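Sinkholing only helps victims if someone acts on the resulting telemetry: infected machines keep querying the seized domains, so matching internal DNS logs against the published domain list is the standard way to find hosts that need remediation. The script below is an added illustration of that check; it is not code from the article, from Microsoft’s DCU, or from any partner, and the domain names and log lines in it are constructed placeholders rather than real Lumma indicators.

```python
"""
Added example (not from the article or from Microsoft's DCU): matching
resolver query logs against a takedown's seized/sinkholed-domain list to
identify hosts that still beacon and therefore need remediation.
All domains and log lines below are constructed placeholders.
"""
from collections import defaultdict
import re

# Constructed placeholder indicators standing in for a published seized-domain list.
SEIZED_DOMAINS = {
    "example-c2-one.invalid",
    "example-c2-two.invalid",
}

# Constructed resolver log lines in a simplified BIND-style query log format.
DNS_LOG = """\
14-May-2025 09:12:01.114 client 10.0.4.17#51234: query: example-c2-one.invalid IN A +
14-May-2025 09:12:05.220 client 10.0.4.17#51240: query: api.example-c2-one.invalid IN A +
14-May-2025 09:13:44.009 client 10.0.7.2#40011: query: update.microsoft.com IN A +
14-May-2025 09:15:10.511 client 10.0.9.88#60222: query: example-c2-two.invalid IN A +
14-May-2025 09:16:00.002 client 10.0.4.17#51301: query: notexample-c2-one.invalid IN A +
"""

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def matches_seized(qname: str, seized=SEIZED_DOMAINS) -> bool:
    """True if qname is a seized domain or a subdomain of one.

    Matching is label-aligned: 'notexample-c2-one.invalid' must NOT match
    'example-c2-one.invalid', which a naive endswith() check would get wrong.
    """
    name = qname.rstrip(".").lower()
    for dom in seized:
        if name == dom or name.endswith("." + dom):
            return True
    return False


def find_infected_hosts(log_text: str, seized=SEIZED_DOMAINS) -> dict:
    """Map each querying client IP to the sorted list of seized names it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        qname = m.group("qname")
        if matches_seized(qname, seized):
            hits[m.group("ip")].add(qname.rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in find_infected_hosts(DNS_LOG).items():
        print(f"{ip}: remediate (queried {', '.join(names)})")
```

In practice the seized-domain list would be loaded from the takedown's published indicators and the log text read from the resolver's query log; the label-aligned match matters because lookalike names that merely share a suffix would otherwise produce false positives.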
The U.S. Department of Justice dismantled Lumma’s central control panel, while Europol and Japan’s Cybercrime Control Center neutralized regional infrastructure. Industry partners, including Cloudflare, ESET, and Lumen, bolstered the effort by blocking servers and domains.
Despite this disruption, Microsoft warns that Lumma’s Russia-based developer, “Shamel,” who markets the malware on Telegram for $250-$1,000 subscriptions, is attempting to rebuild, illustrating the importance of ongoing vigilance.
Protecting Users in a Digital Age
The takedown highlights the evolving cybercrime landscape, with infostealers like Lumma fueling high-profile breaches in education, healthcare, and finance. Microsoft’s Defender antivirus now detects LummaC2, offering protection across Windows, Office 365, and Endpoint platforms.
Experts recommend multi-factor authentication, updated anti-malware software, and caution with email links to thwart such threats.
The operation’s success, coupled with a 15% rise in global cybersecurity collaboration in 2025, sets a precedent for public-private partnerships in combating digital crime, though Lumma’s resilience suggests the fight is far from over.