A coalition of US, European, and Japanese authorities, in collaboration with major tech companies such as Microsoft and Cloudflare, has successfully disrupted an infostealer malware known as Lumma. This malware, widely used by cybercriminals, has been implicated in the theft of passwords, credit card information, banking details, and cryptocurrency wallets. Originating from Russia, Lumma has enabled various cybercriminal operations including the draining of bank accounts and data extortion campaigns.
Microsoft’s Digital Crimes Unit (DCU) obtained a court order to take down approximately 2,300 domains that were critical to Lumma’s infrastructure. The US Department of Justice also seized command-and-control servers and dismantled cybercriminal marketplaces linked to this malware, with assistance from Europol and Japan’s Cybercrime Control Center.
Lumma, also referred to as LummaC2, gained popularity because it is easy to distribute and difficult to detect, and it is often built to evade security tooling. It spread through targeted phishing campaigns that frequently impersonated established organizations such as Microsoft. In 2025 alone, Microsoft reported over 394,000 Windows infections attributable to Lumma, which was widely discussed on cybercrime forums.
The collaborative effort aimed not only to disrupt Lumma’s current operations but also to prevent the malware’s developers from quickly reestablishing their network on alternative infrastructure. Cloudflare contributed significantly by blocking command-and-control server domains and banning related accounts so that the operators could not regain control.
Cybercriminals frequently utilize infostealers like Lumma not just for immediate financial gain but as tools for larger operations, gathering sensitive data that can facilitate further hacking attacks. The malware first appeared in 2022 and has seen continuous enhancements, including efforts to integrate AI capabilities to streamline the extraction and organization of compromised data.
The main developer of Lumma, known by the alias “Shamel,” conducted operations through various online forums, selling different service tiers that enabled users to customize their malware experience. Even prior to the takedown, some users on cybercriminal forums expressed concern about potential law enforcement actions targeting Lumma.
The disruption is part of a broader trend of coordinated law enforcement action against infostealers, which, despite such setbacks, continue to grow in prominence in cybercrime. Although Lumma is one of the most significant malware threats taken down recently, its case underscores the ongoing challenge of countering sophisticated cybercriminal tactics, particularly as infostealers become integral to many hacking operations.
For more information, see: