In a major win for cybersecurity, Microsoft and global law enforcement partners have shut down the Lumma Stealer malware operation, seizing over 2,300 domains that made up its command-and-control network. This takedown also blocked dark web marketplaces where cybercriminals rented the malware for credential theft and financial fraud.
The action—powered by a U.S. court order and coordinated with Europol and Japan’s Cybercrime Control Center (JC3)—has dismantled one of the most active malware-as-a-service (MaaS) platforms in recent years. Microsoft’s Digital Crimes Unit has now sinkholed more than 1,300 of the seized domains, redirecting infected systems to safe infrastructure for cleanup and analysis.
The U.S. Justice Department took down the central control panel running Lumma, while law enforcement partners in Europe and Asia tracked and eliminated residual infrastructure. The scale of the threat was significant: in a recent 60-day period, Microsoft found over 394,000 Windows machines still actively communicating with Lumma servers. Victims included everything from small schools to large multinational firms.
What Is Lumma Stealer and How It Worked
First spotted on Russian-language forums in 2022, Lumma Stealer emerged as a low-cost infostealer kit sold on a subscription basis. Cybercriminals could pay for different tiers, generate custom payloads, and launch attacks using spear-phishing emails, fake ads (malvertising), and infected websites.
The malware was designed to harvest a wide array of sensitive information:
- Browser passwords and cookies from Chromium-based browsers (Chrome, Edge), Firefox, and other Gecko-based browsers
- Autofill data and session tokens
- Cold wallet credentials for MetaMask, Electrum, and Exodus
- VPN configs (.ovpn), email clients, FTP credentials, and Telegram data
- Local files such as .pdf, .docx, .rtf from common user directories
- System metadata including CPU, OS version, locale, and installed apps
Microsoft noted that this data is usually sold on dark web forums or used in ransomware attacks and data extortion. What made Lumma especially dangerous was its ability to bypass some security tools, making it hard to detect and easy to spread.
Who Was Behind It?
According to Microsoft, the person behind Lumma is a Russian developer known as “Shamel”, who promoted the service on Telegram and cybercrime forums. In a 2023 interview, Shamel claimed to have around 400 active clients, with license fees ranging from $250 to $20,000, depending on access level—including an option to purchase the full source code.
Unlike earlier infostealers that relied mostly on spam, Lumma used a multi-vector delivery model. Its operators were skilled at impersonating legitimate sources and crafting tailored attacks, which made the malware even more effective.
With its infrastructure dismantled and domain traffic rerouted to safe servers, the Lumma operation is now effectively crippled. But Microsoft warns that the volume of infected systems remains high, and urges organizations to:
- Run malware scans immediately
- Check logs for contact with Lumma domains
- Update endpoint protection and browser security settings
- Educate users about phishing, malvertising, and suspicious downloads
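The second recommendation, checking logs for contact with Lumma domains, can be automated. The script below is an added example written for this article, not code from Microsoft or the takedown team; the watchlist entries, the DNS log line format and the sample log lines are all constructed placeholders, since the article does not list the seized domains.

```python
import re
from collections import defaultdict

# Constructed watchlist: placeholder names standing in for the seized
# Lumma domains, which this article does not list. Feed a real IOC list here.
LUMMA_WATCHLIST = {
    "lumma-c2-example.invalid",
    "stealer-panel-example.invalid",
}

# Assumed DNS log shape: "<timestamp> <client-ip> query <queried-name>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")

def domain_matches(name, watchlist):
    """True if name equals a watchlisted domain or is a subdomain of one.

    Label-wise comparison avoids substring false positives such as
    'notlumma-c2-example.invalid' matching 'lumma-c2-example.invalid'.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        if ".".join(labels[i:]) in watchlist:
            return True
    return False

def find_contacts(log_lines, watchlist=LUMMA_WATCHLIST):
    """Return {client_ip: sorted watchlisted names it queried}."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed shape
        _ts, client, qname = m.groups()
        if domain_matches(qname, watchlist):
            hits[client].add(qname.rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2025-05-21T10:01:02Z 10.0.0.15 query update.lumma-c2-example.invalid.",
    "2025-05-21T10:01:09Z 10.0.0.22 query www.example.com",
    "2025-05-21T10:02:31Z 10.0.0.15 query stealer-panel-example.invalid",
    "2025-05-21T10:03:00Z 10.0.0.40 query notlumma-c2-example.invalid",
    "malformed line",
]

if __name__ == "__main__":
    for client, names in sorted(find_contacts(SAMPLE_LOG).items()):
        print(f"{client} contacted: {', '.join(names)}")
```

Hosts that appear in the output are candidates for the first recommendation, an immediate malware scan, and their query timestamps bound when the infection was active.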
Steven Masada, Assistant General Counsel in Microsoft’s Digital Crimes Unit, summed it up: “Lumma was cheap, stealthy, and effective. Taking it down disrupts a major tool in the cybercriminal playbook.”
This takedown is part of Microsoft’s broader push to dismantle cybercrime-as-a-service ecosystems, and it sends a clear signal: even well-hidden malware operations are not beyond reach.