Global operation takes down world’s largest infostealer tool used to steal passwords, bank data, and crypto wallets
Microsoft has announced the takedown of the Lumma Stealer malware operation, a prolific cybercrime tool that infected more than 394,000 Windows computers globally between March 16 and May 16. Working in concert with law enforcement agencies in the US, Europe, and Japan, Microsoft’s Digital Crimes Unit (DCU) helped to seize 2,300 domains and sever the infrastructure enabling Lumma’s widespread theft of passwords, bank details, credit cards, and cryptocurrency wallets.
Lumma Stealer—described by Microsoft as a “Malware-as-a-Service” (MaaS)—has been sold via underground forums since at least 2022. It enabled threat actors to extract sensitive data from infected systems and profit through resale or further exploitation. Its ease of use, ability to bypass some security defences, and adaptability made it the go-to tool for cybercriminals and ransomware gangs such as Octo Tempest, also known as Scattered Spider.
The operation, coordinated by Microsoft and supported by the US Department of Justice, Europol, and Japan’s Cybercrime Control Center, led to the seizure of Lumma’s central command structure and the takedown of online marketplaces where the malware was sold. Europol described the takedown as a landmark example of public-private cooperation, with Microsoft also receiving assistance from cybersecurity companies including Cloudflare, Bitsight, Lumen, ESET, and CleanDNS.
“This operation is a clear example of how public-private partnerships are transforming the fight against cybercrime,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre.
Microsoft said 1,300 of the seized or transferred domains will now redirect to “sinkholes,” allowing its security teams to monitor and help protect users who were previously compromised. The company also noted that Lumma was linked to attacks across education, healthcare, manufacturing, finance, and logistics sectors.
What is Lumma Stealer?
Lumma Stealer, also known as LummaC2, was developed by a Russian hacker operating under the alias “Shamel.” It was sold on a tiered subscription basis via Telegram and Russian-language cybercrime forums. Subscribers could customise the malware, build new variants, and track stolen data using a control panel.
Highly modular and stealthy, Lumma was capable of:
- Harvesting browser passwords, session cookies, and autofill data.
- Stealing data from cryptocurrency wallets such as MetaMask, Electrum, and Exodus.
- Extracting documents and credentials from email clients, VPNs, and FTP software.
- Profiling victim systems to assist in further exploitation.
The malware also featured advanced techniques like process injection, memory-only execution, and evasion of behavioural monitoring tools. It was distributed through multiple vectors including phishing emails, malvertising, drive-by downloads, pirated software, and fake CAPTCHAs that tricked users into executing malicious code via Windows’ Run prompt.
In one campaign identified in March 2025, hackers used Lumma to impersonate Booking.com in phishing emails. Other attacks targeted gaming communities, universities, and critical infrastructure operators.
Technical sophistication and evolving threats
Microsoft’s detailed breakdown of the malware’s command-and-control (C2) infrastructure showed a multi-tiered and encrypted communication system that used Telegram and Steam as fallbacks to hide C2 domains. The malware evolved through at least six major versions, each introducing new obfuscation methods, modified protocols, and plugin support for additional capabilities such as clipboard hijacking and cryptojacking.
The company noted that while some domains and servers have been neutralised, Lumma’s design allows for rapid reconstitution—a reality that underscores the ongoing threat posed by MaaS ecosystems.
“The growth and resilience of Lumma Stealer highlights the broader evolution of cybercrime and underscores the need for layered defences and industry collaboration,” Microsoft said.
Recommendations and future steps
To defend against similar threats, Microsoft recommends organisations:
- Enable tamper protection, web protection, and endpoint detection in block mode via Microsoft Defender.
- Enforce multi-factor authentication (MFA) and favour phishing-resistant methods.
- Monitor for suspicious PowerShell, mshta, and Run prompt activity.
- Restrict use of known abuse tools and enforce AppLocker policies where possible.
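The third recommendation, monitoring for suspicious PowerShell, mshta and Run prompt activity, as an added detection example that is not part of the article or of Microsoft's guidance: a small heuristic in Python run over constructed process-creation records. It assumes each record carries parent, image and cmdline fields (as a Sysmon-style process-creation log provides) and relies on the fact that the Run dialog (Win+R) launches its child directly under explorer.exe; the field names, patterns and sample events are assumptions for illustration.

```python
import re

# Interpreters the recommendation singles out; matched case-insensitively.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Command-line traits commonly seen when a user has been tricked into pasting a
# command: remote content fetched at launch, encoded or hidden execution, and
# profile or policy suppression.
SUSPICIOUS_ARGS = [
    (r"https?://", "remote URL on command line"),
    (r"(?<![\w-])-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"(?<![\w-])-w(indowstyle)?\s+hidden\b", "hidden window"),
    (r"(?<![\w-])-(nop|noprofile)\b", "profile suppressed"),
    (r"(?<![\w-])-(ep|executionpolicy)\s+bypass\b", "execution policy bypass"),
    (r"\b(iex|invoke-expression)\b", "in-memory expression evaluation"),
]

def assess_event(event):
    """Return the reasons an event looks like Run-prompt abuse ([] if benign)."""
    if event["image"].lower() not in SCRIPT_HOSTS:
        return []
    reasons = []
    # The Run dialog spawns its child directly under explorer.exe.
    if event["parent"].lower() == "explorer.exe":
        reasons.append("script host launched from explorer.exe (Run prompt or shell)")
    cmdline = event["cmdline"].lower()
    for pattern, why in SUSPICIOUS_ARGS:
        if re.search(pattern, cmdline):
            reasons.append(why)
    # Require at least two hits so an admin opening a plain interactive
    # PowerShell window from the Run dialog is not flagged on its own.
    return reasons if len(reasons) >= 2 else []

def flag_events(events):
    """Return {index: reasons} for every event that trips the heuristic."""
    return {i: r for i, ev in enumerate(events) if (r := assess_event(ev))}

# Constructed sample telemetry (hypothetical, not taken from Microsoft's report).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify"},
    {"parent": "explorer.exe", "image": "PowerShell.exe",
     "cmdline": "PowerShell.exe -w hidden -nop -enc QUFBQQ=="},
    {"parent": "devenv.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File build.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, reasons in flag_events(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", "; ".join(reasons))
```

In production the same logic would run against Sysmon Event ID 1 or Defender process telemetry rather than an inline list, and the threshold and patterns would be tuned against the environment's normal PowerShell usage.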
The FBI is continuing its investigation, and the Department of Justice has seized five additional domains tied to Lumma’s operations.
Microsoft’s DCU said it would continue innovating and collaborating to disrupt cybercrime and protect users worldwide. The takedown of Lumma follows a string of similar actions against malware networks, signalling a more proactive stance by tech firms and governments in combating cyber threats at scale.