
Microsoft and Authorities Collaborate in International Takedown of Lumma Stealer

Silviu STAHIE

May 22, 2025


An international operation has dismantled the infrastructure behind 'Lumma', one of the malware tools most widely used by cybercriminals to steal information such as passwords, credit card details, bank credentials and cryptocurrency wallet data, Microsoft has announced.

What Is Lumma Stealer?

Lumma Stealer, also known as LummaC2, is a Russian-developed information stealer that gained popularity among cybercriminals by promising quick results and ease of use. Because it is sold as malware-as-a-service, it was adopted quickly: customers did not need extensive technical knowledge to configure and deploy it.

Lumma is sold on underground forums and spread mainly through phishing campaigns. According to Microsoft, between March 16 and May 16, 2025, Lumma infected more than 394,000 Windows devices.

Coordinated Takedown

Microsoft's Digital Crimes Unit (DCU), in collaboration with Europol, the US Department of Justice, Japan's Cybercrime Control Center and other international law enforcement agencies, has carried out a complex operation against Lumma's infrastructure on several fronts:

  • Domain seizure: Following legal action filed by Microsoft, the authorities were able to seize, suspend or block approximately 2,300 malicious domains considered crucial to Lumma's operations. More than 1,300 of these domains are now redirected to Microsoft-controlled sinkhole servers, severing the malware's communication with its controlling servers.
  • Command-and-control disruption: Authorities have also dismantled Lumma's command-and-control systems, so the malware can no longer receive instructions or exfiltrate stolen data.
  • Marketplace interruption: Some of the platforms used to market and sell Lumma were disrupted as well.
  • Cloudflare's contribution: Cloudflare blocked the command-and-control domains and banned the accounts used to configure them.

Europol described Lumma as the world's most significant infostealer threat, highlighting the importance of this coordinated cybersecurity intervention.

"This operation is a clear example of how public-private partnerships are transforming the fight against cybercrime. By combining Europol's coordination capabilities with Microsoft's technical insights, a vast criminal infrastructure has been disrupted. Cybercriminals thrive on fragmentation – but together, we are stronger," said the head of Europol's European Cybercrime Centre, Edvardas Šileris.

In addition, the US Department of Justice (DOJ) seized the Lumma control panel, the component on which the Lumma marketplace depended.

The immediate result of the operation is that devices already infected with Lumma can no longer reach the command-and-control servers, so they receive no new instructions and send out no further data. That does not remove the malware from those machines or recover credentials that were exfiltrated before the takedown, so affected users still need to clean their systems and rotate exposed passwords. There is also a very high probability that the malware will adapt and return to the malware-as-a-service market, but for now this particular threat is contained.
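Because sinkholing cuts off the command channel but leaves infected machines in place, the practical follow-up for a defender is to find the hosts that are still trying to reach the seized domains or that now resolve them to a sinkhole address. The script below is an added example written for this article, not Microsoft's or the author's code: it parses resolver log lines in a constructed format, matches query names against a seized-domain list and answers against a sinkhole address range, and groups the hits per client. The domain names, the 192.0.2.0/24 sinkhole range and every log line are placeholders; the page does not list the real Lumma domains or sinkhole addresses, so these are assumptions for illustration only.

```python
"""Find hosts still beaconing to sinkholed C2 domains from DNS resolver logs.

Added example, not Microsoft's or Bitdefender's code. The domain list, the
sinkhole range and the log lines are constructed placeholders; the real seized
Lumma domains are not reproduced on the page.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical seized domains and sinkhole range (placeholders, not real IOCs).
SEIZED_DOMAINS = {"c2-alpha.example", "c2-beta.example"}
SINKHOLE_NETS = [ip_network("192.0.2.0/24")]  # TEST-NET-1, stands in for the real range

# Constructed log format: "<timestamp> client=<ip> q=<name> a=<answer-ip>"
LOG_RE = re.compile(r"^(\S+) client=(\S+) q=(\S+) a=(\S+)$")

# Constructed sample log; mixes clean lookups, seized-domain lookups and junk.
SAMPLE_LOG = """\
2025-05-22T10:00:01Z client=10.0.0.5 q=c2-alpha.example a=192.0.2.10
2025-05-22T10:00:07Z client=10.0.0.5 q=updates.example.net a=203.0.113.7
2025-05-22T10:01:15Z client=10.0.0.9 q=login.example.org a=203.0.113.8
2025-05-22T10:02:30Z client=10.0.0.12 q=c2-beta.example a=192.0.2.11
2025-05-22T10:03:00Z client=10.0.0.12 q=C2-ALPHA.EXAMPLE. a=192.0.2.10
this line is garbage and must be skipped
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot so matching is exact."""
    return name.rstrip(".").lower()


def in_sinkhole(ip):
    """True if the answer address falls inside a known sinkhole range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SINKHOLE_NETS)


def parse_line(line):
    """Parse one log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, answer = m.groups()
    return {"ts": ts, "client": client, "qname": normalize(qname), "answer": answer}


def find_beaconing_hosts(log_text, seized=SEIZED_DOMAINS, subdomains=True):
    """Map client IP -> list of (timestamp, queried name, reason) for suspicious lookups.

    A lookup is flagged when the name is a seized domain (or a subdomain of one,
    since stealer builds often use per-campaign subdomains) or when the answer
    lands in a sinkhole range, which also catches domains missing from the list.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name = rec["qname"]
        by_name = name in seized or (
            subdomains and any(name.endswith("." + d) for d in seized)
        )
        by_answer = in_sinkhole(rec["answer"])
        if by_name or by_answer:
            reason = "seized-domain" if by_name else "sinkhole-answer"
            hits[rec["client"]].append((rec["ts"], name, reason))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(client, len(events), "suspicious lookup(s)")
        for ts, name, reason in events:
            print("   ", ts, name, reason)
```

Matching on the answer address as well as the name matters because a seized-domain list is never complete; any lookup that resolves into the sinkhole range is worth triage regardless of the name. The obvious blind spot is a build that connects to a hard-coded IP address, which never appears in resolver logs, so this check complements, rather than replaces, egress and endpoint telemetry.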

Silviu STAHIE

Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
