Global Operation Takes Down Lumma Stealer Infrastructure in Major Blow to Infostealer Ecosystem
A coordinated international law enforcement and private sector effort has successfully dismantled the infrastructure of Lumma Stealer (also known as LummaC/LummaC2)—a widespread information-stealing malware responsible for infecting millions of Windows systems globally.

The U.S. Department of Justice (DoJ) confirmed the seizure of 2,300 domains that formed Lumma’s command-and-control (C2) backbone, used to exfiltrate sensitive data including credentials, browser autofill data, and crypto wallet seeds. The FBI estimates Lumma has infected over 10 million devices, with 394,000 infections detected between March and May 2025 alone.
Originally launched in late 2022, Lumma Stealer operates under a malware-as-a-service (MaaS) model, offering subscription plans ranging from $250 to $1,000, with a premium $20,000 package including source code access and resale rights. The tool is aggressively marketed on Telegram and Russian cybercrime forums by a developer known as “Shamel.”
Key Technical Details:
- Delivery: Uses phishing, malvertising, cracked software bundles, and ClickFix techniques.
- Hosting: Hosted fake reCAPTCHA lure pages via Oracle, Tigris, and Scaleway Object Storage.
- Infrastructure: Includes nine rotating tier-1 C2 domains, with fallbacks on Steam and Telegram, often protected by Cloudflare proxies.
- Distribution: Delivered via pay-per-install (PPI) networks and spoofed software downloads.
- Security Evasion: Employs advanced obfuscation, including LLVM-based obfuscation, control flow flattening, stack decryption, and dead code, to evade analysis.
Marketplace Presence:
- Over 21,000 listings for Lumma logs appeared on dark web markets between April and June 2024, a 72% increase year-over-year.
- Lumma's operators even created their own affiliate marketplace with a ratings system to facilitate stolen data sales.
Impact and Takeaways:
The infrastructure takedown involved Microsoft’s Digital Crimes Unit, alongside ESET, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, severing links between victims and Lumma’s C2 servers. Europol described Lumma as the most significant infostealer threat to date.
Despite the disruption, Microsoft cautions that Lumma’s operators may rebuild, given their history of rotating domains and abusing legitimate cloud services. The campaign’s resilience and scalability reflect a broader trend in cybercrime sophistication and reinforce the importance of industry collaboration and proactive defenses.
The Lumma developer previously hinted in an interview that operations would cease by Fall 2025, but the future of the operation remains uncertain.