Microsoft and the DOJ deliver a significant setback to the Lumma malware operation.


Microsoft, in collaboration with the U.S. Department of Justice (DOJ), has made a significant move to dismantle one of the most prevalent cybercrime tools currently in use. The company’s Digital Crimes Unit (DCU) worked together with the DOJ, Europol, and various global cybersecurity firms to disrupt the Lumma Stealer malware network, a malware-as-a-service (MaaS) platform linked to hundreds of thousands of digital breaches across the globe.

According to Microsoft, Lumma Stealer infected more than 394,000 Windows machines from March to mid-May 2025. This malware has been a popular choice among cybercriminals for stealing login credentials and sensitive financial data, including cryptocurrency wallets. It has been deployed in extortion campaigns targeting schools, hospitals, and infrastructure providers. The DOJ's website states, “the FBI has identified at least 1.7 million instances in which LummaC2 was utilized to steal this type of information.”

With a court order from the U.S. District Court for the Northern District of Georgia, Microsoft took down approximately 2,300 malicious domains linked to Lumma’s infrastructure. Simultaneously, the DOJ deactivated five key LummaC2 domains that served as command-and-control centers for cybercriminals operating the malware. These domains now redirect users to a government seizure notice.

International support was provided by Europol’s European Cybercrime Centre (EC3) and Japan’s JC3, which coordinated efforts to block regional servers. Cybersecurity companies such as Bitsight, Cloudflare, ESET, Lumen, CleanDNS, and GMO Registry assisted in identifying and dismantling the web infrastructure.

Understanding the Lumma operation:

Known as LummaC2, this operation has been active since 2022 or possibly earlier, selling its info-stealing malware via encrypted forums and Telegram channels. The malware is designed for user-friendliness and is often paired with obfuscation tools to evade antivirus detection. Distribution methods include spear-phishing emails, fake brand websites, and malicious online advertisements, termed “malvertising.”

Cybersecurity experts indicate that Lumma is particularly threatening as it enables criminals to quickly scale their attacks. Purchasers can customize payloads, monitor stolen data, and obtain customer support through a dedicated user panel. Microsoft Threat Intelligence has previously associated Lumma with the infamous Octo Tempest gang, also referred to as “Scattered Spider.” In one phishing campaign earlier this year, attackers were able to imitate Booking.com and utilized Lumma to collect financial credentials from unsuspecting victims.

Who is behind Lumma?

Authorities suspect that the developer of Lumma operates under the alias “Shamel” from Russia. In a 2023 interview, Shamel claimed to have 400 active clients, boasting about branding Lumma with a dove logo and the slogan: “Making money with us is just as easy.”

A focus on long-term disruption rather than full elimination:

While this takedown is noteworthy, experts warn that Lumma and similar tools are rarely completely eradicated. Nevertheless, Microsoft and the DOJ assert that these actions significantly disrupt criminal operations by severing their infrastructure and revenue sources. Microsoft plans to utilize the seized domains as sinkholes to gather intelligence and enhance protections for victims.

This situation underscores the imperative for international collaboration in combating cybercrime. DOJ officials highlighted the importance of public-private partnerships, while the FBI noted that court-sanctioned disruptions remain an essential strategy in the government’s cybersecurity efforts.

As Microsoft's DCU continues its initiatives, this Lumma crackdown sets a strong example of what can be accomplished through collaboration between industry and government experts to mitigate threats. As more such organizations are exposed and dismantled, it is crucial to protect yourself by frequently changing your passwords and refraining from clicking on links from unknown sources.
