Microsoft, in partnership with the U.S. Department of Justice (DOJ), took a major step in dismantling one of the most prolific cybercrime tools currently in circulation. Microsoft’s Digital Crimes Unit (DCU) collaborated with the DOJ, Europol, and several global cybersecurity firms to disrupt the Lumma Stealer malware network — a malware-as-a-service (MaaS) platform implicated in hundreds of thousands of digital breaches worldwide.
According to Microsoft, Lumma Stealer infected over 394,000 Windows machines between March and mid-May 2025. The malware has been a favored tool amongst cybercriminals for stealing login credentials and sensitive financial information including cryptocurrency wallets. It’s been used for extortion campaigns against schools, hospitals, and infrastructure providers. According to the DOJ website, “the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.”
With a court order from the U.S. District Court for the Northern Districts of Georgia, Microsoft took down roughly 2,300 malicious domains associated with Lumma’s infrastructure. The DOJ simultaneously took down five critical LummaC2 domains, which acted as command-and-control centers for cybercriminals deploying the malware. These domains now redirect to a government seizure notice.
International assistance came from Europol’s European Cybercrime Centre (EC3) and Japan’s JC3, who coordinated efforts to block regional servers. Cybersecurity firms like Bitsight, Cloudflare, ESET, Lumen, CleanDNS, and GMO Registry assisted in identifying and dismantling web infrastructure.
Inside the Lumma operation
Lumma, also known as LummaC2, has been operating since 2022, possibly earlier, and makes its info-stealing malware available for sale through encrypted forums and Telegram channels. The malware is designed for ease of use and is often bundled with obfuscation tools to help it bypass antivirus software. Distribution techniques include spear-phishing emails, spoofed brand websites, and malicious online ads known as “malvertising.”
Cybersecurity researchers say Lumma is particularly dangerous because it allows criminals to rapidly scale attacks. Buyers can customize payloads, track stolen data, and even get customer support via a dedicated user panel. Microsoft Threat Intelligence previously linked Lumma to notorious Octo Tempest gang, also known as “Scattered Spider.”
In one phishing campaign earlier this year, hackers were able to spoof Booking.com and used Lumma to harvest financial credentials from unsuspecting victims.
Who’s behind it?
Authorities believe the developer of Lumma goes by the alias “Shamel” and operates out of Russia. In a 2023 interview, Shamel claimed to have 400 active clients and even bragged about branding Lumma with a dove logo and the slogan: “Making money with us is just as easy.”
Long-term disruption, not a knockout
Image used with permission by copyright holder
While the takedown is significant, experts warn that Lumma and tools like it are rarely eradicated for good. Still, Microsoft and the DOJ say these actions severely hinder and disrupt criminal operations by cutting off their infrastructure and revenue streams. Microsoft will use the seized domains as sinkholes to gather intelligence and further protect victims.
This situation highlights the need for international cooperation in cybercrime enforcement. DOJ officials emphasized the value of public-private partnerships, while the FBI noted that court-authorized disruptions remain a critical tool in the government’s cybersecurity playbook.
As Microsoft’s DCU continues its work, this Lumma crackdown sets a strong precedent for what can be accomplished when industry and government specialists collaborate to eliminate threats.
As more of these organizations are uncovered and disrupted, remember to protect yourself by changing your passwords frequently and avoid clicking links from unknown senders.
