In a significant development against cybercrime, Microsoft has teamed up with the U.S. Department of Justice (DOJ) to disrupt one of the most widely used cybercrime tools in existence. The initiative, led by Microsoft’s Digital Crimes Unit (DCU), included collaboration with the DOJ, Europol, and a range of international cybersecurity firms to target the Lumma Stealer malware network. This malware-as-a-service (MaaS) platform has been linked to a substantial number of digital breaches globally.
According to Microsoft, the Lumma Stealer malware compromised over 394,000 Windows computers between March and mid-May 2025. This malware has become a popular choice among cybercriminals for stealing login details and sensitive financial information, including cryptocurrency wallets. It has been employed in extortion schemes targeting educational institutions, hospitals, and critical service providers. The DOJ reported that “the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.”
With authorization from the U.S. District Court for the Northern District of Georgia, Microsoft dismantled approximately 2,300 malicious domains linked to Lumma’s operations. Concurrently, the DOJ shut down five key LummaC2 domains, which served as command-and-control hubs for cybercriminals utilizing the malware. These domains have since been redirected to a government seizure notice.
International support came from Europol’s European Cybercrime Centre (EC3) and Japan’s JC3, which helped coordinate efforts to block essential regional servers. Leading cybersecurity firms, including Bitsight, Cloudflare, ESET, Lumen, CleanDNS, and GMO Registry, aided in identifying and dismantling the malware’s web architecture.
Understanding the Lumma Operation
Lumma, also referred to as LummaC2, has been operational since 2022, if not earlier, offering its information-stealing malware for sale through encrypted forums and Telegram channels. Designed for user-friendliness, the malware is often packaged with obfuscation tools to evade antivirus detection. Distribution methods include spear-phishing emails, counterfeit brand websites, and malicious online advertisements known as “malvertising.”
Cybersecurity experts consider Lumma particularly dangerous because it lets its customers scale cyberattacks quickly. Buyers of the malware can customize their payloads, monitor stolen data, and even access customer support through a dedicated user interface. Microsoft Threat Intelligence has previously connected Lumma to the infamous Octo Tempest gang, also known as “Scattered Spider.”
In a phishing attack earlier this year, attackers impersonated Booking.com and used Lumma to collect financial credentials from unsuspecting users.
Who Is Behind It?
Authorities believe the mastermind of Lumma goes by the alias “Shamel” and hails from Russia. In a 2023 interview, Shamel claimed to have 400 active clients and boasted about branding Lumma with a dove logo and the slogan: “Making money with us is just as easy.”
Long-Term Disruption, Not a Knockout
While this operation marks a significant blow to Lumma, experts caution that malware like this is rarely completely eradicated. Nevertheless, Microsoft and the DOJ emphasize that their actions drastically disrupt criminal activities by cutting off essential infrastructure and revenue streams. Microsoft plans to utilize the seized domains as sinkholes to gather intelligence and further protect potential victims.
This situation underscores the necessity of international cooperation in combating cybercrime. Officials from the DOJ highlighted the importance of public-private partnerships, while the FBI noted that court-authorized interventions remain a vital strategy in the government’s cybersecurity efforts.
As Microsoft’s DCU continues its initiatives, the Lumma crackdown sets a powerful example of what industry and government specialists can achieve together in addressing these pressing threats. As more of these operations are uncovered and neutralized, individuals should still look after their own security by changing passwords frequently and being cautious of links from unrecognized sources.