On 21 May, a major international law enforcement coalition, including Europol, the FBI, and Microsoft, announced a coordinated operation targeting the notorious Lumma infostealer, a malware-as-a-service platform responsible for widespread credential theft.
The operation, which began on 15 May, confiscated a whopping 2,500 domains associated with Lumma and wiped its main server and backups through a vulnerability in Integrated Dell Remote Access Controller (iDRAC).
Lumma, one of the most prolific infostealers, has been leveraged by both common cybercrooks and elite threat groups such as Scattered Spider, Angry Likho, and CoralRaider.
The takedown’s immediate impact was evident as Lumma customers flooded dark web forums, reporting loss of access to the malware’s command and control infrastructure and management dashboards.
Despite these hurdles, Lumma’s developer quickly responded, claiming that core infrastructure (particularly servers registered in Russia) remained up and running. The developer assured users via Telegram that operations had resumed, with no arrests reported and systems allegedly restored.
According to Check Point Research, one sign that the Lumma infostealer is down but not out is that information purloined from compromised machines is still appearing on the online market. “For example, two days after the operation, an automated Telegram bot that sells stolen credentials obtained by Lumma offered 95 logs from 41 countries for sale. As of May 29, the same bot contains 406 logs, showing a steady increase.”
However, law enforcement activity went beyond technical disruption: authorities built phishing login pages to capture Lumma customers’ credentials and digital footprints, and even planted JavaScript snippets in hijacked dashboards aimed at accessing users’ webcams, in an attempt to seed distrust and psychological pressure within the criminal community.
While some cybercrime forum users predict Lumma may be forced to go private or shut down, others believe the takedown will have little long-term effect. Evidence suggests Lumma remains operational, as stolen credentials continue to surface on underground markets and automated Telegram bots, with logs from compromised computers appearing for sale just days after the operation.
The real test for Lumma lies in its reputation. Although technical infrastructure can be rebuilt, restoring trust among affiliates and customers (damaged by law enforcement’s psychological tactics) may prove far more difficult.
“This isn’t just a technical takedown, it’s a reputational war,” said Sergey Shykevich, Threat Intelligence Group Manager at Check Point. “Lumma’s developers are trying to act like it’s business as usual, but trust in the malware-as-a-service underworld is fragile. The next few weeks will be critical.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.