Microsoft’s Digital Crimes Unit (DCU), working in concert with law enforcement and cybersecurity partners worldwide, has dismantled the infrastructure behind Lumma Stealer, one of the most prolific tools used by cybercriminals to steal sensitive personal and organizational data.
The coordinated takedown, which culminated on 13 May, involved legal action filed in the U.S. District Court for the Northern District of Georgia. Microsoft obtained a court order to seize, suspend, and block nearly 2,300 malicious domains powering the Lumma Stealer malware, a tool responsible for hundreds of thousands of infections across the globe.
Simultaneously, the U.S. Department of Justice seized Lumma’s central command infrastructure and disrupted illicit marketplaces where the malware was sold.
Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) also played key roles in suspending Lumma infrastructure hosted within their jurisdictions.
A Global Threat Dismantled
Lumma Stealer, categorized as Malware-as-a-Service (MaaS), has been active since at least 2022. It is used by cyber threat actors to steal login credentials, financial information, cryptocurrency wallets, and other sensitive data, enabling a range of criminal activity from bank fraud to ransomware attacks targeting schools and critical infrastructure.
Between 16 March and 16 May 2025, Microsoft detected more than 394,000 Windows systems infected with Lumma. The company worked alongside partners to cut off communication between compromised devices and Lumma’s servers. Over 1,300 domains were redirected to Microsoft-operated “sinkholes,” which will now collect intelligence to bolster defenses for Microsoft users and assist law enforcement with ongoing investigations.
This is a major step forward in disrupting the global cybercrime economy. By cutting off access to one of the most widely used info-stealers, Microsoft is making it harder and more expensive for attackers to continue their campaigns.
High-Profile Campaigns and Critical Targets
Lumma has been linked to several high-profile cybercrime campaigns. One incident occurred in March 2025, when Microsoft Threat Intelligence identified a phishing campaign impersonating Booking.com. The attack used Lumma, among other malware, to steal credentials and commit financial fraud. Targets have included gaming communities, educational institutions, and critical sectors such as finance, telecommunications, logistics, manufacturing, and healthcare.
Lumma is typically distributed through spear-phishing emails, fake advertisements (malvertising), and counterfeit software downloads. The malware masquerades as trusted brands like Microsoft to bypass security systems and lure victims into clicking malicious links or attachments.
A Professional Criminal Enterprise
Behind Lumma is an actor who goes by the alias “Shamel,” believed to be operating out of Russia. Shamel has marketed different subscription tiers for Lumma via Telegram and other underground forums, with packages ranging from $250 to $20,000. Higher-tier subscriptions offered advanced features, including the ability to analyze stolen data and evade detection, and even included full access to the malware’s source code.
In a 2023 interview with a cybersecurity researcher, Shamel claimed to have “about 400 active clients.” Lumma’s branding (a bird symbol with a slogan promising easy profits) mimicked the image of a legitimate tech business, reflecting how modern cybercriminals use commercial strategies to attract and retain customers.
The fact that a criminal enterprise like this can operate openly highlights the dire need for international cooperation and enforcement.
A Model for Disruption
Microsoft’s takedown of Lumma demonstrates the effectiveness of public-private partnerships in cybersecurity. The operation was supported by cybersecurity companies including ESET, BitSight, Cloudflare, Lumen, CleanDNS, and GMO Registry, each of which contributed to rapidly taking down infrastructure linked to Lumma.
The DCU emphasized that disrupting access to a tool like Lumma deals a heavy blow to hundreds of malicious actors at once. Rebuilding the infrastructure and reestablishing operations takes time, money, and effort, and buys defenders time to strengthen protections.
Microsoft has deployed a seizure notice across more than 900 domains that were used by Lumma, alerting visitors that the domains have been taken down as part of a joint action to combat cybercrime.
Ongoing Vigilance
Despite this success, Microsoft cautions that cybercriminals are persistent and continually adapt.
To help mitigate future risks, Microsoft advises organizations and individuals to implement multi-factor authentication (MFA), regularly update anti-malware solutions, and exercise caution when handling email attachments or clicking unknown links.
Security professionals can access more detailed guidance and technical information about Lumma and similar threats through Microsoft’s official threat intelligence channels.
Highly Adaptive Tactics
Rhys Downing, Threat Researcher at Ontinue, says the coordinated disruption of Lumma Stealer is a major step in combating malware-as-a-service (MaaS) and highlights the power of collaboration between law enforcement and industry.
“That said, Lumma’s tactics and infrastructure are highly adaptive. These takedowns are impactful, but threat actors often respond quickly with rebrands, new delivery methods, and rebuilt infrastructure. With the pricing of Lumma as a MaaS offering, they likely have the funds to bounce back.”
Downing says it’s essential that organizations implement and maintain strong detections to keep pace with the ongoing evolution of malware threats.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.