Data theft: Microsoft highlights cyberattack affecting nearly 400,000 PCs

Lumma Stealer, a malware widely used by cybercriminals, has just been dismantled. Following an operation led by the US justice system, Europol, and the Japanese Cybercrime Control Center, the malware's infrastructure was taken down. Several actors took part in the operation, starting with Microsoft. Companies such as ESET and Cloudflare also participated in the dismantling of the formidable virus.

Russian malware specialized in data theft

Active since 2022, Lumma Stealer was designed by a Russian developer who goes by the name Shamel. The virus is a MaaS (Malware-as-a-Service), a malicious tool sold as a subscription to other cybercriminals. Subscriptions sold for between $250 and $20,000 per month, the most comprehensive offers including a control and configuration panel for the virus. Shamel claimed to have more than 400 customers. The subscription is offered through Telegram, the preferred messaging service for cybercriminals.

Lumma Stealer specializes in stealing sensitive information, including passwords, logins, cookies, credit card information, cryptocurrency wallet private keys, and entire browsing history. Once collected, the data is placed in an archive that is quickly sent to servers under the hackers' control. According to Microsoft, the malware was "the preferred malware used to steal data by hundreds of cybersecurity threat actors." Compatible with both Windows and macOS, the virus has been implicated in numerous cyberattacks against a wide variety of targets, including schools, bank accounts, and individuals, and was most often spread in fraudulent emails. In the past, the virus has been found in emails impersonating Booking, the hotel booking platform.

The malware has been used by cybercriminals from the FIN7 gang to trick users into using fake deepfake generators. This year, Lumma was also involved in a coordinated attack by two gangs against Windows computers. A few months earlier, the virus was behind a wave of data theft on Windows. Hidden in malicious advertisements, the virus managed to steal the data of many Internet users, especially video game enthusiasts.

Nearly 400,000 PCs infected with Lumma

Between March 16 and May 16, 2025, Microsoft counted more than 394,000 Windows computers affected by Lumma worldwide. Most of the PCs were located in the United States, Mexico, Brazil, Western Europe, and Japan. Once installed on a computer, Lumma can steal sensitive data from web browsers. Lumma primarily targets browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and others based on the Chromium rendering engine.

The takedown of Lumma Stealer began with a lawsuit filed by Microsoft in the United States on May 13, 2025. The U.S. federal justice system quickly decided to conduct a major operation to stop the virus's activities. In "collaboration with law enforcement and industry partners", Microsoft managed to "cut off communications between the malicious tool and the victims", explains Steven Masada, assistant general counsel for Microsoft's digital crimes unit.

Infrastructure dismantled... but soon to return?

The Redmond company managed to block, suspend, or remove approximately 1,300 websites that made up Lumma's main infrastructure. At the same time, the US justice system took control of the Lumma ecosystem's command center, disrupting the platform's use for reselling data stolen by the virus. As Cloudflare explains, "the operation to dismantle Lumma Stealer deprives its operators of access to their command interface, the stolen data marketplace, and the online infrastructure used to collect and manage this information." It was a "hub for the purchase and sale of malware," Europol emphasizes. ESET believes that it contributed "directly to the proliferation of identity theft, banking fraud, and extortion."

The hackers are forced to "rebuild their services on an alternative infrastructure." Microsoft states that "this coordinated action aims to slow the pace of attacks, reduce their effectiveness, and limit the illegal gains of cybercriminals by cutting off one of their main sources of income." The entities involved in the operation suggest that it is not impossible that the hackers will eventually rebuild an infrastructure around Lumma Stealer. As Microsoft emphasizes, "cybercriminals are persistent and creative." The virus could therefore make a comeback in the future.

Source: Europol
