Microsoft Dismantles Lumma Stealer Network, Seizes 2,000+ Domains

Microsoft disrupts Lumma Stealer network, seizing 2,000 domains linked to 394,000 infections in global cybercrime crackdown with law enforcement partners.

HackRead

Microsoft, in a global takedown with support from international law enforcement agencies, has disrupted a major malware distribution network responsible for widespread credential theft, financial fraud, and ransomware attacks. The operation targeted Lumma Stealer, an infostealer malware used by hundreds of threat actors to steal sensitive information from nearly 400,000 infected Windows devices.

This coordinated effort involved Microsoft’s Digital Crimes Unit (DCU), the US Department of Justice, Europol, and cybersecurity partners across the private sector. Together, they seized more than 2,300 domains and dismantled Lumma’s infrastructure, severing the connection between attackers and their victims.

**A Malware-as-a-Service Operation with Global Reach**

Lumma Stealer has been marketed through underground forums since at least 2022 as a plug-and-play solution for cybercriminals looking to steal everything from passwords and credit card numbers to crypto wallets and banking credentials. Its ease of use and adaptability helped it gain traction among threat actors, including high-profile ransomware groups like Octo Tempest.

The tool is often spread through phishing campaigns, malvertising, and malware loaders. In one campaign earlier this year, attackers impersonated Booking.com to lure victims into downloading malware-laced files, a tactic that continues to fool even experienced users.

Microsoft’s Threat Intelligence team has tracked Lumma’s activities closely, identifying widespread infection patterns from March through May 2025. Heat maps shared by the company illustrate the global footprint of this malware, with heavy concentrations of infected devices in North America, Europe, and parts of Asia.

**Legal Action and Infrastructure Seizure**

According to Microsoft’s blog post, on May 13, Microsoft filed legal action in the US District Court for the Northern District of Georgia, securing a court order to block and seize the malicious domains linked to Lumma’s command structure. Simultaneously, the DOJ took control of the central infrastructure, and law enforcement agencies in Europe and Japan shut down local servers supporting the operation.

More than 1,300 domains have already been redirected to Microsoft-controlled servers, known as sinkholes, which now gather intelligence to help protect users and support ongoing investigations. This move cuts off the malware’s ability to transmit stolen data or receive instructions from attackers.
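Sinkholing works for defenders in the other direction too: once seized domains point at sinkhole servers, any host on a network that still resolves them is almost certainly infected. The following is an added example (not from the article, Microsoft, or the takedown partners) showing that check run over constructed DNS resolver log lines. The domain watchlist uses placeholder names under the reserved `.invalid` TLD; in practice it would be populated from the indicators published with the takedown.

```python
"""Flag hosts that still query domains seized in a takedown.

Added example, not code from the HackRead article or Microsoft.
After a takedown the C2 domains resolve to sinkholes, so a host that
keeps querying them is a likely infection. The watchlist and the log
lines below are constructed placeholders.
"""
import re
from collections import defaultdict
from typing import Optional

# Constructed placeholder watchlist (hypothetical names, not real IoCs).
SEIZED_DOMAINS = {
    "example-c2-one.invalid",
    "example-c2-two.invalid",
}

# Constructed resolver log in a simple space-separated format:
# timestamp client_ip qname qtype
SAMPLE_LOG = """\
2025-05-22T10:00:01Z 10.0.0.15 www.example.com A
2025-05-22T10:00:02Z 10.0.0.23 example-c2-one.invalid A
2025-05-22T10:00:05Z 10.0.0.23 cdn.example-c2-two.invalid A
2025-05-22T10:00:07Z 10.0.0.40 mail.example.org MX
2025-05-22T10:00:09Z 10.0.0.23 example-c2-one.invalid A
2025-05-22T10:00:11Z 10.0.0.51 EXAMPLE-C2-TWO.INVALID A
malformed line
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def matches_watchlist(qname: str, watchlist=SEIZED_DOMAINS) -> Optional[str]:
    """Return the watchlisted domain that qname equals or is a subdomain of."""
    name = qname.lower().rstrip(".")  # DNS names are case-insensitive
    labels = name.split(".")
    # Test every suffix so subdomains of a seized domain are caught as well.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def find_beaconing_hosts(log_text: str, watchlist=SEIZED_DOMAINS) -> dict:
    """Map client IP -> {seized domain -> query count} for matching queries."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname, _qtype = m.groups()
        hit = matches_watchlist(qname, watchlist)
        if hit:
            hits[client][hit] += 1
    return {ip: dict(d) for ip, d in hits.items()}


if __name__ == "__main__":
    for ip, domains in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(ip, domains)
```

The suffix walk in `matches_watchlist` matters because infostealers commonly rotate subdomains under one registered domain; an exact-match lookup would miss `cdn.example-c2-two.invalid` even though its parent is on the list. Hosts returned by `find_beaconing_hosts` are candidates for isolation and credential reset, which is the victim follow-up the article's sources call for.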

**The Business Behind the Malware**

Lumma wasn’t just malware; it was a business. Sold under a tiered subscription model, it offered services ranging from basic credential theft tools for $250 to full source code access for $20,000. Its creator, known online as “Shamel,” ran the operation like a startup, promoting Lumma with a distinctive bird logo and slogans that downplayed its malicious intent.

In a 2023 interview with a security researcher, Shamel claimed to have 400 active customers. His public presence, despite his involvement in widespread fraud, reflects a broader issue: cybercriminals operating with impunity in jurisdictions that don’t prioritize enforcement or international cooperation.

**Industry Response and Moving Forward**

The effort to dismantle Lumma drew support from a wide range of companies, including ESET, Cloudflare, Lumen, CleanDNS, BitSight, and GMO Registry. Each played a role in identifying infrastructure, sharing threat intelligence, or executing takedowns quickly and efficiently.

Notice on the sites seized by authorities (Via Microsoft)

“This shows how powerful the combination of law enforcement and industry can be,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Massachusetts-based cybersecurity firm. “Dismantling this operation will protect hundreds of thousands of people. But just as important is the follow-up, making sure victims are alerted and supported.”

Richards added that the growth of the Malware-as-a-Service market in recent years requires consistent collaboration across sectors to limit the damage from such tools.

**What You Can Do**

While this operation disrupted one of the most widespread info-stealers online, Lumma is just one of many threats targeting users every day. Microsoft and security professionals advise the public to:

  • Be cautious with email links and attachments
  • Use reputable antivirus and anti-malware tools
  • Keep operating systems and software updated
  • Enable multi-factor authentication wherever possible

Lumma Stealer was a favourite among cybercriminals because it worked, and it worked at scale. By shutting down its infrastructure, Microsoft and its partners have disrupted the ability of malicious actors to operate efficiently. But as long as cybercrime remains profitable, the fight continues.
