A coalition of tech partners and law enforcement, led by Microsoft’s Digital Crimes Unit (DCU), has taken down the dangerous Lumma Stealer malware-as-a-service operation. This malware has been crucial for many cybercriminal groups, including ransomware gangs.
Earlier this May, with a court order from the Northern District of Georgia, the DCU seized about 2,300 malicious domains linked to Lumma. Steven Masada, assistant general counsel at the DCU, stated, “Lumma steals passwords, credit cards, bank accounts, and cryptocurrency wallets. It has enabled criminals to ransom schools, drain bank accounts, and disrupt critical services.”
The US Department of Justice targeted the central command structure of the operation while Europol’s European Crime Centre and Japan’s Cybercrime Control Centre focused on local infrastructures. Edvardas Šileris from Europol described this operation as a strong example of how public-private partnerships enhance the battle against cybercrime. “Cybercriminals thrive on fragmentation,” he noted, “but together, we are stronger.”
In a blog post, Masada shared that Microsoft identified over 394,000 infected Windows computers over two months. With the seized domains now out of the operators' hands, those systems can no longer reach Lumma's command infrastructure, severing the malware's communication with them.
As part of the joint effort, around 1,300 seized domains, including 300 acted upon by Europol, now redirect to Microsoft’s sinkholes. This allows the DCU to gather critical intelligence and improve security for users.
Lumma first appeared about three years ago and has undergone continuous development. Based in Russia and run by a developer known as “Shamel,” it offers four service tiers, priced from $250 to $20,000; the top tier grants buyers access to its source code and the right to resell it. Shamel claimed to have around 400 active users in 2023.
When deployed, Lumma aims to monetize stolen data and continues to be a go-to tool for many notorious cybercriminals. It lures victims by spoofing trusted brands and spreads via phishing and malvertising. Blake Darché, head of Cloudforce One at Cloudflare, emphasized Lumma’s reach, saying it gathers every bit of information from infected computers.
“This disruption set back their operations significantly,” Darché added. But he warned that, like all cybercriminals, those behind Lumma are likely to adapt and return.