Lumma Stealer dismantled: Microsoft strikes a major blow against international cybercrime
Author
NEXT2i
Date Published
On May 13, 2025, Microsoft's Digital Crimes Unit (DCU) filed the legal action that launched a major international operation to dismantle Lumma Stealer, an information-stealing malware used at scale by cybercriminals around the world. In coordination with the courts, Europol, the U.S. Department of Justice (DOJ), and several private partners, the company took down the malware's core infrastructure and cut it off from the machines it had infected.
Lumma Stealer: Malware Serving Organized Cybercrime
Lumma, also known as Lumma Stealer, is a Malware-as-a-Service (MaaS) offering that has been sold on underground cybercrime forums since at least 2022. Its customers use it to harvest sensitive data from infected Windows machines: account credentials and browser-saved passwords, credit-card and banking details, and cryptocurrency wallets, among other things.
Its popularity stems from how easily it can be distributed, its ability to evade some security controls, and the difficulty of detecting it once it is running. Its victims have included schools locked out of their systems, disrupted critical services, private companies, and healthcare institutions.
Coordinated Judicial and Technical Action
Under a court order from the U.S. District Court for the Northern District of Georgia, Microsoft seized, or had registrars suspend and block, approximately 2,300 malicious domains used by Lumma. The DOJ, for its part, seized the malware's central command infrastructure, while Europol's European Cybercrime Centre (EC3) and the Japan Cybercrime Control Center (JC3) facilitated the suspension of infrastructure hosted in their regions.
This action was complemented by redirecting over 1,300 domains to sinkhole servers operated by Microsoft. Because the infected machines keep beaconing to the same domain names, they now reach Microsoft instead of the operators: the command-and-control channel is cut, stolen data can no longer be exfiltrated, and each connection attempt reveals an infected host, which gives defenders the information needed to notify victims and track the infection base over time.
A Global Impact: Hundreds of Thousands of Infected Machines
Between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers infected by Lumma. Together with its public and private partners, it worked to sever communication between the malware and those victims. The data collected through the sinkholes is used to improve threat detection, notify victims, and strengthen the resilience of IT systems.
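The paragraphs above describe what a sinkhole yields once redirected domains start receiving beacons from infected hosts. The following is an added illustration, not Microsoft's or the DCU's tooling: it parses a constructed sinkhole connection log, counts distinct infected source IPs per sinkholed domain, and inverts the result into per-victim notification records. The domain names (in the reserved .invalid TLD) and the IP addresses (documentation ranges) are placeholders, not Lumma indicators, and the log format is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical sinkholed domains (placeholders, not real Lumma indicators).
SINKHOLED_DOMAINS: Set[str] = {"panel-one.invalid", "panel-two.invalid"}

# Constructed sinkhole connection log, one hit per line:
# "<ISO timestamp> <source IP> <requested host>". The IPs are taken from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
2025-05-21T10:00:01Z 203.0.113.10 panel-one.invalid
2025-05-21T10:00:05Z 203.0.113.10 panel-one.invalid
2025-05-21T10:01:12Z 198.51.100.7 panel-two.invalid
2025-05-21T10:02:30Z 203.0.113.10 PANEL-TWO.invalid.
2025-05-21T10:03:00Z 198.51.100.8 unrelated.invalid
this line is malformed and must be skipped
2025-05-21T10:04:44Z not-an-ip panel-one.invalid
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<host>\S+)$")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one log line into (timestamp, ip, host); None if it is unusable.

    The IP field is validated (and IPv6 canonicalised) so junk is never
    counted as a host; the host is lower-cased and the trailing FQDN dot
    stripped so it compares exactly against the sinkhole list.
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ip = str(ip_address(m.group("ip")))
    except ValueError:
        return None
    host = m.group("host").lower().rstrip(".")
    return m.group("ts"), ip, host


def aggregate_hits(log_text: str, sinkholed: Set[str]) -> Dict[str, Set[str]]:
    """Map each sinkholed domain to the distinct source IPs that contacted it.

    Hits for hosts outside the sinkhole list are ignored: a sinkhole also
    receives unrelated traffic (scanners, typo domains), and counting it
    would overstate the victim population.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, ip, host = parsed
        if host in sinkholed:
            hits[host].add(ip)
    return dict(hits)


def victim_report(hits: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Invert the aggregation: each infected source IP -> sinkholed domains it reached.

    One record per IP is what a notification workflow hands to the owning
    network's abuse contact; a machine beaconing to several sinkholed
    domains appears once.
    """
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for host, ips in hits.items():
        for ip in ips:
            by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in sorted(by_ip.items())}


def infected_host_count(hits: Dict[str, Set[str]]) -> int:
    """Distinct source IPs across all sinkholed domains.

    This is a lower bound: NAT and carrier-grade NAT hide many devices
    behind a single address.
    """
    return len(set().union(*hits.values()))


if __name__ == "__main__":
    hits = aggregate_hits(SAMPLE_LOG, SINKHOLED_DOMAINS)
    for host, ips in sorted(hits.items()):
        print(f"{host}: {len(ips)} distinct source IP(s)")
    print(f"{infected_host_count(hits)} infected host(s) to notify")
    for ip, hosts in victim_report(hits).items():
        print(f"  {ip} -> {', '.join(hosts)}")
```

Two details matter in practice: only hosts on the sinkhole list count, because a sinkhole attracts background noise that is not an infection, and the per-IP total is a floor rather than an exact machine count, since several devices usually share one public address.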
A Structured Market Behind Lumma
Lumma's developer, operating under the pseudonym "Shamel", is based in Russia and markets the service through Telegram and other Russian-language forums. Depending on the subscription tier purchased, customers can build their own variants of the malware, add tools to conceal and distribute it, and track the stolen data through an online dashboard. This commercial approach makes Lumma a true "product", complete with a logo, slogan ("making money is child's play"), and branding, and illustrates the worrying professionalization of cybercrime.
Examples of Lumma Usage: Phishing, Ransomware, Strategic Targeting
Lumma has been used in numerous malicious campaigns, including:
A targeted phishing attack in March 2025, impersonating Booking.com.
Campaigns against online gamers, educational institutions, and healthcare services.
Use by ransomware actors such as Octo Tempest (also tracked as Scattered Spider).
Its distribution vectors include spear-phishing, malvertising, and the impersonation of trusted brands such as Microsoft.
Collective Action to Weaken the Cybercriminal Ecosystem
This takedown illustrates the importance of public-private partnerships. Microsoft acknowledges the cooperation of numerous companies, including ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry, which played a key role in the rapid deactivation of the Lumma infrastructure.
The effect is concrete: depriving cybercriminals of a widely used tool slows their operations, forces them to rebuild infrastructure at their own expense, and undermines the business model behind the service.
Conclusion: A Strong Signal, But Constant Vigilance Required
The fight against malware like Lumma cannot rely on a single action. Microsoft, through its Digital Crimes Unit, affirms its commitment to continuing efforts to disrupt key cybercrime tools, protect critical infrastructure, and ensure a safer internet for all.
This operation shows that with coordinated actions, adapted tools, and strong political will, it is possible to deal significant blows to the cybercriminal ecosystem.