By Matt Soseman Originally posted4 Jan 2022In a major win for taking on cybercrime, Microsoft Digital Crimes Unit (DCU) has led a global operation to disrupt the infrastructure of Lumma Stealer, a notorious information-stealing malware.
This global operation, designed to bring down critical infrastructure used by cyber criminals to conduct malware attacks, involved the cooperation of international law enforcement agencies such as the U.S. Dept of Justice (DOJ), Europol and Japan’s National Police Agency (NPA) and its corresponding Law Enforcement Task force (JC3).
A highly popular password and information-stealing malware has returned in a new phishing campaign that has been spreading over the past few days and has managed to infect tens of thousands of machines. During the 2 month period of March 16 to May 16, 2025, Microsoft found more than 394,000 infected machines worldwide.
The malware has also been linked to more aggressive cyberattacks such as ransomware drops and intrusions into critical infrastructure areas such as finance, healthcare, and education.
The joint action led to a court order allowing Microsoft to disable and seize control of more than 2,300 internet domains that were part of the key infrastructure used by Lumma.
At the same time, the DOJ commandeered Lumma’s center of operations and shut down the marketplaces where the malware was being marketed and provided to others looking to inflict harm. Europol and JC3 worked together to disrupt Lumma infrastructure locally within the two jurisdictions.
Over 1,300 of the seized domains have been redirected by Microsoft to its sinkholes, enabling the company to track the continuing malware activity and identify case-critical intelligence to better protect our customers, and assist partners and law enforcement in efforts to combat threats.
The FBI has seized control of at least one of Lumma’s Telegram channels, issuing a message confirming the server seizure and claiming that user data is now under the control of U.S. law enforcement.
Experts note that while this takedown is a significant disruption to the Lumma Stealer network, cybercriminals are generally pretty resilient. Companies and individuals are advised to remain vigilant by deploying multi-factor authentication, keeping security solutions updated, and be wary of attachments and unknown links.
This global operation provides clear evidence that it is possible to take down cyber criminals, no matter where they are operating from, and is a good illustration of what can be secured when the public and private sectors join forces.
