Authorities Carry Out Elaborate Global Takedown of Infostealer Heavily Used by Cybercriminals
A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma, one of the most popular infostealers worldwide. Developed in Russia, Lumma has been used by hundreds of cyber threat actors to steal passwords, credit card and banking information, and cryptocurrency wallet details.
Lumma has provided cybercriminals with the information and credentials they needed to drain bank accounts, disrupt services, and carry out data extortion attacks against schools, among other things. Microsoft’s Digital Crimes Unit (DCU) obtained an order from a United States district court last week to seize and take down about 2,300 domains underpinning Lumma’s infrastructure.
At the same time, the US Department of Justice seized Lumma’s command-and-control infrastructure and disrupted cybercriminal marketplaces that sold the Lumma malware. All of this was coordinated with disruption of regional Lumma infrastructure by Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center.
Why Was Lumma So Popular Among Cybercriminals?
Microsoft lawyers say that Lumma, also known as LummaC2, has spread so broadly because it is “easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses.”
"In 2025, probably following Redline’s disruption and Lumma’s own development, it has ranked as the most active module, indicating its growing popularity and widespread adoption among cybercriminals," says Victoria Kivilevich, director of threat research at security firm Kela.
How Did Cybercriminals Distribute Lumma?
Attackers distribute Lumma mainly through targeted phishing campaigns that impersonate established companies and individuals. They also spread it by other means, such as exploiting vulnerabilities in software and hardware.
"This brings us good income," an administrator of Lumma told 404Media and WIRED last year, referring to the resale of stolen login data. The administrator, who goes by Shamel, markets different tiers of service for Lumma via Telegram and other Russian-language chat forums.
What Can We Learn From This Takedown?
The takedown of Lumma highlights the growing importance of infostealers in cybercrime. Despite international efforts to crack down on these types of malware, they continue to be popular among cybercriminals due to their ease of use and effectiveness.
What's Next for Infostealers?
"Even if the landscape ultimately shifts due to the evolution of defenses, the growing prominence of infostealers over the past few years suggests they are likely here to stay for the foreseeable future," says Ian Gray, director of analysis and research at the security firm Flashpoint.
As one Lumma administrator put it, law enforcement action against a particular infostealer does not mean that similar malware will be abandoned. Infostealer use has exploded in recent years, and, with the operator base and the market for stolen logs still in place, these tools are likely to remain a threat for the foreseeable future.
The Consequences of an Infostealer Infection
For victims, an infostealer infection can have serious consequences, including financial loss, identity theft, and reputational damage. The stolen logs are also valuable well beyond petty fraud. As Gray notes, "Even advanced threat actor groups are leveraging infostealer logs, or they risk burning sophisticated tactics, techniques, and procedures."
A Call to Action
"We're now seeing infostealers not just evolve technically, but also play a more central role operationally," says Patrick Wardle of the security firm DoubleYou. "Even nation-state actors are developing and deploying them."
As the threat landscape continues to evolve, individuals and organizations should treat infostealers as an active, ongoing threat rather than a one-off problem solved by this takedown, and put in place the basics that blunt them: phishing-resistant multifactor authentication, prompt rotation of any credentials or session tokens found in stolen-log datasets, and monitoring for the abuse of exposed accounts.