394,000 Windows devices have been infected with Lumma Stealer malware – now Microsoft is hitting back

Microsoft and Europol are fighting back against the Lumma Stealer malware


Threat actors behind the Lumma Stealer malware have been dealt a serious blow following a joint operation between Microsoft and Europol.

In an announcement, Europol’s European Cybercrime Centre and Microsoft said they have cut off communications between the malicious tool and its victims and have seized more than 1,300 domains.

The seized domains have been transferred to Microsoft, Europol confirmed, which will in turn redirect them to 'sinkholes' where they can be used for research purposes.

"This operation is a clear example of how public-private partnerships are transforming the fight against cyber crime," said Edvardas Šileris, head of Europol’s European Cybercrime Centre.

"By combining Europol’s coordination capabilities with Microsoft’s technical insights, a vast criminal infrastructure has been disrupted. Cybercriminals thrive on fragmentation – but together, we are stronger."

Lumma is a Malware as a Service (MaaS) offering for cyber criminals which has been marketed and sold through underground forums since at least 2022. Several new enhanced versions have been distributed since its first release, posing a serious risk to enterprises globally.

The malware service comes with different tiers, marketed via Telegram and other Russian-language chat forums. Users can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal.

"Lumma is easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses, making it a go-to tool for cyber criminals and online threat actors, including prolific ransomware actors such as Octo Tempest (Scattered Spider)," said Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit.

"The malware impersonates trusted brands, including Microsoft, and is deployed via spear-phishing emails and malvertising, among other vectors."

Lumma Stealer infections are rampant

According to Europol, between 16 March and 16 May 2025, more than 394,000 Windows computers globally were infected with the Lumma malware. Passwords, credit cards, bank account details, and cryptocurrency wallets were harvested and sold through a dedicated marketplace.

The main developer of Lumma is based in Russia and goes by the alias 'Shamel'; in November 2023 he told a cybersecurity researcher that he had around 400 active clients.

This operation is just the latest in a series of law enforcement crackdowns on infostealers. Last October, for example, international authorities took down the RedLine and META infostealers, seizing domains, servers, and Telegram accounts used by their administrators.

While the takedown has been hailed as a welcome move, Lindsey Welch, technical writer at Huntress, warned that threat actors often rebound after such operations.

"While these sorts of law enforcement operations can force threat actors to retool, they are merely disruptions rather than permanently effective measures," Welch said.

"In fact, researchers have historically seen the resurgence of malware families, like Emotet and Bumblebee, after targeted disruptions."

Earlier this year, researchers from KELA said they'd spotted more than 4.3 million machines around the world that had been infected with infostealer malware, including Lumma Stealer.

More than 330 million credentials were compromised, the study noted.

"The coordination of Microsoft and law enforcement shows how powerful the two are when combined to stop bad actors from operating. Dismantling this cyber criminal enterprise will save hundreds of thousands of people from being victims," said Thomas Richards, infrastructure security practice director at Black Duck.

"Hopefully, there is a similar coordinated effort to alert those who have been victims so they can secure their credit and monitor for any additional financial fraud."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.