The Lumma infostealer operation has been taken down in a collaborative effort between global law enforcement agencies and industry titans.
Lumma is an information stealer sold to cybercriminals on dark web and underground forums, giving them the tools to access devices and harvest all the information and data they can get their hands on, affecting hundreds of victims daily.
The US Department of Justice (DoJ), Europol, and Japanese cyber law enforcement agencies, alongside Microsoft, Cloudflare, ESET and more, participated in the takedown and seizure of the Lumma malware-as-a-service (MaaS) infostealer operation.
The takedown operation began when Microsoft discovered 394,000 Windows devices infected with the Lumma infostealer malware around the globe.
“Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware,” wrote Assistant General Counsel for Microsoft’s Digital Crimes Unit, Steven Masada.
“Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims.”
On May 13, 2025, Microsoft took legal action against Lumma, leading to the seizure of 2,300 domains.
“Via a court order granted in the United States District Court of the Northern District of Georgia, Microsoft’s DCU seized and facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure,” added Masada.
Simultaneously, the US DoJ seized Lumma’s control panel, disrupting its ability to offer its malware to cybercriminals on dark web marketplaces, while Japan’s Cybercrime Control Centre (JC3) and Europol’s European Cybercrime Centre (EC3) seized local infrastructure in Japan and Europe.
Blake Darché, Head of Cloudforce One at Cloudflare, one of the companies that assisted in the takedown, said that the operation will disrupt and delay Lumma’s operations, but that its operators will rebuild.
“This disruption worked to fully set back their operations by days, taking down a significant number of domain names, and ultimately blocking their ability to make money by committing cybercrime,” he said.
“While this effort threw a sizable wrench into the largest global infostealer’s infrastructure, like any threat actor, those behind Lumma will shift tactics and reemerge to bring their campaign back online.”
However, as highlighted by the Head of Europol’s European Cybercrime Centre, Edvardas Šileris, the operation underscores the importance of cooperating with industry and marks a shift in how these cybercriminal takedowns take place.
“This operation is a clear example of how public-private partnerships are transforming the fight against cybercrime.
“By combining Europol’s coordination capabilities with Microsoft’s technical insights, a vast criminal infrastructure has been disrupted. Cybercriminals thrive on fragmentation – but together, we are stronger.”