HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Crackdown leads to malware disruption

Written by Farah Amod | Jun 11, 2025 2:37:20 AM

A worldwide crackdown led by Microsoft and law enforcement has disrupted one of the most prolific data-stealing malware services online.


What happened

On May 13, 2025, Microsoft and a coalition of global tech companies and law enforcement agencies launched a coordinated disruption against the Lumma malware-as-a-service (MaaS) operation. The effort resulted in the seizure of roughly 2,300 domains and key parts of Lumma’s backend infrastructure. The U.S. Department of Justice also dismantled Lumma’s control panel and disrupted marketplaces where the malware was offered for rent.

The crackdown aimed to sever communications between infected systems and Lumma’s operators. Between March and May 2025 alone, Microsoft had identified over 394,000 Windows devices infected by Lumma.


Going deeper

Lumma, also known as LummaC2, is sold on cybercrime forums for $250 to $1,000 and is known for its sophisticated evasion and data theft techniques. The malware targets both Windows and macOS systems, collecting sensitive data including passwords, cryptocurrency wallets, cookies, credit card numbers, and browser history. The data is then compiled and sent to attacker-controlled servers, where it is either sold or used in further attacks.

Lumma has been spread through deceptive means like GitHub comments, fake AI-generated nude websites, and malvertising. Its widespread use has been linked to major breaches involving PowerSchool, CircleCI, Snowflake, and HotTopic. The malware has also been deployed by known threat groups like Scattered Spider and used in network manipulation attacks, such as the hijacking of Orange Spain’s RIPE account.

Despite prior domain suspensions, Lumma operators continued to bypass defenses, prompting Cloudflare to introduce enhanced countermeasures, including its Turnstile service, to block further abuse.


What was said

Microsoft’s Digital Crimes Unit confirmed it worked with law enforcement and industry partners to sever communications between Lumma and compromised machines. Cloudflare stated that Lumma will now face added costs from having to rebuild its operations from scratch.

Tech firms like ESET, CleanDNS, Lumen, Bitsight, GMO Registry, and the law firm Orrick also took part in the action. Europol and Japan’s Cybercrime Control Center assisted in seizing infrastructure in their respective regions.


The big picture

The takedown of Lumma represents progress in efforts to disrupt infostealer malware operations, which have continued to grow in reach and complexity. Tools like Lumma are linked to an increasing number of breaches and stolen credentials, prompting more coordination between technology companies and global law enforcement. However, these disruptions are rarely final. Malware-as-a-service groups often reorganize and reemerge using different infrastructure, keeping the threat environment in constant motion.


FAQs

What makes malware-as-a-service (MaaS) operations like Lumma so difficult to stop?

MaaS tools are sold to many different cybercriminals, making takedowns complex. Even if infrastructure is seized, individual buyers may continue using copies of the malware or migrate to similar services.


How can users tell if their systems were affected by Lumma?

The FBI and CISA have released a joint advisory with indicators of compromise and detection techniques. Users and organizations should consult these resources and run endpoint detection scans.


Why is Lumma more dangerous than traditional malware?

Unlike viruses that disrupt systems, Lumma is designed to remain stealthy while stealing credentials, making it harder to detect and ideal for launching future breaches and fraud.


How are services like Cloudflare used by attackers?

Attackers abuse CDN and security services to obscure the true locations of their servers, making it harder for defenders to track or block data exfiltration paths.


What can organizations do to defend against infostealers like Lumma?

Best practices include enforcing multi-factor authentication, monitoring for unusual login behavior, keeping software updated, and implementing endpoint detection and response (EDR) tools that scan for credential theft patterns.
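The "monitoring for unusual login behavior" recommendation above is the part most often left abstract. Stolen credentials and session cookies produce successful logins from devices and places the legitimate user has never used, so a useful first detector works on exactly that signal. The following is an added example, not code from the article or from any vendor named in it: a small Python detector that reads a constructed, space-separated authentication log (the log format, user names, IP addresses and country codes are all assumed for illustration) and flags three patterns that commonly follow infostealer theft: a successful login from a new country shortly after one from elsewhere ("impossible travel"), a login whose user agent and country are both new for that account, and a single source IP used by several distinct accounts within a short window.

```python
"""Flag login anomalies that commonly follow infostealer credential theft.

Added example. The log format and every sample event below are constructed
for illustration; they are not taken from the article or from a real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log. Format, one event per line:
#   <ISO-8601 UTC timestamp> <user> <source IP> <country> <user agent tag> <result>
# 192.0.2.55 plays the role of an attacker's host replaying credentials
# harvested from several victims; addresses are documentation ranges.
SAMPLE_LOG = """\
2025-05-13T08:00:00Z alice 203.0.113.10 US Chrome-Windows success
2025-05-13T08:05:00Z bob 198.51.100.7 US Firefox-Windows success
2025-05-13T08:20:00Z alice 203.0.113.10 US Chrome-Windows success
2025-05-13T08:30:00Z alice 192.0.2.55 RO Chrome-Linux failure
2025-05-13T08:40:00Z alice 192.0.2.55 RO Chrome-Linux success
2025-05-13T09:10:00Z bob 192.0.2.55 RO Chrome-Linux success
2025-05-13T09:15:00Z carol 192.0.2.55 RO Chrome-Linux success
"""


def parse_event(line):
    """Split one log line into a dict with a timezone-aware timestamp."""
    ts, user, ip, country, agent, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "user": user, "ip": ip, "country": country,
            "agent": agent, "result": result}


def detect_anomalies(log_text, travel_minutes=60, shared_ip_minutes=60,
                     shared_ip_users=3):
    """Return a list of findings for successful logins that match any rule.

    Only successful logins are examined: replayed stolen credentials or
    cookies succeed, so failures are a different (brute-force) signal.
    """
    travel_window = timedelta(minutes=travel_minutes)
    shared_window = timedelta(minutes=shared_ip_minutes)
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    history = defaultdict(list)   # user -> earlier successful logins (the baseline)
    ip_users = defaultdict(list)  # ip   -> [(time, user)] of successful logins
    findings = []

    for ev in events:
        if ev["result"] != "success":
            continue
        reasons = []
        prior = history[ev["user"]]

        # Rule 1: impossible travel - a different country within travel_window.
        if any(p["country"] != ev["country"] and ev["time"] - p["time"] <= travel_window
               for p in prior):
            reasons.append("impossible_travel")

        # Rule 2: new device *and* new location for an account that has a baseline.
        # Either alone is common (travel, browser upgrade); both together is rarer.
        if prior:
            seen_agents = {p["agent"] for p in prior}
            seen_countries = {p["country"] for p in prior}
            if ev["agent"] not in seen_agents and ev["country"] not in seen_countries:
                reasons.append("new_device_and_location")

        # Rule 3: one source IP logging in as several distinct users within a window,
        # the shape a bulk replay of harvested credentials tends to take.
        recent_users = {u for t, u in ip_users[ev["ip"]]
                        if ev["time"] - t <= shared_window}
        recent_users.add(ev["user"])
        if len(recent_users) >= shared_ip_users:
            reasons.append("shared_source_ip")

        if reasons:
            findings.append({"time": ev["time"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                             "user": ev["user"], "ip": ev["ip"], "reasons": reasons})

        # Update the baseline only after evaluating the event against it.
        prior.append(ev)
        ip_users[ev["ip"]].append((ev["time"], ev["user"]))
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_LOG):
        print(f"{f['time']} {f['user']:<6} {f['ip']:<14} {', '.join(f['reasons'])}")
```

On the constructed log this reports alice at 08:40 (impossible travel plus new device and location), bob at 09:10 (new device and location only, because his US login was 65 minutes earlier and falls outside the default 60-minute travel window), and carol at 09:15 (third distinct account from 192.0.2.55 within an hour). Carol has no baseline, so rule 2 stays silent for her; that gap is why the shared-source rule is worth keeping alongside the per-user rules. In practice the thresholds and the country source (a GeoIP lookup rather than a log field) are tuned per environment, and the findings would feed an alert or an EDR investigation rather than stdout.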