Threat analysis by The RabitaNoor (RBTN) Cyber Research Center

Disruption of Lumma Infostealer Malware Operation and Seizure of 2,300 Domains

The goal of this document is to provide a technical and strategic analysis of a much larger source (a document, audio recording, etc.).

The document is a product of the RBTN - CYOI Pulpit


Main image: Photo by Yeshi Kangrang


Document Summary

Earlier this month, a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer operation seized thousands of domains and part of its infrastructure backbone worldwide. The effort involved multiple tech companies and law enforcement authorities. Microsoft seized approximately 2,300 domains after taking legal action against the malware on May 13, 2025. At the same time, the Department of Justice (DOJ) disrupted the marketplaces where the malware was rented to cybercriminals by seizing Lumma's control panel, while Europol's European Cybercrime Centre (EC3) and the Japan Cybercrime Control Center (JC3) helped seize Lumma infrastructure hosted in Europe and Japan.

Lumma (also known as LummaC2) is a malware-as-a-service information stealer targeting Windows and macOS systems that cybercriminals can rent for a subscription of between $250 and $1,000. The malware has advanced evasion and data theft capabilities and is commonly distributed through a variety of channels, including GitHub comments, deepfake nude generator sites, and malvertising.

After compromising a system, Lumma steals data from web browsers and applications, including cryptocurrency wallets, cookies, credentials, passwords, credit card details, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers. The stolen data is collected into an archive and sent to attacker-controlled servers; the operators then sell the information on cybercrime marketplaces or use it in further attacks.

Analysis

Overview

Timestamp: 2025-05-21

Title: Disruption of Lumma Infostealer Malware Operation and Seizure of 2,300 Domains

Severity: High

The Lumma infostealer operation involved cybercriminals offering malware-as-a-service targeting Windows and macOS systems. The adversaries, known as Lumma operators, utilized advanced evasion and data theft capabilities to compromise victims globally. The infrastructure included domains, control panels, and servers for data collection, with victims spanning various industries. The operation was disrupted through a coordinated effort by tech companies and law enforcement, resulting in the seizure of 2,300 domains and the dismantling of Lumma's infrastructure.

Adversary

Adversary: Lumma operators are cybercriminals offering malware-as-a-service targeting Windows and macOS systems.

Motivation: Financial gain through data theft and sale on cybercrime marketplaces.

Sophistication: High, with advanced evasion and data theft capabilities.

TTPs:

Capability

Capability: Lumma malware is capable of stealing data from web browsers and applications.

Tools: Lumma malware, Malvertising

Evasion: Bypassing security measures

Infrastructure

Description: Lumma's infrastructure includes domains, control panels, and servers for data collection.

C2 Servers: Attacker-controlled servers

Domains: Seized 2,300 domains

Hosting Providers: Cloudflare

Communication Protocols: HTTP, HTTPS
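Once a list of seized C2 domains is published, the most useful defensive step is a retrospective hunt: any host that resolved or contacted one of those domains before the seizure is a likely infection and warrants credential rotation. The script below is an added example, not part of the RBTN analysis or of any published seizure list; the domain list and the log lines are constructed placeholders (`.invalid` names) standing in for the real seizure list and your own proxy/DNS logs. It matches on domain boundaries (parent domains), so a lookalike that merely contains a seized name as a substring is not flagged.

```python
"""Retrospective hunt for contact with seized C2 domains in proxy/DNS logs.

Added example for the Lumma disruption write-up; not the report's own code.
SEIZED_DOMAINS and SAMPLE_LOGS are constructed placeholders: substitute the
published seizure list and your real log export.
"""
import re

# Placeholder stand-ins for the seized-domain list (constructed, not real IoCs).
SEIZED_DOMAINS = {
    "example-seized-c2.invalid",
    "lumma-placeholder.invalid",
}

# Constructed sample log lines: "<timestamp> <source-host> <method-or-DNS> ..."
SAMPLE_LOGS = [
    "2025-05-14T08:01:12Z ws-017 GET https://www.microsoft.com/ 200",
    "2025-05-14T08:02:40Z ws-017 POST https://api.example-seized-c2.invalid/upload 200",
    "2025-05-14T08:02:41Z ws-023 DNS A Lumma-Placeholder.INVALID.",
    "2025-05-14T08:03:05Z ws-031 GET http://notseized-example.invalid/ 404",
]

# Captures the host part of an http(s) URL (stops at path, port or whitespace).
_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def normalize(host):
    """Lower-case the name and drop a trailing dot from DNS-style FQDNs."""
    return host.lower().rstrip(".")


def parent_domains(host):
    """Yield the host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def extract_host(line):
    """Pull the contacted host out of a proxy (URL) or DNS (query) log line."""
    m = _HOST_RE.search(line)
    if m:
        return normalize(m.group(1))
    parts = line.split()
    if len(parts) >= 5 and parts[2] == "DNS":
        return normalize(parts[4])
    return None


def match_seized(host, seized=SEIZED_DOMAINS):
    """Return the seized domain that host equals or is a subdomain of, else None.

    Matching walks label boundaries, so 'evil-lumma-placeholder.invalid' or
    'lumma-placeholder.invalid.evil.test' are not treated as hits.
    """
    for candidate in parent_domains(host):
        if candidate in seized:
            return candidate
    return None


def hunt(lines, seized=SEIZED_DOMAINS):
    """Return one record per log line whose host matches a seized domain."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if host is None:
            continue
        matched = match_seized(host, seized)
        if matched:
            parts = line.split()
            hits.append({
                "timestamp": parts[0],
                "source": parts[1],
                "host": host,
                "matched": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        # Each hit names an internal host to triage and a seized domain it reached.
        print(f"{hit['timestamp']} {hit['source']} -> {hit['host']} (seized: {hit['matched']})")
```

Feed `hunt()` a log export covering the weeks before the seizure date, not just after it: domains taken over by Microsoft now resolve to sinkholes, so post-seizure traffic confirms a host is still infected, while pre-seizure traffic identifies victims whose stored credentials, cookies and wallet data should be treated as exposed.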

Victim Profile

Targets: Victims include Windows and macOS users targeted by Lumma malware.

Industry: Various, including education and retail

Assets: Web browsers, Cryptocurrency wallets

Data at Risk: Credentials, Passwords, Credit cards

Impact: High

References