Lumma Malware Makes 1.7 Million Information Theft Attempts, Microsoft Takes Down
2025-05-22
Lumma Malware has been in the spotlight since the US Department of Justice coordinated with Microsoft to seize domains used by LummaC2 in its information theft efforts.
LummaC2 didn't just target users in certain countries; as it turned out, its target was the global public.
For this reason, two seizure warrants were issued by the US Department of Justice on May 21.
About Lumma Malware: Inside LummaC2
Lumma Malware that spreads across the internet is from LummaC2, also known as Lumma Stealer. It is malicious software designed to steal sensitive information from infected computers.
It belongs to an expanding category of cyber threats called "infostealers", malicious software designed to collect information such as passwords, banking details, personal digital data, and also crypto wallets, instead of damaging files or locking systems for ransom.
LummaC2 is short for “Lumma Command and Control,” referring to the server system that remotely manages infected computers.
This malware is distributed on a Malware-as-a-Service (MaaS) model, meaning that cybercriminals can pay a fee to use LummaC2 through subscription-based pricing tiers. These tiers range from a few hundred to thousands of dollars, depending on the capabilities desired.
Launched around late 2022, LummaC2 quickly gained popularity in underground hacking forums due to:
Its powerful credential-stealing capabilities
A sleek, user-friendly dashboard for cybercriminals
Support for multiple exfiltration techniques (methods to send stolen data to the attacker)
Lumma Malware Cases
Between March 16 and May 16, 2025, LummaC2, also known as Lumma Stealer, infected more than 394,000 Windows computers worldwide, marking one of the most aggressive infostealer campaigns in recent cybercrime history.
According to the FBI, this malware was involved in at least 1.7 million theft attempts globally, primarily targeting login credentials, financial information, and crypto wallet access.
The financial damage has been substantial: in 2023 alone, LummaC2 was responsible for an estimated $36.5 million in credit card fraud, as reported by Cybernews and Investopedia.
Its impact has not been confined to one region: cases have surfaced across North America, Europe, Southeast Asia, and Latin America, where infected systems have been used to exfiltrate sensitive data from individuals, small businesses, and even government systems.
The malware’s operations were highly coordinated and bolstered by an underground subscription model, allowing cybercriminals, regardless of technical skill, to rent the malware and deploy it in phishing campaigns.
Investigations by The Record, CyberScoop, and The Economic Times revealed that LummaC2 was often paired with deceptive web injects and malicious browser extensions to harvest more data while remaining undetected.
Despite a major international takedown led by Microsoft, the U.S. Department of Justice, and several cybersecurity firms, experts from WIRED, CyberScoop, and Investopedia warn that the risk from infostealers like LummaC2 remains dangerously high.
Its modular structure, continuous updates, and ease of use have made it an essential tool for cybercriminal syndicates and even state-sponsored hacking groups.
With variants still in circulation and new actors developing forks of the original malware, LummaC2’s legacy continues to pose a significant threat to global cybersecurity in both public and private sectors.
Microsoft Leads Operation to Dismantle Lumma Malware
On May 21, 2025, an unprecedented, globally coordinated cybersecurity operation dealt a major blow to LummaC2, one of the most prolific infostealer malware networks in recent years.
Led by Microsoft’s Digital Crimes Unit in collaboration with the U.S. Department of Justice, Europol, Japan’s Cybercrime Control Center, and major private-sector partners like Cloudflare and ESET, the operation marked a critical step in dismantling the infrastructure that fueled LummaC2’s widespread attacks.
According to SiliconANGLE, WIRED, and Decrypt, the takedown resulted in:
The seizure of over 2,300 malicious domains, which served as the digital foundation for LummaC2’s command, control, and distribution systems. These domains were used to manage infected machines, exfiltrate stolen data, and deliver malware updates to cybercriminal clients.
The full dismantling of LummaC2's command-and-control (C2) servers, effectively cutting off communication between the malware and hundreds of thousands of compromised devices worldwide. This move rendered many active infections inoperable and disrupted the ability to launch new attacks.
The takedown of multiple darknet and clearnet marketplaces where LummaC2 was sold as a subscription-based Malware-as-a-Service (MaaS). These underground marketplaces had offered tiered pricing, ranging from $250 to $20,000, allowing even low-skilled attackers to deploy powerful information-stealing campaigns.
As reported by Dark Reading, The Record, and The Official, the collaborative strike was not just about shutting down infrastructure; it also served to publicly expose the malware’s operations and raise global awareness about the growing threat of commercialized infostealers.
This operation is being hailed as a landmark achievement in cyber defense, highlighting the power of public-private partnerships in combating transnational cybercrime.
However, security analysts caution that this victory is likely temporary. While the LummaC2 network was severely disrupted, its code, variants, and affiliated actors may resurface under new aliases or forks, continuing to pose a threat in the evolving cybercrime landscape.
Final Note
The global disruption of LummaC2 on May 21, 2025, represents a major victory in the fight against cybercrime.
By seizing more than 2,300 domains, dismantling its command-and-control infrastructure, and disrupting black-market malware distribution channels, authorities struck at the very heart of one of the most dangerous infostealer operations to date.
However, this takedown is not the end of the story. With over 394,000 devices infected globally and more than $36.5 million in damages linked to LummaC2’s activity, the aftermath continues to unfold.
Experts warn that infostealers remain one of the most active and dangerous malware categories, especially due to their commercial availability and ability to remain undetected for long periods.
As cybercriminals adapt and malware variants evolve, ongoing collaboration between governments, cybersecurity firms, and global law enforcement is essential.
Vigilance, education, and robust security practices will remain critical in defending against the next generation of stealthy digital threats.
FAQ
1. What is LummaC2 malware, and how does it work?
LummaC2, also known as Lumma Stealer, is an infostealer malware designed to collect sensitive data such as login credentials, credit card details, and cryptocurrency wallet information. It operates via a command-and-control (C2) infrastructure, allowing attackers to remotely exfiltrate data from infected devices.
2. How did authorities take down LummaC2?
On May 21, 2025, a global task force led by Microsoft, the U.S. Department of Justice, and cybersecurity partners dismantled LummaC2 by seizing over 2,300 domains, shutting down its C2 servers, and disrupting underground marketplaces where the malware was sold.
3. How many devices were affected by Lumma Stealer?
Between March 16 and May 16, 2025, LummaC2 infected over 394,000 Windows computers globally and was linked to more than 1.7 million theft attempts, making it one of the most widespread infostealer campaigns in recent years.
4. Is LummaC2 still a threat after the takedown?
Yes. While the infrastructure behind LummaC2 was significantly disrupted, cybersecurity experts warn that variants and forks may still emerge. Infostealers remain highly effective tools for cybercriminals due to their stealth and profitability.
5. How can I protect myself from LummaC2 and similar malware?
To protect against infostealers like LummaC2, avoid clicking on suspicious links, keep your software updated, use strong antivirus protection, enable multi-factor authentication, and regularly monitor financial and digital accounts.
Disclaimer: The content of this article does not constitute financial or investment advice.
