In a historic enforcement operation against cybercrime, international law enforcement agencies pulled together and took down the Lumma Stealer malware network, responsible for more than 10 million infections globally. Known as LummaC or LummaC2, this commodity information stealer has been in operation since late 2022 and has been a contributing factor in over 1.7 million data breaches. In total, authorities seized nearly 2,300 domains that served as the command-and-control (C2) backbone for the malware. The seizure also pre-emptively hijacked the malware’s link to millions of infected Windows systems.
The U.S. Department of Justice (DoJ) described Lumma Stealer as the “world’s most significant infostealer threat,” highlighting the urgency of addressing its spread. The operation was carried out with several international partners, including Europol, as a statement of multinational cooperation and defiance against increasing cyber threats.
The Mechanics of Lumma Stealer
Lumma Stealer operates under a malware-as-a-service (MaaS) model. This model lets its developer market the malware via subscriptions costing anywhere from $250 to $1,000. A full-service premium plan runs $20K and gives customers access to the source code as well as the right to resell it to other cybercriminals.
The malware’s main binary employs several layered obfuscation methods: a low-level virtual machine (LLVM core), Control Flow Flattening (CFF), and customized stack decryption. These techniques make it much harder for security software to discover and shut down the threat.
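To make the Control Flow Flattening mentioned above concrete, here is an added illustration (not Lumma’s code, and not taken from any published analysis of it) of what the technique does to a function’s structure. Both functions compute the same result; the flattened version replaces the readable branches with a state-machine dispatcher loop, and that dispatcher pattern is what an analyst looks for in decompiler output when deciding whether a binary has been flattened. The function names, the state labels and the sample input are all constructed for the example.

```python
# Added illustration of Control Flow Flattening (CFF). Constructed example,
# not code from Lumma Stealer or from the original article.


def classify_plain(values):
    """Original structure: count positives and negatives using ordinary branches."""
    pos = neg = 0
    for v in values:
        if v > 0:
            pos += 1
        elif v < 0:
            neg += 1
    return pos, neg


def classify_flattened(values):
    """Same logic after control-flow flattening.

    Every basic block of the original becomes one case of a dispatcher, and the
    'next block' is chosen by writing a state variable instead of by structured
    loops and if/else. Real obfuscators pick the state constants at random; the
    small integers below are just labels for this illustration.
    """
    state = 0          # dispatcher state: which basic block runs next
    i = 0
    pos = neg = 0
    while True:        # the dispatcher loop that gives CFF its shape
        if state == 0:                      # loop header: any values left?
            state = 1 if i < len(values) else 5
        elif state == 1:                    # block: test v > 0
            state = 2 if values[i] > 0 else 3
        elif state == 2:                    # block: pos += 1
            pos += 1
            state = 4
        elif state == 3:                    # block: test v < 0, maybe neg += 1
            if values[i] < 0:
                neg += 1
            state = 4
        elif state == 4:                    # block: loop increment
            i += 1
            state = 0
        elif state == 5:                    # block: exit
            return pos, neg


def flattening_preserves_behavior(values):
    """Sanity check an analyst would run on a deobfuscated function: the
    recovered (plain) version must agree with the obfuscated one on test input."""
    return classify_plain(values) == classify_flattened(values)


if __name__ == "__main__":
    sample = [1, -2, 3, 0, -5]              # constructed input
    print(classify_plain(sample), classify_flattened(sample))
    print("behavior preserved:", flattening_preserves_behavior(sample))
```

The point for defenders is that flattening does not change what the code does, only how it reads: signature- or graph-based detection that keys on the original branch structure stops matching, while behaviour-based detection (what the process actually does at runtime) is unaffected.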
“We have done a lot of work over two years to achieve what we have now,” – Shamel (Lumma developer).
Lumma Stealer’s distribution infrastructure is varied and versatile. It takes advantage of phishing schemes, malvertising, drive-by downloads, and trusted platforms to deliver its payloads. Moreover, Lumma Stealer’s operators have launched a dedicated marketplace on Telegram, through which affiliates can cut out the middleman and sell stolen data directly to buyers.
Rising Threat Level
Between April and June 2024, cybersecurity researchers detected over 21,000 fraudulent marketplace listings offering Lumma Stealer logs across several threat actor forums. This was a jaw-dropping 71.7% jump over the same period the previous year.
Specifically, the flexibility of Lumma Stealer’s distribution methods has been a major factor in its rapid proliferation. The malware often lurks in illegitimate or pirated software copies, targeting users trying to circumvent valid licensing payments. That makes it appealing to people looking for budget options, who undermine their own security in the process.
“The primary developer of Lumma is based in Russia and goes by the internet alias ‘Shamel’,” – Steven Masada.
According to a recent announcement from Microsoft, the company found over 394,000 Windows PCs infected with Lumma malware worldwide in continuous detection from March 16 to May 16, 2025. This staggering number reflects the urgent need for ongoing vigilance and proactive measures from both cybersecurity firms and law enforcement agencies.
Impact of the Disruption
Following the global operation that seized Lumma Stealer’s online infrastructure, authorities have noted a significant decrease in the malware’s activity. Experts warn, however, that traces of the threat may persist.
“While we are still seeing some Lumma Stealer activity, it has significantly decreased following the disruption,” – Selena Larson.
Lumma’s developers are currently addressing shortcomings in their operational security and are planning a more sophisticated successor, even after the confiscation and defacement of some of their most important domains. This adaptability demonstrates the resilience of cybercriminal business models.
“This disruption worked to fully setback their operations by days, taking down a significant number of domain names, and ultimately blocking their ability to make money by committing cybercrime,” – Blake Darché.
Law enforcement agencies remain committed to working together and to watching the threat landscape closely. They are equally resolved to prevent any return of Lumma Stealer or similar threats, recognizing that cybercrime is ever-changing and requires their continuous attention.