Lumma Stealer Malware Takedown: 2,300 Domains Seized

Written by Scarlet Mendoza | May 21, 2025 5:41:37 PM

In early May, a globally coordinated operation was launched to curb the activities of Lumma Stealer, a malware offered as a service to steal personal and corporate information. The outcome was decisive: thousands of domains were confiscated and a key part of its infrastructure was dismantled.

The operation was made possible through the joint efforts of several tech companies and law enforcement agencies. In fact, on May 13, 2025, Microsoft, after filing a legal complaint, managed to seize around 2,300 domains linked to this threat.

But that wasn’t all. The U.S. Department of Justice (DOJ) also took action and succeeded in shutting down Lumma's control panel—a platform criminals used to manage the malware. Meanwhile, Europol and Japan’s Cybercrime Control Center (JC3) collaborated to seize servers operating from Europe and Asia.

Between March 16 and May 16, Microsoft detected over 394,000 Windows devices infected with Lumma Stealer worldwide. “In coordination with law enforcement and our partners, we completely cut off communication between the malware and its victims,” explained Steven Masada, legal advisor for Microsoft’s Digital Crimes Unit.

Thanks to this operation, the cybercriminals using Lumma can no longer access the system used to control the stolen data or the infrastructure used to distribute the malware. This forces them to start from scratch and delivers a significant technical and financial blow, according to Cloudflare, another company involved in the effort.

In addition to Microsoft and Cloudflare, ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and the global law firm Orrick also participated in the operation. It was a collective effort that shows what can be achieved when the private sector and authorities join forces to combat cybercrime.

Domain Seizure Banner (Source: Microsoft)

Cloudflare Under Attack (Indirectly): How Lumma Stealer Exploited Its Services

Lumma Stealer found a way to exploit Cloudflare’s own services to better conceal itself. Specifically, it used them to hide the real IP addresses of its servers, making detection more difficult while continuing to steal user credentials and data.

Although Cloudflare managed to suspend several domains linked to this malicious operation, the malware was still able to bypass the warning pages the company displayed to alert visitors about dangerous sites. This prompted Cloudflare’s Trust and Safety team to implement stricter measures to prevent further data theft.

“We detected these domains over and over again, and suspended their accounts each time,” Cloudflare explained in a report. But the problem escalated in February 2025, when the malware began circumventing Cloudflare’s interactive warnings, which were designed to deter traffic to malicious pages.

The solution? Cloudflare upgraded its defenses and added its Turnstile system (a kind of human verification) to the warnings. As a result, the malware could no longer bypass that barrier as easily.

What Is Lumma Stealer and Why Is It So Dangerous?

Lumma, also known as LummaC2, is not just any malware. It's an infostealer—a type of software specifically designed to steal all kinds of personal and confidential information. What’s most alarming is that it’s offered as a subscription service, like a “Netflix for cybercriminals,” with prices ranging from $250 to $1,000 depending on the plan.

This malware targets both Windows and macOS and comes equipped with advanced features to evade antivirus detection and steal data. How is it distributed? Through a wide variety of channels: GitHub comments, deepfake websites, malicious ads—essentially any online space that can lure unsuspecting clicks. Once a device is infected, Lumma can extract:

  1. Saved passwords
  2. Browser cookies
  3. Session tokens
  4. Credit card information
  5. Cryptocurrency wallet data
  6. Browsing history

It then packages all of this data and sends it to servers controlled by the attackers, who either sell the information on dark web forums or use it to launch further attacks.

Where Did It Come From and How Big Is the Problem?

Lumma first emerged in December 2022 on cybercrime forums and quickly gained popularity. According to data from KELA, it soon became one of cybercriminals' favorite tools.

And it’s easy to see why. According to IBM X-Force’s 2025 intelligence report, credentials stolen by infostealers rose by 12% over the past year. Even more concerning, there was an 84% increase in phishing campaigns distributing this type of malware, with Lumma topping the list by a wide margin.

Lumma Infection Heatmap (Source: Microsoft)

Lumma Isn’t Just a Nuisance Malware—It Has Fueled Massive Malvertising Campaigns That Have Infected Hundreds of Thousands of Computers Worldwide

Lumma has been used by both small criminal groups and well-known collectives like Scattered Spider, infamous for large-scale cyberattacks. Its impact extends far beyond just stealing credentials.

The worst part is that the data stolen with this type of malware doesn’t just sit idle in obscure forums. In recent months, it has been directly linked to serious security breaches at major organizations like PowerSchool, HotTopic, CircleCI, and Snowflake—all of which handle millions of users or highly sensitive data.

But it doesn’t stop at account theft. The stolen credentials have also been used to infiltrate corporate networks and cause even more damage. One alarming example: attackers hijacked the RIPE account of Orange Spain and tampered with its internet routing settings (BGP and RPKI), which can severely destabilize how internet traffic is directed.

In short, Lumma doesn’t just steal data—it opens the door to much more serious and dangerous attacks, ranging from unauthorized access to potential chaos in a company’s entire internet infrastructure.