The Justice Department, along with Microsoft and international partners, has disrupted the infrastructure of a popular cybercrime tool known as “Lumma Stealer,” according to Microsoft’s Digital Crimes Unit (DCU).

In a May 21 blog post, the DCU explained that Lumma Stealer – or Lumma – is the preferred info-stealing malware of hundreds of cyber threat actors. The malware has been in circulation since 2022 and steals passwords, credit card data, bank account credentials, and cryptocurrency wallet data from infected machines.

“Via a court order granted in the United States District Court of the Northern District of Georgia, Microsoft’s DCU seized and facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure,” Steven Masada, assistant general counsel in Microsoft’s DCU, wrote in the blog post.

“The Department of Justice (DOJ) simultaneously seized the central command structure for Lumma and disrupted the marketplaces where the tool was sold to other cybercriminals,” Masada said. “Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) facilitated the suspension of locally based Lumma infrastructure.”

Cybersecurity companies including ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry helped take down the online infrastructure.

Microsoft said it identified over 394,000 Windows computers globally infected by the Lumma malware between March 16 and May 16. Working with law enforcement and its industry partners, the company has severed communication between the malware on those machines and the attackers' command-and-control infrastructure.

Notably, Microsoft said over 1,300 of the seized domains will be redirected to Microsoft “sinkholes.” Infected machines keep trying to reach those domains, but their connections now land on a safe, Microsoft-controlled server instead of the attackers' command-and-control servers. Microsoft’s DCU can then use the sinkhole traffic, for example to see which networks are still beaconing, to help public- and private-sector partners find and remediate infected hosts.
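The practical consequence of a sinkhole for a defender is that infected hosts keep beaconing, and their DNS queries now resolve to an address the takedown partners control. The script below is an added example, not Microsoft's or MeriTalk's code, showing how an incident responder would triage resolver logs for that signal. The domains, sinkhole address, and log lines in it are constructed placeholders, not real Lumma indicators; the indicator list would come from your CERT, ISP, or takedown partner.

```python
"""Triage DNS resolver logs for hosts that queried sinkholed domains.

Added example; the indicators and log lines are constructed placeholders,
NOT real Lumma Stealer domains or sinkhole addresses.
"""
import re
from datetime import datetime

# Constructed placeholder indicators (the .test TLD and TEST-NET-1 range are
# reserved and never appear in real traffic). Replace with the shared list.
SINKHOLED_DOMAINS = {"c2-example-one.test", "c2-example-two.test"}
SINKHOLE_IPS = {"192.0.2.10"}

# Constructed sample resolver log: "<ISO timestamp> <client ip> <qname> <rdata>".
SAMPLE_LOG = """\
2025-05-22T10:00:01Z 10.0.0.5 www.example.com 93.184.216.34
2025-05-22T10:00:07Z 10.0.0.17 c2-example-one.test 192.0.2.10
2025-05-22T10:05:09Z 10.0.0.17 c2-example-one.test 192.0.2.10
2025-05-22T10:06:00Z 10.0.0.23 mail.example.org 203.0.113.7
2025-05-22T11:15:42Z 10.0.0.31 sub.c2-example-two.test 192.0.2.10
2025-05-22T11:16:00Z 10.0.0.31 www.example.com 93.184.216.34
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_sinkholed(qname, rdata):
    """True if the queried name is a sinkholed domain (or a subdomain of one),
    or if the answer points at a known sinkhole address. Checking the answer
    catches names that were added to the sinkhole after our list was built."""
    name = qname.lower().rstrip(".")
    for domain in SINKHOLED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return True
    return rdata in SINKHOLE_IPS


def find_beaconing_hosts(log_text):
    """Aggregate sinkhole hits per client: first/last seen, hit count, names.

    Returns {client_ip: {"first": datetime, "last": datetime,
                         "count": int, "domains": set[str]}}.
    """
    hits = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the triage
        ts, client, qname, rdata = match.groups()
        if not is_sinkholed(qname, rdata):
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rec = hits.setdefault(
            client, {"first": when, "last": when, "count": 0, "domains": set()}
        )
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
        rec["count"] += 1
        rec["domains"].add(qname.lower().rstrip("."))
    return hits


if __name__ == "__main__":
    for client, rec in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{client}: {rec['count']} hits, first {rec['first'].isoformat()}, "
              f"last {rec['last'].isoformat()}, names {sorted(rec['domains'])}")
```

Every host the script lists still has the stealer installed: a sinkhole only cuts the malware off from its operators, it does not remove it. Those machines need cleaning, and because Lumma targets saved passwords and wallet data, any credentials stored on them should be treated as already stolen and rotated.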

“This joint action is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream,” Masada said.

“By severing access to mechanisms cybercriminals use, such as Lumma, we can significantly disrupt the operations of countless malicious actors through a single action,” he added.

Lumma lures victims by impersonating trusted brands – including Microsoft – and is delivered through vectors such as spear-phishing emails and malvertising. Its developers have shipped multiple versions since 2022, steadily expanding the tool’s capabilities, which makes it particularly dangerous.

Microsoft stressed the importance of continued collaboration across industry and government, as well as the need to “evolve to identify new ways to disrupt malicious activities.”

“Microsoft’s DCU will continue to adapt and innovate to counteract cybercrime and help ensure the safety of critical infrastructure, customers, and online users,” Masada concluded.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.