Lumma Stealer Takedown Reveals Sprawling Operation - Dark Reading
The FBI and partners have disrupted "the world's most popular malware," a sleek enterprise with thousands of moving parts, responsible for millions of cyberattacks in every part of the world.

Tara Seals, Managing Editor, News, Dark Reading
May 21, 2025

The Lumma Stealer malware operation has gone dark, thanks to a coordinated law-enforcement effort that seized five Internet domains that its operators use to distribute the data-thieving binary to cybercriminal customers and affiliates.

In addition to the five Internet domains that hosted the user panels for malware-as-a-service clients, Microsoft separately led a takedown of 2,300 domains that hosted other parts of the Lumma Stealer infrastructure, sinkholing their traffic for analysis.

Lumma Stealer (aka LummaC2) is a commercial malware built for stealing various kinds of credentials and crypto-wallet information, which shows up as part of any and all manner of infosec crimes, including ransomware attacks, cryptocurrency theft, business email compromise (BEC) fraud, account hijacking, cyber espionage, and more. It's offered in a malware-as-a-service model, where cyberattackers can rent the malware in tiered subscriptions that range from $250 to $1,000 per month.

"Common targets for cybercriminals using malware like LummaC2 include browser data, autofill information, login credentials for accessing email and banking services, as well as cryptocurrency seed phrases, which permit access to virtual currency wallets," according to a US Department of Justice press statement today announcing the takedown.

Lumma Stealer's Multifaceted Cybercrime Empire

It's a bustling enterprise, according to ESET, which, along with Microsoft, BitSight, Lumen Technologies, Cloudflare, CleanDNS, and GMO Registry, aided the FBI in the takedown. ESET's analysis revealed that Lumma Stealer's developers were hyperactively developing and maintaining their malware, with 74 new domains emerging each week to host new parts of its infrastructure. In all, Lumma Stealer's authors deployed 3,353 unique command-and-control domains within the past year.

"We have regularly noticed code updates ranging from minor bug fixes to complete replacement of string encryption algorithms and changes to the network protocol," according to an ESET blog post published today. "The operators also actively maintained the shared exfiltration network infrastructure."

(Chart: Weekly counts of new C2 domains. Source: ESET)

According to the US Department of Justice, which also coordinated with Europol's European Cybercrime Center (EC3) as well as Japan's Cybercrime Control Center (JC3), Lumma Stealer is not just in demand but is actually the most popular infostealer service available in Dark Web markets, responsible for 1.7 million known attacks against victims. One reason for its popularity might be its creators' dedication to offering a professional one-stop shop.

"The operators of Lumma Stealer have also created a Telegram marketplace with a rating system for affiliates to sell stolen data without intermediaries," according to ESET. It added, "harvested credentials are a valued commodity in the cybercrime underground, sold by initial access brokers to various other cybercriminals, including ransomware affiliates. … Infostealer malware families, like Lumma Stealer, are typically just a foreshadowing of a future, much more devastating attack."

According to Jakub Tomanek, malware analyst at ESET, the takedown operation should have a significant impact not only on those at risk of infection but also on those who are already compromised.

"Disrupting a malware family of this scale has always had a significant impact, helping to protect both current and potential victims across the globe," he tells Dark Reading. "By sinkholing domains to Microsoft's backend, this operation provides substantial visibility into active infections and will enhance the security of hundreds of thousands of compromised devices."

(Chart: ESET's Lumma Stealer detection rates around the world. Source: ESET)

James Shank, director of threat operations at Expel, noted that while the action is welcome, history teaches us that such disruptions don't always last, so it's likely to be an ongoing effort.

"Time will tell if this latest effort has a lasting impact," he said in a statement. "And let's hope that arrests come quickly to further reduce the threats posed by the criminals behind Lumma."

Tomanek points out that there's also brand damage for Lumma Stealer to recover from, creating a unique challenge for staging any sort of resurgence.

"Setting aside the technical damage, this disruption operation also targeted the operator's reputation among their affiliates," he says. "The success and revenue of the Lumma Stealer operators heavily relied on the size and loyalty of their affiliate network. While the operators may attempt to rebuild their infrastructure from scratch, they will need to regain the trust of their affiliates in order to recover."