Lumma Stealer toppled by globally coordinated takedown | CyberScoop<\/title> <meta name=\"description\" content=\"Global law enforcement authorities and Microsoft seized or disrupted the prolific infostealer\u2019s central command infrastructure, malicious domains and marketplaces where the malware was sold.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/lumma-stealer-infostealer-takedown\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Lumma Stealer toppled by globally coordinated takedown\"> <meta property=\"og:description\" content=\"Global law enforcement authorities and Microsoft seized or disrupted the prolific infostealer\u2019s central command infrastructure, malicious domains and marketplaces where the malware was sold.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/lumma-stealer-infostealer-takedown\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-05-21T16:00:00+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1080\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1746040294g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1747327192g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1747161863g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84623\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84623\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Flumma-stealer-infostealer-takedown%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Flumma-stealer-infostealer-takedown%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-84623 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/lumma-stealer-infostealer-takedown\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.9180327868852\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.810572687225\">\n<div class=\"single-article__header-content\" readability=\"35.314350797267\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/lumma-stealer-infostealer-takedown\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Global law enforcement authorities and Microsoft seized or disrupted the prolific infostealer\u2019s central command infrastructure, malicious domains and marketplaces where the malware was sold. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/84623\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown.jpg?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"infected file, information stealer, malware\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"57.310167310167\"><body readability=\"116.69144090146\"><\/p>\n<p>Lumma Stealer, a widely used infostealer malware linked to cybercrime sprees and multiple high-profile attacks, was dismantled through a coordinated global operation meant to seize its core infrastructure.<\/p>\n<p>The infostealer\u2019s central command, malicious domains and marketplaces where the tool was sold to other cybercriminals have been seized or suspended, Steven Masada, assistant general counsel at Microsoft\u2019s Digital Crimes Unit, said in a <a href=\"https:\/\/aka.ms\/DCU-Lumma\">blog post<\/a>. <\/p>\n<p>Acting on a court order granted in the U.S. District Court of the Northern District of Georgia, Microsoft seized and blocked about 2,300 malicious domains that served as the backbone of Lumma Stealer\u2019s infrastructure, Masada said. <\/p>\n<p>The Justice Department was responsible for seizing Lumma Stealer\u2019s central command infrastructure and disrupting marketplaces where it was sold, while Europol\u2019s European Cybercrime Center and Japan\u2019s Cybercrime Control Center worked to suspend locally based infrastructure, according to Microsoft.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Since it first appeared in 2022, Lumma Stealer has established a widespread presence across global networks. The infostealer, which developers continually improved, was used to siphon credentials and other sensitive information via phishing and other means.<\/p>\n<p>The infostealer was one of a few malware-as-a-service outfits linked to <a href=\"https:\/\/cyberscoop.com\/as-many-as-165-companies-potentially-exposed-in-snowflake-related-attacks-mandiant-says\/\">data theft and extortion attacks on Snowflake customers<\/a> last year. Compromised accounts did not have multi-factor authentication access controls enabled. <\/p>\n<p>Lumma was also used in attacks on gaming communities, education systems and critical infrastructure organizations in the manufacturing, telecommunications, logistics, finance and health care sectors.<\/p>\n<p>Microsoft said it identified more than 394,000 Windows computers globally infected by Lumma over a two-month period, ending last week. Researchers at Flashpoint said <a href=\"https:\/\/cyberscoop.com\/infostealers-cybercrime-surged-2024-flashpoint\/\">Lumma Stealer infected 1.8 million hosts or devices<\/a> last year. <\/p>\n<p>Infostealers were used to steal 2.1 billion credentials last year, accounting for nearly two-thirds of 3.2 billion credentials stolen from all organizations, Flashpoint said in a report it released in March.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Microsoft described Lumma as easy to distribute, difficult to detect and programmed to bypass some security defenses. The infostealer is a \u201cgo-to-tool for cybercriminals and online threat actors, including prolific ransomware actors such as Octo Tempest,\u201d which is also known as Scattered Spider, Masada said. <\/p>\n<p>\u201cWorking with law enforcement and industry partners, we have severed communications between the malicious tool and victims,\u201d Masada said. \u201cThis joint action is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream.\u201d<\/p>\n<p>Cybersecurity and tech companies ESET, Bitsight, Lumen, Cloudflare, CleanDNS and GMO Registry assisted with the takedown effort.<\/p>\n<p>Lumma\u2019s primary developer, \u201cShamel,\u201d is based in Russia and offered different tiers of service on Telegram and other Russian-language forums, allowing cybercriminals to create their own versions of the malware, according to Microsoft.<\/p>\n<p>While takedown efforts, especially ones this expansive, significantly hamper cybercrime facilitators to maintain operations, they don\u2019t give up easily. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cAs anticipated, our investigators have already observed the threat actor attempt to rebuild their infrastructure,\u201d a Microsoft spokesperson told CyberScoop. <\/p>\n<p>\u201cHowever, with a court order and because of close coordination with partners, we\u2019re able to immediately dismantle new infrastructure as it is established. Our goal is to make the rebuilding process as challenging as possible for Lumma, ultimately forcing them to cease their efforts entirely,\u201d the spokesperson added.<\/p>\n<p>Masada added that \u201cby severing access to mechanisms cybercriminals use, such as Lumma, we can significantly disrupt the operations of countless malicious actors through a single action. We know cybercriminals are persistent and creative. We, too, must evolve to identify new ways to disrupt malicious activities.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.6367346938776\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-stealer-toppled-by-globally-coordinated-takedown-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/lumma-stealer-infostealer-takedown\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lumma Stealer toppled by globally coordinated takedown | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,338,2145,117,3914,625,2435,46,1],"tags":[286,86,341,2147,119,3918,630,2436,54,325],"class_list":["post-7663","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-department-of-justice-doj","category-europol","category-government","category-infostealers","category-microsoft","category-microsoft-digital-crimes-unit","category-ransomware","category-uncategorized","tag-cybercrime","tag-cybersecurity","tag-department-of-justice-doj","tag-europol","tag-government","tag-infostealers","tag-microsoft","tag-microsoft-digital-crimes-unit","tag-ransomware","tag-uncategorized"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-justice-doj\/\" rel=\"category tag\">Department of Justice (DOJ)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/europol\/\" rel=\"category tag\">Europol<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/infostealers\/\" rel=\"category tag\">infostealers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft-digital-crimes-unit\/\" rel=\"category tag\">Microsoft Digital Crimes Unit<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7663"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7663\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7663,"date":"2025-05-21T11:00:00","date_gmt":"2025-05-21T16:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84623"},"modified":"2025-05-21T11:00:00","modified_gmt":"2025-05-21T16:00:00","slug":"lumma-stealer-toppled-by-globally-coordinated-takedown","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/05\/21\/lumma-stealer-toppled-by-globally-coordinated-takedown\/","title":{"rendered":"Lumma Stealer toppled by globally coordinated takedown"},"content":{"rendered":"