Lumma infostealer infected about 10 million systems before global disruption | CyberScoop<\/title> <meta name=\"description\" content=\"Cybercriminals used the prolific malware to target individuals and businesses, including Fortune 500 companies, according to the FBI.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/lumma-infostealer-widespread-victims\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Lumma infostealer infected about 10 million systems before global disruption\"> <meta property=\"og:description\" content=\"Cybercriminals used the prolific malware to target individuals and businesses, including Fortune 500 companies, according to the FBI.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/lumma-infostealer-widespread-victims\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-05-21T20:22:50+00:00\"> <meta property=\"article:modified_time\" content=\"2025-05-21T20:22:52+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1746040294g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1747327192g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1747161863g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84633\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84633\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Flumma-infostealer-widespread-victims%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Flumma-infostealer-widespread-victims%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-84633 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/lumma-infostealer-widespread-victims\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.9180327868852\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.280487804878\">\n<div class=\"single-article__header-content\" readability=\"36.109452736318\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/lumma-infostealer-widespread-victims\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Cybercriminals used the prolific malware to target individuals and businesses, including Fortune 500 companies, according to the FBI. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/84633\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"A seal reading "Department of Justice Federal Bureau of Investigation" is displayed on the J. Edgar Hoover FBI building in Washington, DC, on August 9, 2022.\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption.webp?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Photo by STEFANI REYNOLDS\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"51.258864452424\"><body readability=\"106.14557124519\"><\/p>\n<p>LummaC2 infected around 10 million devices and systems, allowing for millions of follow-on attacks, before the information-stealing malware operation was <a href=\"https:\/\/cyberscoop.com\/lumma-stealer-infostealer-takedown\/\">dismantled through a coordinated global operation<\/a> this week, Brett Leatherman, the FBI\u2019s deputy assistant director for cyber operations, said during a media briefing Wednesday. <\/p>\n<p>\u201cSince its inception in 2022, LummaC2\u2019s malware-as-a-service platform rose to become the most prolific information stealer for sale in online criminal markets and used by cybercriminals to conduct attacks against millions of innocent victims,\u201d Leatherman said. <\/p>\n<p>The FBI has identified at least 1.7 million instances where LummaC2 was used to steal usernames, passwords, browser extensions, remote connections, system information, cryptocurrency wallets and seed phrases, and data autofill information, including stored credit cards. <\/p>\n<p>The number of victims linked to LummaC2 increased exponentially and so quickly over the past couple years that officials are still digging through evidence to find and attribute more attacks to the infostealer outfit. The FBI estimates the malware platform facilitated $36.5 million in credit card theft alone in 2023.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>LummaC2, also known as Lumma Stealer, targeted individuals and businesses, including Fortune 500 companies, according to Leatherman. Known victims include airlines, universities, banks, insurance providers, hospitals, state governments and internet service providers. <\/p>\n<p>Authorities and cybersecurity firms that aided in the investigation and takedown of LummaC2\u2019s core infrastructure said the infostealer malware infected systems via social engineering, fake or spoofed software, phishing emails, fraudulent links and fake CAPTCHA deliveries.<\/p>\n<p>The Cybersecurity and Infrastructure Security Agency released <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa25-141b\">technical details<\/a> about how LummaC2 malware infects systems and the operations it conducts to steal data. The malware enabled cybercriminals to bypass endpoint detection and response (EDR) tools and antivirus programs that are designed to track and alert users to phishing attempts or drive-by downloads, the agency said.<\/p>\n<p>Researchers at Cloudflare, one of the security firms that assisted the Justice Department, said Lumma\u2019s operators <a href=\"https:\/\/www.cloudflare.com\/threat-intelligence\/research\/report\/cloudflare-participates-in-joint-operation-to-disrupt-lumma-stealer\/\">collected stolen credentials as logs<\/a>, which were then indexed for sale on a marketplace where criminals could search for and buy potentially lucrative credentials.<\/p>\n<p>Scores of companies \u2014 ESET, Microsoft, Bitsight, Lumen, CleanDNS and GMO Registry \u2014 that helped seize and dismantle Lumma\u2019s domains, central command and control and marketplaces where the malware was sold to other cybercriminals lauded the far-reaching success of the disruption operation.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Yet, despite the U.S. government\u2019s quick seizure Wednesday of three new domains LummaC2 administrators set up to host the user panel the day prior, concerns lingers about the cybercriminal group\u2019s ability to regroup and continue operations.<\/p>\n<p>\u201cWhen we conduct these technical operations, they\u2019re not always permanent,\u201d Leatherman said. <\/p>\n<p>\u201cWe may not eradicate the threat. That\u2019s yet to be seen in any technical operation, but any period of downtime to the actors brings relief to victims, and that\u2019s what we\u2019re looking to do here,\u201d he added. <\/p>\n<p>There\u2019s no guarantee Lumma\u2019s operators won\u2019t reconstitute, but coordinated disruption efforts will continue to target and hinder the group\u2019s technical operation, including its access, capacity and capability to impact more victims, Leatherman said. <\/p>\n<p>\u201cThis is part of a greater law enforcement investigation into the group, and we hope that this will also fracture trust within the ecosystem itself,\u201d he said. \u201cThere\u2019s a financial cost to them being down, but there\u2019s also a reputational cost as well, and we think that everybody operating in this environment should understand that.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.1901785714286\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/05\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/lumma-infostealer-widespread-victims\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lumma infostealer infected about 10 million systems before global disruption<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,452,338,669,117,3914,3162,168],"tags":[286,86,454,341,671,119,3918,3167,169],"class_list":["post-7665","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-justice-doj","category-federal-bureau-of-investigation-fbi","category-government","category-infostealers","category-law-enforcement","category-malware","tag-cybercrime","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-justice-doj","tag-federal-bureau-of-investigation-fbi","tag-government","tag-infostealers","tag-law-enforcement","tag-malware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-justice-doj\/\" rel=\"category tag\">Department of Justice (DOJ)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/federal-bureau-of-investigation-fbi\/\" rel=\"category tag\">Federal Bureau of Investigation (FBI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/infostealers\/\" rel=\"category tag\">infostealers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/law-enforcement\/\" rel=\"category tag\">law enforcement<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a>","tag_info":"Malware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7665"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7665\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7665,"date":"2025-05-21T15:22:50","date_gmt":"2025-05-21T20:22:50","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84633"},"modified":"2025-05-21T15:22:50","modified_gmt":"2025-05-21T20:22:50","slug":"lumma-infostealer-infected-about-10-million-systems-before-global-disruption","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/05\/21\/lumma-infostealer-infected-about-10-million-systems-before-global-disruption\/","title":{"rendered":"Lumma infostealer infected about 10 million systems before global disruption"},"content":{"rendered":"