Microsoft’s Digital Crimes Unit (DCU) on Wednesday announced an international operation to disrupt Lumma Stealer, a variant of infostealing malware that is popular with criminal gangs and other threat actors worldwide.
Hackers have used Lumma to steal passwords, credit cards, bank account information and cryptocurrency wallets in major attack campaigns in recent years, Steven Masada, assistant general counsel at Microsoft’s DCU, said in a blog post.
Between March 16 and May 16, Microsoft identified more than 394,000 Windows computers infected with Lumma. After obtaining a court order from the U.S. District Court for the Northern District of Georgia, Microsoft seized 2,300 domains that formed the backbone of Lumma’s infrastructure. The U.S. Department of Justice also seized Lumma’s central command structure and disrupted online marketplaces that sold Lumma.
“As we note in our blog, Lumma is easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses, making it a go-to tool for cybercriminals and online threat actors,” a Microsoft spokesperson told Cybersecurity Dive. “It is used by cybercriminals as an efficiency tool to gain initial access to accounts or sensitive information so that they can facilitate other types of cybercrime like ransomware and fraud.”
Officials said the main developer of Lumma is based in Russia and operates under the online name “Shamel.”
Lumma has played a role in some of the biggest infostealing operations in recent years. Microsoft in March observed Lumma being used in the attacks on Booking.com.
Lumma has also been linked to the notorious cybercrime gang Scattered Spider.
Cato Networks researchers said in a report published Wednesday that Lumma played a role in a February campaign that used Tigris and Oracle’s object storage services to host malicious websites.
“Threat actors love infostealers because [they allow] them to target less secure personal devices that have corporate credentials and tokens saved and cached,” said Kristopher Russo, principal threat researcher at Palo Alto Networks’ Unit 42. “Initial access brokering is big business and allows threat actors to harvest credentials at scale with minimal risk.”