May 22, 2025

Microsoft leads effort to shut down Lumma malware targeting Windows users


Microsoft has announced an international effort that successfully dismantled the Lumma Stealer malware network, which had infected nearly 394,000 Windows computers worldwide between March 16 and May 16, 2025. This operation was carried out through close collaboration between Microsoft, global law enforcement agencies, judicial authorities, and several technology companies.

Lumma Stealer had become a widely used tool among cybercriminals, prized for its ability to steal a wide array of sensitive information including passwords, credit card details, bank account credentials, and cryptocurrency wallet data.

Microsoft’s Digital Crimes Unit (DCU) described the malware as a “go-to tool for cybercriminals and online threat actors,” noting its ease of distribution and capability to bypass certain security defences. Since its emergence in underground forums in 2022, Lumma’s developers continuously improved its features, making it increasingly difficult to detect and remove.

The takedown was initiated after Microsoft’s DCU obtained a court order from the U.S. District Court for the Northern District of Georgia, allowing the seizure of approximately 2,300 domains that supported Lumma’s command and control infrastructure. Following this, the U.S. Department of Justice took control of the malware’s central servers, effectively disabling the command network used by hackers to manage infected devices.

Europol assisted in the action by supporting the seizure of around 300 domains, while Japan’s Cybercrime Control Centre helped suspend Lumma infrastructure hosted locally. Technology companies including Cloudflare, Bitsight, and Lumen also contributed technical expertise to dismantle the malware’s ecosystem.

More than 1,300 domains associated with Lumma have been redirected to Microsoft-operated “sinkholes”—servers designed to intercept malicious traffic—effectively severing communication between infected computers and the attackers’ control servers. This measure disrupts the malware’s ability to function and limits further victimisation. It does not, however, remove the stealer from machines that are already infected, and credentials exfiltrated before the takedown remain in the attackers’ hands; affected users still need to clean infected systems and rotate any passwords, banking and wallet credentials stored on them.
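Sinkholing also gives defenders a useful signal: a host that keeps resolving a sinkholed domain is still running the implant. The following script is an added example, not code from Microsoft or from the article, and it makes no claim about real Lumma infrastructure. It scans constructed, BIND-style resolver log lines against a constructed list of placeholder sinkholed domains (`example-c2-one.test`, `example-c2-two.test`, both hypothetical) and reports which internal clients are still beaconing, including lookups of subdomains of a seized domain.

```python
"""
Find internal hosts still beaconing to sinkholed C2 domains by scanning
DNS resolver logs. All domains and log lines below are constructed for
this example and are not Lumma indicators.
"""
from collections import defaultdict
import re

# Hypothetical domains that a takedown has redirected to a sinkhole.
# Constructed for this example; not real Lumma domains.
SINKHOLED_DOMAINS = {
    "example-c2-one.test",
    "example-c2-two.test",
}

# Constructed resolver log lines in a BIND-style query-log layout:
# "<timestamp> client <ip>#<port>: query: <qname> IN <qtype>"
SAMPLE_DNS_LOG = """\
2025-05-22T10:01:03Z client 10.0.4.17#51234: query: example-c2-one.test IN A
2025-05-22T10:01:04Z client 10.0.4.17#51236: query: www.microsoft.com IN A
2025-05-22T10:03:40Z client 10.0.9.2#40211: query: cdn.example-c2-two.test IN A
2025-05-22T10:05:12Z client 10.0.4.17#51301: query: example-c2-one.test IN A
2025-05-22T10:06:00Z client 10.0.7.55#39917: query: updates.vendor.test IN AAAA
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def matches_sinkholed(qname, sinkholed=SINKHOLED_DOMAINS):
    """True if qname is a sinkholed domain or a subdomain of one.

    Normalises case and a trailing dot, and requires a label boundary so
    that 'notexample-c2-one.test' does not match 'example-c2-one.test'.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in sinkholed)


def find_beaconing_hosts(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Return {client_ip: [(timestamp, qname), ...]} for lookups of sinkholed domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        if matches_sinkholed(m["qname"], sinkholed):
            hits[m["ip"]].append((m["ts"], m["qname"].rstrip(".").lower()))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in sorted(find_beaconing_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {len(events)} lookup(s) of sinkholed domains; "
              "implant still present, isolate and reimage")
        for ts, qname in events:
            print(f"  {ts} {qname}")
```

Run against the embedded sample, it flags 10.0.4.17 (two lookups) and 10.0.9.2 (a subdomain lookup) and ignores the legitimate queries. In practice the domain list would come from the takedown's published indicators and the log text from your resolver, and a hit is a trigger to isolate the host and rotate every credential it held.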

Lumma has been involved in numerous cybercriminal campaigns. Microsoft highlighted a March 2025 phishing attack in which criminals impersonated Booking.com to deceive victims into revealing their credentials and financial information. The stolen data was then exploited for fraudulent purposes. Beyond phishing, Lumma has been used to target online gaming communities, educational institutions, manufacturing, logistics, healthcare, and other critical infrastructure sectors. Cybersecurity experts warn that such attacks can cause substantial financial losses and operational disruptions.

Lumma belongs to a growing class of “stealer” malware that has become increasingly prevalent due to its profitability for cybercriminals. These tools are often sold or rented on darknet marketplaces, enabling even less technically skilled attackers to launch sophisticated data theft campaigns. Reports from cybersecurity firms such as Kaspersky and Trend Micro indicate that stealer malware variants have been responsible for a large share of data breaches and credential theft incidents in recent years.
