
Lumma Malware Network Taken Down By Global Forces, Cutting Off Crypto Thefts


On May 19 and 20, global law enforcement agencies and private firms worked together to shut down the command-and-control backbone of a data-stealing malware known as Lumma (also called LummaC or LummaC2). 

Over these two days, authorities seized 2,300 domains that cybercriminals used to control infected Windows systems and harvest sensitive information.

Scope of Lumma’s Operation

Lumma Stealer has been active since late 2022. It is designed to pilfer credentials, browser data, autofill information, and cryptocurrency seed phrases from victims. 

The U.S. DoJ estimates that the malware has been used in at least 1.7 million attacks. The FBI attributes roughly 10 million infections worldwide to Lumma. 

Criminal affiliates deployed the malware on millions of computers, enabling a wide range of digital thefts, including fraudulent bank transfers and crypto heists.

Law Enforcement Coordination

The coordinated effort involved the U.S. DoJ, the Federal Bureau of Investigation, Europol, Japan’s Cybercrime Control Centre, and several private sector partners. 

By pooling resources and information, these groups were able to identify and seize the vast network of domains that Lumma operators relied upon. According to the DoJ, removing this infrastructure will disrupt ongoing attacks and hinder future operations.

Microsoft’s Role

Microsoft’s Digital Crimes Unit (DCU) played a critical role. The company filed a legal action last week after detecting nearly 400,000 Windows PCs infected with Lumma in just two months. 

Microsoft traced the malware to servers hosting the stolen data and, with a court order from the U.S. District Court for the Northern District of Georgia, helped suspend and block malicious domains. 

The DCU’s technical analysis revealed that Lumma could also install additional malware on victim machines, further jeopardising user security.


Domain Seizures and Quick Response

Authorities first seized two key domains on May 19. In response, Lumma operators registered three new domains on May 20. The next day, law enforcement moved swiftly to seize those as well.

Anyone attempting to visit these sites now sees a notice from the DoJ explaining the domain seizure. By striking quickly, officials prevented criminals from reestablishing their command-and-control channels.

Impact on Victims and Future Risks

Millions of users around the world were at risk of having their personal and financial data stolen. With Lumma’s infrastructure disabled, infected systems can no longer communicate with the servers that collect their data. 

However, researchers warn that cybercriminals may try to rebuild their networks or switch to other malware strains. The takedown will provide temporary relief, but ongoing vigilance is needed to protect users from similar threats.

This operation highlights the importance of public-private cooperation in combating cybercrime.
