
Global Takedown Disrupts LummaC2 Information-Stealing Malware Operation

Coordinated effort by Microsoft, DOJ, and international partners dismantles infrastructure behind malware that infected nearly 400,000 computers worldwide

Microsoft's Digital Crimes Unit and the U.S. Department of Justice have successfully disrupted LummaC2 (also known as Lumma Stealer), one of the most prolific information-stealing malware services targeting millions of users globally. 

The operation resulted in the seizure of approximately 2,300 malicious domains that formed the backbone of Lumma's infrastructure. Microsoft's court-authorised action in the Northern District of Georgia was complemented by the DOJ's simultaneous seizure of five critical domains that served as command centres for the malware operation. 

International partners, including Europol's European Cybercrime Centre and Japan's Cybercrime Control Centre, facilitated the suspension of locally based infrastructure.

Between March and May 2025, Microsoft identified over 394,000 Windows computers globally infected by the malware. "The FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information," according to court documents filed by the Justice Department.

LummaC2 operates as a Malware-as-a-Service platform, marketed through underground forums since at least 2022. The service specifically targets sensitive data, including passwords, credit card information, bank account details, cryptocurrency wallets, and browser autofill data. 

This stolen information enables criminals to commit financial fraud, launch ransomware attacks, and disrupt critical services across sectors, including manufacturing, telecommunications, healthcare, and education.

The malware's sophistication lies in its distribution methods, which include spear-phishing campaigns and malvertising that impersonate trusted brands like Microsoft and Booking.com. 

In March 2025, Microsoft Threat Intelligence identified a phishing campaign mimicking the travel booking platform that deployed multiple credential-stealing tools, including Lumma, to facilitate financial theft.

The operation's primary target, known by the alias "Shamel," operates from Russia and has built what cybersecurity experts describe as a criminal enterprise complete with branding, tiered service offerings, and customer support. In a 2023 interview, Shamel claimed to have "about 400 active clients," demonstrating the malware's widespread adoption among cybercriminals.

"Today's disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country," stated Sue J. Bai, head of the Justice Department's National Security Division.

The seized domains will now be redirected to Microsoft sinkholes, allowing the company to gather intelligence on victim machines and continue protecting users. Organisations can protect themselves by implementing multi-factor authentication, maintaining updated anti-malware software, exercising caution with email attachments and links, and treating any confirmed stealer infection as a credential compromise, rotating passwords saved on the affected machine.

This collaborative effort between government agencies and private sector partners demonstrates the evolving approach to combating sophisticated cyber threats that operate across international boundaries.
