Lumma Stealer Infrastructure Behind Global Attacks on Millions of Users Dismantled
The U.S. Justice Department, in collaboration with the FBI and private sector partners like Microsoft, has announced the disruption of the Lumma Stealer (also known as LummaC2) malware infrastructure.
This global operation targeted the notorious Malware-as-a-Service (MaaS) platform, which has been linked to over 1.7 million instances of data theft worldwide.
The unsealing of two warrants enabled the seizure of five critical internet domains used as user panels for deploying Lumma Stealer, a prolific infostealer malware designed to harvest sensitive information such as login credentials, browser data, autofill details, and cryptocurrency seed phrases.
This action, coupled with Microsoft’s independent civil suit to take down an additional 2,300 related domains, marks a decisive step in curbing one of the most active cyber threats in recent years.

Justice Department Disrupts a Major Cybercrime Network
The operation, detailed in court documents and affidavits, revealed the sophisticated nature of Lumma Stealer’s ecosystem.
Operated through a subscription-based model with tiers ranging from $250 to $1,000 per month, the platform provided affiliates with access to regularly updated malware builds and a shared exfiltration network.
The seized domains functioned as login portals for user panels, enabling cybercriminals to manage and deploy the malware, which targeted email, banking, and cryptocurrency services.
On May 19, 2025, the government seized two primary domains, prompting LummaC2 administrators to set up three replacement domains the following day.
However, these were also swiftly seized on May 21, 2025, severely disrupting the malware’s operational infrastructure.
Visitors to these sites now encounter a Justice Department notice confirming the seizure, effectively halting further malicious activity through these channels.
Infostealer Malware Operations
ESET, a key partner in this disruption, provided extensive technical analysis by processing tens of thousands of Lumma Stealer samples to extract critical data such as Command-and-Control (C&C) server domains and affiliate identifiers.
Their telemetry highlighted the malware’s global reach, with detections in every region of the world since July 2024.
Lumma Stealer’s infrastructure relied heavily on Cloudflare services to obscure its C&C servers, alongside dead-drop resolvers on platforms like Steam and Telegram for backup communication.

Over successive builds the malware added ChaCha20 encryption to protect its C&C list and dynamic configuration, alongside obfuscation techniques such as indirect control-flow flattening and encrypted stack strings to hinder static analysis and evade detection.
This operation not only dismantled key components of the exfiltration network but also underscored the persistent threat of infostealers as precursors to more devastating attacks like ransomware, where stolen credentials are sold to other threat actors.
According to the report, statements from Justice Department officials emphasized their commitment to leveraging unique tools and partnerships to combat cybersecurity threats.
Sue J. Bai, head of the National Security Division, praised the collaborative effort, while Matthew R. Galeotti of the Criminal Division highlighted the malware’s role in enabling crimes like fraudulent bank transfers.
The FBI’s Bryan Vorndran reiterated their focus on disrupting critical cybercriminal services.
Additionally, the U.S. Department of State’s Rewards for Justice program offers up to $10 million for information on foreign government-linked cyber actors targeting U.S. critical infrastructure, reinforcing the global scope of this fight against cybercrime.
Indicators of Compromise (IoCs)
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 6F94CFAABB19491F2B8E719D74AD032D4BEB3F29 | AcroRd32.exe | Win32/Spy.LummaStealer.B | Lumma Stealer sample – Build 2024-06-27 |
| C5D3278284666863D7587F1B31B06F407C592AC4 | Notion.exe | Win32/Spy.LummaStealer.B | Lumma Stealer sample – Build 2024-07-14 |