In a major international operation, law enforcement and cybersecurity experts have taken down the infrastructure behind Lumma Stealer, one of the world’s most active malware networks. The U.S. Department of Justice, in partnership with Microsoft and other cybersecurity firms, announced the seizure of around 2,300 internet domains linked to this cybercrime operation.
Lumma Stealer, also called LummaC2, has been used to steal personal data from millions of users worldwide. The malware targeted sensitive information such as login credentials, cryptocurrency wallet details, and banking data.
FBI investigations revealed that Lumma Stealer had been deployed in at least 1.7 million attacks. Stolen information was sold on underground markets, fueling other cybercrimes.
Subscription-Based Malware Service
According to court documents, Lumma Stealer operated on a subscription model. Hackers could pay between $250 and $1,000 per month to access the malware and its features. Higher-tier subscriptions offered more advanced tools, better ways to hide activity, and early access to new functions.
Broad Collaboration Led to Seizure
The operation was made possible by the collaboration of several organizations, including ESET, BitSight, Lumen, Cloudflare, CleanDNS, GMO Registry, and Microsoft. The Justice Department seized five key domains that acted as control panels for Lumma Stealer, cutting off access to the malware’s core systems.
In parallel, Microsoft filed a civil suit to take control of the wider network of 2,300 domains. These domains had been used to manage the spread of Lumma Stealer and to maintain its infrastructure.
“The Department will continue to use its tools and partnerships to stop malicious cyber operations,” said Sue J. Bai of the Justice Department’s National Security Division.
Technical Sophistication and Global Reach
ESET researchers noted that Lumma Stealer used advanced encryption methods to hide its operations. Until January 2025, it used XOR encryption combined with base64 encoding. In early 2025, it upgraded to ChaCha20 encryption, making detection even harder.
The malware also used backup systems. If its main command servers were offline, it could get new instructions through Steam profile names or Telegram channel titles. Those names and titles were disguised using a simple Caesar cipher (ROT11), making the fallback infrastructure difficult to trace.
This redundancy allowed Lumma Stealer to continue operating even when parts of its network were shut down.
Impact on Cybercrime
The takedown is seen as a major win in the fight against cybercrime. Lumma Stealer was often the first tool used in larger cyberattacks. Its reach was truly global, with activity recorded in every region.
“We targeted the most popular infostealer service on the dark web,” said FBI Assistant Director Bryan Vorndran. “Thanks to strong public-private cooperation, we disrupted the LummaC2 infrastructure and made it harder for criminals to do harm.”