Global Crackdown Halts Lumma Malware Operation

Lumma Malware Network Disrupted

A major cybersecurity milestone was reached in May 2025 when global tech firms and law enforcement agencies dismantled the Lumma malware network. Microsoft led the operation, seizing over 2,300 domains linked to Lumma’s infrastructure, following a legal offensive launched on May 13. The malware’s core systems were also shut down, severely disrupting its functionality.

This joint effort involved the U.S. Department of Justice, Europol’s EC3, and Japan’s JC3, all working in coordination. The DOJ successfully dismantled Lumma’s control panel, while European and Japanese infrastructure nodes were deactivated with local support.

Cloudflare confirmed that Lumma had abused its services to hide the IP addresses of the servers used for data theft. In response, Cloudflare blocked further exfiltration attempts through its network and integrated additional countermeasures into its systems.

Malware’s Impact and Response Strategy

Between March and May 2025, over 394,000 Windows devices were reportedly infected with Lumma. Microsoft, alongside key partners, managed to cut communication between the malware and compromised systems. This not only hindered data theft but also imposed financial costs on its operators.

Key contributors included cybersecurity firms such as ESET, CleanDNS, and Bitsight, alongside Lumen and legal experts from Orrick. The coordinated actions targeted the infrastructure Lumma relied on to distribute and monetize stolen information.

Understanding Lumma Malware

Lumma, also known as LummaC2, operates under a malware-as-a-service model. It is available for subscription fees ranging from $250 to $1,000. It targets both Windows and macOS platforms, offering tools to steal browser data, login credentials, crypto wallets, and stored payment information.

Distribution techniques include malicious ads, GitHub spam, and fake AI content platforms. After infiltration, the malware extracts and archives sensitive data, transmitting it to attacker-controlled servers.

Originally surfacing in December 2022, Lumma quickly became a favorite in underground forums. According to IBM X-Force, infostealer-based breaches have surged, with a 12% year-over-year increase in dark web credential sales.

Wider Threat Landscape and Future Prevention

Lumma has been behind breaches at PowerSchool, HotTopic, and Snowflake, among others. Data stolen by Lumma has not only been sold but also used to tamper with network infrastructure, as in the high-profile incident in which routing data at Orange Spain was misconfigured.

In light of these risks, the FBI and CISA have published a joint advisory. It includes threat detection guidance and known attack methods tied to Lumma deployments.
