Lumma Stealer Malware-as-a-Service operation disrupted

A coordinated action by US, European and Japanese authorities and tech companies like Microsoft and Cloudflare has disrupted the infrastructure behind Lumma Stealer, the most significant infostealer threat at the moment.

What is Lumma Stealer?

Lumma Stealer is a Malware-as-a-Service (MaaS) offering beloved by a wide variety of threat actors.

The malware is able to steal credentials, financial data, and personal information, which is then sold through a dedicated marketplace. It’s also able to deliver additional malicious payloads.

It is usually delivered to victims via malvertising and fake/deceptive downloads.

“The primary developer of Lumma is based in Russia and goes by the internet alias ‘Shamel.’ Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums. Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal,” explained Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit.

“In an interview with cybersecurity researcher ‘g0njxa’ in November 2023, Shamel shared that he had ‘about 400 active clients.’”

Between March 16, 2025, and May 16, 2025, Microsoft identified 394,000+ Windows computers around the world that have been infected by the malware.

Down, but surely not out

Lumma Stealer infections across Windows devices (Source: Microsoft DCU)

During this operation, more than 1,300 domains were seized or sinkholed by Microsoft.

“In a coordinated move, the United States Department of Justice (DOJ) seized the Lumma control panel, which was critical to the Lumma marketplace,” Europol noted.

Lumma Stealer also abused a feature of Cloudflare’s infrastructure that hides Cloudflare’s customers’ origin IP addresses from website visitors, a feature intended to make DDoS and other attacks against those customers more difficult. The Lumma operators used it to hide the origin IP address of the server on which they collected the files and credentials stolen by the malware.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it,” Cloudforce’s threat operations and research team explained.

This new interstitial warning page was put in front of the malicious actors’ command and control server domains and Lumma’s Marketplace domains.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudforce said, and offered advice on how enterprises can layer defenses to defend themselves against Lumma Stealer and other infostealers.

The organizations involved in the joint action include the US DoJ, Europol, Japan’s Cybercrime Control Center (which helped suspend Lumma infrastructure in Japan), Microsoft’s Digital Crimes Unit, Cloudflare, Lumen Technologies, Bitsight, ESET, CleanDNS, GMO Registry, and Orrick.
