Europol’s European Cybercrime Centre (EC3), in collaboration with Microsoft and law enforcement agencies across multiple countries, has dismantled the technical infrastructure behind Lumma Stealer (“Lumma”), a widely deployed information-stealing malware.
Lumma has been used by cybercriminals targeting sensitive personal and financial data on a massive scale. Sold as Malware-as-a-Service (MaaS) since 2022, Lumma enabled its customers to steal credentials, credit card information, bank account details, and cryptocurrency wallets.
Between 16 March and 16 May 2025, Microsoft identified over 394,000 Windows computers infected with the Lumma malware globally. A coordinated takedown operation launched by Microsoft’s Digital Crimes Unit (DCU), Europol, and international partners severed communication lines between infected devices and Lumma’s command-and-control servers.
In total, over 2,300 malicious domains were seized or blocked, including 1,300 domains redirected to Microsoft-controlled “sinkholes” that prevent further malware activity. Notably, 300 of these domains were actioned directly by law enforcement with Europol’s support.
In parallel, the US Department of Justice (DOJ) dismantled the malware’s central command systems and took action against online marketplaces that trafficked in the tool.
Japan’s Cybercrime Control Center (JC3) and Europol helped take down infrastructure located in their jurisdictions. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory highlighting tactics, techniques, and indicators of compromise (IOCs) used by Lumma operators, helping defenders and institutions worldwide to strengthen their defenses.