Марія Бровінська, Hot News
22 May 2025, 08:46
Microsoft has taken down the world's largest infostealer. The Lumma Stealer project was created by a Russian IT worker: details of the operation
Europol’s European Cybercrime Center, together with Microsoft, has shut down Lumma Stealer («Lumma»), the world’s largest data theft threat. Here are the details.
This joint operation was directed against a complex ecosystem that allowed criminals to massively exploit stolen information.
Between March 16 and May 16, 2025, Microsoft detected over 394,000 Windows computers worldwide infected with the Lumma malware.
This week, in a coordinated follow-up operation, Microsoft’s Digital Crime Unit (DCU), Europol, European and Japanese law enforcement agencies, as well as ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry took over Lumma’s technical infrastructure, cutting off communication between the malicious tool and its victims. In addition, more than 1,300 domains that were seized or transferred to Microsoft will be redirected to Microsoft’s dedicated servers, which allow Microsoft to securely intercept requests from infected systems, obtain technical information about the attacks, and identify the types of data stolen.
Microsoft warns that Lumma may be relaunched under a new name, or that another infostealer may take its place.
What is Lumma?
Lumma, the world’s largest data stealer, was a sophisticated tool that allowed cybercriminals to harvest sensitive data from compromised devices en masse. The stolen credentials, financial data, and personal information were collected and sold through a dedicated marketplace, making Lumma a central tool for identity theft and fraud worldwide.
The Lumma Marketplace operated as a hub for buying and selling malware, giving criminals convenient access to advanced data-stealing capabilities. Its widespread use and accessibility made it a top choice for cybercriminals looking to exploit personal and financial data.
Russian roots
Lumma’s developer is a Russian who goes by the pseudonym Shamel. In November 2023, in an interview with researcher «g0njxa», Shamel reported that he had about 400 active customers. He created an entire Lumma brand, with a logo in the form of a bird, symbolizing «peace and ease», and the slogan: «With us it is easy to earn money.»
According to Steven Masada, deputy general counsel of Microsoft’s Digital Crimes Division, Lumma was a typical example of Malware-as-a-Service. Since 2022, it has been sold through underground Russian-language forums, as well as through Telegram. Buyers could customize their own versions: change the configuration, encrypt the code, and track the collected data through a convenient admin panel. Lumma disguised itself as legitimate services, in particular Booking.com, and spread through phishing emails and advertisements with embedded malicious code.
Researchers at Cato Networks said in a report published Wednesday that Lumma played a role in a February campaign that used Tigris and Oracle object storage services to host malicious websites.
«Attackers love credential theft because it allows them to target less secure personal devices that store corporate credentials and tokens,» said Christopher Russo, principal threat researcher at Palo Alto Networks’ Unit 42. «Primary access brokering is big business, allowing attackers to harvest credentials on a large scale with minimal risk.»
Lumma has also been linked to the notorious cybercrime group Scattered Spider.