Key Findings:

• The takedown achieved a significant disruption to Lumma infostealers’ infrastructure, but likely didn’t permanently affect most of its Russia-hosted infrastructure.
  • Lumma’s developers are undertaking significant efforts to reinstate the activity and to conduct business as usual.
  • There seems to be a significant reputational damage to the Lumma infostealer, and the key factor for the infostealer to resume regular activity will be the reputational factors (rather than the technological).

On May 21, 2025, Europol, FBI, and Microsoft, in collaboration with other public and private sector partners, announced an operation to dismantle the activity of the Lumma infostealer. The malware, considered to be one of the most prolific infostealers, is distributed through a malware-as-a-service model. In addition to its use by common cyber criminals for stealing credentials, Lumma was observed to be part of the arsenal of several prominent threat actor groups, including Scattered Spider, Angry Likho, and CoralRaider.
The Takedown on the Dark Web

According to the reports, the takedown operation began on May 15. On that day, Lumma customers flooded dark web forums that advertise the stealer, complaining they were unable to access the malware’s command and control (C2) servers and management dashboards.

Hackers are distributing close to 1,000 web pages mimicking Reddit and the WeTransfer file sharing service that lead to downloading the Lumma Stealer malware.

A large-scale malvertising campaign distributed the Lumma Stealer info-stealing malware through fake CAPTCHA verification pages that prompt users to run PowerShell commands to verify they are not a bot.

Cybersecurity experts uncover the infamous Lummac Stealer malware, disguised as an OnlyFans "Checker" tool, targeting hackers.

Ontinue Cyber Defenders have observed an uptick in activities related to the LummaC2 infostealer being used as a Malware-as-a-Service.

Sonatype's automated malware detection systems identified a malicious PyPI package called crytic-compilers, connected to Russia-linked Lumma Windows stealer, and named very closely after a well-known legitimate Python library that is used by cryptocurrency developers.

Beware of YouTube videos offering cracked software! They might be a gateway to the Lumma malware, stealing your sensitive information

The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox.