Cyberveille, curated by Decio
Lumma Infostealer – Down but Not Out? https://blog.checkpoint.com/security/lumma-infostealer-down-but-not-out/
02/06/2025 09:55:27

Key Findings:

  • The takedown achieved a significant disruption to the Lumma infostealer’s infrastructure, but likely didn’t permanently affect most of its Russia-hosted infrastructure.
  • Lumma’s developers are undertaking significant efforts to reinstate the activity and to conduct business as usual.
  • There seems to be significant reputational damage to the Lumma infostealer, and the key factor for the infostealer to resume regular activity will be reputational (rather than technological).

On May 21, 2025, Europol, FBI, and Microsoft, in collaboration with other public and private sector partners, announced an operation to dismantle the activity of the Lumma infostealer. The malware, considered to be one of the most prolific infostealers, is distributed through a malware-as-a-service model. In addition to its use by common cyber criminals for stealing credentials, Lumma was observed to be part of the arsenal of several prominent threat actor groups, including Scattered Spider, Angry Likho, and CoralRaider.

The Takedown on the Dark Web

According to the reports, the takedown operation began on May 15. On that day, Lumma customers flooded dark web forums that advertise the stealer, complaining they were unable to access the malware’s command and control (C2) servers and management dashboards.

checkpoint.com EN 2025 Lumma Infostealer