Cybersecurity Giants and Global Authorities Join Forces to Dismantle Lumma Malware-as-a-Service Network
In a sweeping global crackdown, Microsoft, working with other technology companies and law enforcement agencies, has struck a major blow against the Lumma malware-as-a-service (MaaS) operation. In coordinated actions across multiple countries, more than 2,300 malicious domains were seized, crippling a large portion of Lumma's infrastructure and imposing a severe financial and operational cost on the threat actors behind it.
Lumma, also known as LummaC2, is a potent information-stealing malware rented on underground forums for up to $1,000 per subscription. It is built to harvest sensitive data from infected systems, including login credentials, credit card details and cryptocurrency wallet information. Its popularity among cybercriminals soared over the past year because of its capabilities and its distribution through deceptive methods such as spoofed websites and malvertising.
The offensive against Lumma marks a significant milestone in the global fight against cybercrime, showcasing what’s possible when private cybersecurity firms and government agencies work together to target and eliminate digital threats at scale.
Global Cyber Crackdown on Lumma Malware: What Happened
In May 2025, a powerful joint action dismantled a large part of the Lumma malware-as-a-service infrastructure. This cybercriminal service, infamous for stealing sensitive information from both individuals and businesses, faced a decisive disruption led by Microsoft, Cloudflare, and various global partners.
The action began with Microsoft seizing 2,300 domains linked to Lumma after obtaining a court order. At the same time, the U.S. Department of Justice took control of Lumma's central control panel and the illicit marketplaces where the malware was rented out. Europol's EC3 and Japan's JC3 played key roles in shutting down the infrastructure hosted in Europe and Japan.
Microsoft reported that from March to May 2025 it identified more than 394,000 infected Windows devices worldwide. The coordinated action severed communication between those infected devices and the malware's command-and-control systems, so the stealer could no longer report in or receive instructions. Cloudflare, one of the tech firms involved, disclosed that Lumma had abused its services to hide the real IP addresses of its servers and to sit behind its security layers. Despite repeated account suspensions, the operators adapted and found ways past Cloudflare's interstitial warning pages; Cloudflare responded by placing its Turnstile challenge in front of those pages to block further bypasses.
The malware's core function is harvesting data from Chromium-based browsers such as Chrome and Edge, and also from Firefox. It scrapes saved credentials, cookies, browsing history and financial data, packages the loot into encrypted archives and transmits it to criminal-controlled servers. Once received, the data is either sold on dark web marketplaces or used directly for targeted attacks.
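As an added example (not code from the original report, from Microsoft or from any vendor), the heuristic below shows what a defender can do with the behaviour described above: it scans endpoint telemetry for a process that reads the saved-login, cookie or history stores of a browser it does not own and then opens an outbound connection shortly afterwards, which is the read-then-exfiltrate pattern of an infostealer. The telemetry format, the process names, the profile paths and the 203.0.113.45 destination are constructed assumptions for the example; none of them are Lumma indicators. It covers both browser families named in the text: Chromium-style `User Data` profiles and Firefox `Profiles` directories.

```python
"""Heuristic detection of infostealer-style browser credential theft.

Constructed example: the telemetry format, process names, paths and the
203.0.113.45 destination are assumptions for illustration, not Lumma IOCs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Files an infostealer reads to harvest saved logins, cookies and history.
# Chromium-family browsers keep them under ".../User Data/<Profile>/",
# Firefox under ".../Profiles/<name>.default-release/".
CHROMIUM_STORES = {"Login Data", "Cookies", "Web Data", "History"}
FIREFOX_STORES = {"logins.json", "key4.db", "cookies.sqlite"}

# Processes that legitimately own those files (assumed image names).
OWNERS = {
    "chromium": {"chrome.exe", "msedge.exe", "brave.exe"},
    "firefox": {"firefox.exe"},
}

# An outbound connection this soon after the reads is treated as exfiltration.
EXFIL_WINDOW = timedelta(minutes=5)


def classify_store(path):
    """Return 'chromium', 'firefox' or None for a file path."""
    norm = path.replace("\\", "/")
    name = norm.rsplit("/", 1)[-1]
    if name in CHROMIUM_STORES and "/User Data/" in norm:
        return "chromium"
    if name in FIREFOX_STORES and "/Profiles/" in norm:
        return "firefox"
    return None


def parse_line(line):
    """Parse one tab-separated record of the constructed telemetry format:
    timestamp, pid, process image, event type (file_read|net_connect), target."""
    ts, pid, proc, event, target = line.rstrip("\n").split("\t", 4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "pid": int(pid),
        "proc": proc.lower(),
        "event": event,
        "target": target,
    }


def detect(lines):
    """Flag processes that read browser credential stores they do not own and
    then open an outbound connection within EXFIL_WINDOW of the first read."""
    by_pid = defaultdict(list)
    for rec in map(parse_line, lines):
        by_pid[rec["pid"]].append(rec)

    alerts = []
    for pid, events in by_pid.items():
        events.sort(key=lambda r: r["ts"])
        first_read, stores = None, []
        for rec in events:
            if rec["event"] == "file_read":
                family = classify_store(rec["target"])
                if family and rec["proc"] not in OWNERS[family]:
                    if first_read is None:
                        first_read = rec["ts"]
                    stores.append(rec["target"])
            elif rec["event"] == "net_connect" and first_read is not None:
                if rec["ts"] - first_read <= EXFIL_WINDOW:
                    alerts.append({"pid": pid, "proc": rec["proc"],
                                   "stores": stores, "destination": rec["target"]})
                    break  # one alert per process is enough
    return alerts


def _rec(ts, pid, proc, event, target):
    return "\t".join([ts, str(pid), proc, event, target])


CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
EDGE = r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default"
FFOX = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x1.default-release"

# Constructed telemetry: the browsers reading their own stores, a backup tool
# reading History with no network activity, an indexer whose connection falls
# outside the window, and one process that reads everything and phones home.
SAMPLE_LOG = [
    _rec("2025-05-13T10:00:02Z", 1120, "chrome.exe", "file_read", CHROME + r"\Login Data"),
    _rec("2025-05-13T10:00:03Z", 1120, "chrome.exe", "net_connect", "198.51.100.10:443"),
    _rec("2025-05-13T10:00:30Z", 2260, "firefox.exe", "file_read", FFOX + r"\logins.json"),
    _rec("2025-05-13T10:00:31Z", 2260, "firefox.exe", "net_connect", "198.51.100.11:443"),
    _rec("2025-05-13T10:01:10Z", 4412, "setup_update.exe", "file_read", CHROME + r"\Login Data"),
    _rec("2025-05-13T10:01:11Z", 4412, "setup_update.exe", "file_read", CHROME + r"\Cookies"),
    _rec("2025-05-13T10:01:12Z", 4412, "setup_update.exe", "file_read", EDGE + r"\Login Data"),
    _rec("2025-05-13T10:01:14Z", 4412, "setup_update.exe", "file_read", FFOX + r"\logins.json"),
    _rec("2025-05-13T10:01:14Z", 4412, "setup_update.exe", "file_read", FFOX + r"\key4.db"),
    _rec("2025-05-13T10:01:20Z", 4412, "setup_update.exe", "net_connect", "203.0.113.45:443"),
    _rec("2025-05-13T10:03:00Z", 5300, "backup.exe", "file_read", CHROME + r"\History"),
    _rec("2025-05-13T10:05:00Z", 6100, "indexer.exe", "file_read", CHROME + r"\Cookies"),
    _rec("2025-05-13T10:20:00Z", 6100, "indexer.exe", "net_connect", "198.51.100.12:443"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only the process that read five stores across both browser families and connected out ten seconds later is reported. The browsers themselves are allowlisted for their own profiles, the backup tool that reads `History` without any network activity is not alerted, and the indexer whose connection comes fifteen minutes after its read falls outside the window. In production the window, the owner allowlist and the destination reputation would all be tuned, but the shape of the rule, reads of credential stores by a foreign process followed by outbound traffic, is the behaviour worth hunting for.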
First identified in December 2022, Lumma quickly gained traction among threat actors, and 2025 has seen a dramatic increase in infostealer activity overall. IBM X-Force reports a 12% rise in stolen credentials offered for sale online and an 84% surge in infostealers delivered through phishing. Lumma played a role in recent breaches at major organizations including Hot Topic, PowerSchool and Snowflake customers.
Stolen credentials have also enabled disruptive network manipulation: in the Orange Spain incident, a stolen password for the operator's RIPE account was used to alter its routing (BGP/RPKI) configuration, degrading connectivity for its customers.
Lumma’s takedown reflects a strategic pivot in cyber defense: target the infrastructure, not just the malware.
What Undercode Say:
The recent takedown of Lumma marks a watershed moment in the battle against malware-as-a-service operations. Unlike traditional cybersecurity efforts that mostly focus on blocking malware post-infection, this operation struck at the heart of Lumma’s ecosystem — its infrastructure, command centers, and criminal marketplaces.
Lumma's design as a rentable service allowed even low-skilled cybercriminals to carry out sophisticated attacks. By offering subscriptions ranging from $250 to $1,000, Lumma effectively democratized cybercrime. That affordability, paired with ease of deployment and built-in evasion, made it a favored tool among groups such as Scattered Spider.
The malware's ability to harvest high-value data from major browsers meant it was not a mere nuisance but a critical threat to enterprise security. Once credentials were exfiltrated, they could be weaponized for data breaches, account takeovers and even infrastructure-level disruption, as the Orange Spain incident shows.
The collaborative nature of this takedown operation is what makes it truly remarkable. It involved not just Microsoft and law enforcement, but also Cloudflare, Lumen, ESET, and legal experts from Orrick. This unified response underlines a new blueprint for dismantling digital crime: cut the digital lifelines, neutralize the command infrastructure, and eliminate hosting and domain resources.
From a cybersecurity strategy standpoint, the move also shows a growing emphasis on proactive disruption. Rather than only reacting to infections as they appear, these organizations used forensic data and threat intelligence to map Lumma's core architecture and isolate it before it could evolve further.
Technologically, Cloudflare’s adjustments, like integrating Turnstile into its defenses, reflect how threat intelligence can lead to real-time product innovation. It’s a constant chess game, where each move by cybercriminals triggers a stronger counter-move from defenders.
But the battle is far from over. The infrastructure can be rebuilt, domains can be re-registered, and new variants of Lumma can emerge. However, every disruption increases the cost and effort required for cybercriminals to continue operations, slowly tilting the advantage back toward defenders.
Lumma’s fall is both a victory and a warning: we must stay vigilant, keep innovating, and always collaborate at global scale to suppress threats of this magnitude.
Fact Checker Results ✅
🔍 Lumma was a real and highly active malware-as-a-service operation.
📉 Over 2,300 domains were indeed seized as part of this action in May 2025.
🔐 Microsoft and global cyber agencies confirmed successful disruption of its infrastructure.
Prediction
While the takedown of Lumma is a significant win for the cybersecurity community, it’s unlikely to be the end of the story. Threat actors will likely attempt to rebuild or rebrand the malware on new infrastructure. However, with increased cooperation between tech companies and global law enforcement, future MaaS operations like Lumma will face more rapid and decisive shutdowns. We can expect more frequent preemptive strikes and deeper integration of AI-driven threat intelligence in identifying and disabling malicious operations at the infrastructure level.
References:
Reported By: www.bleepingcomputer.com