EddieJayonCrypto

 22 May 25

tl;dr

Law enforcement agencies, including the U.S. Department of Justice, Europol, and Japan's Cybercrime Control Center, have seized key infrastructure linked to LummaC2 malware, which targeted millions worldwide by stealing crypto wallet seed phrases and login credentials. Microsoft identified over 394,...

Law enforcement agencies executed a coordinated international operation to seize critical infrastructure of the LummaC2 malware, disrupting its global campaign that targeted millions of victims worldwide. This malware specifically aimed to steal sensitive crypto wallet seed phrases and login credentials, facilitating widespread financial theft.


Operating since around 2022, Lumma is controlled by a Russian developer known as "Shamel," who markets the malware openly through Telegram and Russian-language forums. The malware is offered in customizable tiers, enabling buyers to tailor attacks and efficiently distribute stolen data. Lumma has been implicated in various high-profile cyberattacks including impersonation scams, ransomware collaborations, and assaults on sectors such as banking, education, gaming, healthcare, and logistics.


Between March and May 2025, Microsoft identified over 394,000 global infections of Lumma on Windows systems, and its Digital Crimes Unit successfully disabled more than 2,300 supporting domains. Despite an overall decline in malware use—with a notable shift toward stealthier, malware-free attack methods like phishing and social engineering—Malware-as-a-Service platforms like Lumma remain in high demand. The FBI reported 1.7 million theft attempts involving Lumma, underscoring its persistent threat.


The U.S. Department of Justice, Europol, Japan's Cybercrime Control Center, Microsoft, and private cybersecurity partners spearheaded the takedown. After the initial seizures of Lumma-related domains, the operators rapidly attempted to establish new infrastructure, but this was seized in turn, demonstrating the resilience and responsiveness of law enforcement efforts.


As malware trends evolve, attackers increasingly prefer stealth methods that evade traditional detection, yet sophisticated toolkits such as Lumma empower less experienced cybercriminals to conduct significant operations. The recent crackdown highlights both the ongoing challenges and successes in combating cybercrime targeting digital assets, especially in the cryptocurrency space.


Microsoft continues to monitor Lumma variants closely, issuing warnings about their continued presence and potential threat. This case serves as a critical example of international cooperation to dismantle cybercriminal infrastructure and protect victims from financial exploitation in an increasingly digital world.
