Lumma, also known as LummaC2, is a "malware-as-a-service" type of malicious code, built as a rental service. The attacker does not need deep technical knowledge; for between $250 and $1,000 they can use Lumma to collect passwords, credit cards, browser cookies, browsing history and even cryptocurrency wallets. This malware is spread through various sophisticated channels such as fake emails, malicious advertising, cracked software, or fake CAPTCHA websites. In many cases, the user is completely unaware that their device has been compromised.
The Lumma cyberattack campaign ramped up from mid-March to mid-May 2025. During this time, more than 394,000 Windows devices were infected, spread across more than 40 countries. Damage was estimated at tens of millions of US dollars, especially from the theft and sale of credit card data on online black markets. A large part of this data has been leaked through platforms such as Telegram, where cybercriminals trade information quickly and with little scrutiny.
According to information from the authorities, more than 2,300 malicious domain names have been seized, severing the command-and-control (C2) communication chain between the hackers and victim devices.
Experts warn that, although the takedown campaign has produced significant results, the threat from Lumma has not completely disappeared. Much of the server infrastructure in Russia, believed to be the main coordination center, is still operational. The teams behind Lumma have even begun rebuilding a new system to continue running the service. According to reports from cybersecurity firms, Lumma remains one of the most popular tools used by cybercriminals, including the Scattered Spider group, a notorious group of hackers who have launched attacks on major businesses in the US and Europe.
Authorities may regain control of the domain names and shut down the control system, but the malicious code itself may remain on the user's device if it is not thoroughly removed. This means that the risk of information being stolen is still present, especially for those using personal computers or systems that are not fully protected.
In order to avoid the risk of infection, cybersecurity experts issued the following advice:

- Users should regularly update their operating systems and browser software to fix security vulnerabilities.
- It is also important to be careful when opening unfamiliar emails, not to download software from unknown sources, and to avoid clicking on suspicious links.
- Using security software that integrates features such as suspicious-behavior detection, real-time blocking of malicious code, and clipboard monitoring is a good solution for both individuals and businesses.
- Enabling two-factor authentication (2FA) for key accounts such as email, banking, social media, and cryptocurrency wallets strengthens the layer of protection when login information is leaked.
- Finally, businesses should organize internal training to raise employees' security awareness, because in many cases human error remains the fatal flaw that malicious code like Lumma exploits to infiltrate the system.
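The article notes that seizing the C2 domains does not remove the stealer from already-infected machines, and recommends security tooling that detects suspicious behavior. One practical check a defender can run with what the takedown provides is to match the published list of seized domains against internal DNS resolver logs: a host that keeps resolving a seized C2 domain is still infected and needs cleanup. The Python below is an added example, not code from the article or from any vendor; the blocklist entries, log lines and log format are constructed placeholders (the article does not list the actual seized domains), and the real indicator list would be loaded from the authorities' publication.

```python
"""Match DNS query logs against a blocklist of seized C2 domains.

Added example. The domains and log lines below are constructed
placeholders, not real Lumma indicators.
"""
import re
from collections import defaultdict

# Placeholder blocklist (assumption): in practice this is the list of
# seized/sinkholed domains published after the takedown.
BLOCKLIST = {
    "c2-placeholder-1.example",
    "c2-placeholder-2.example",
}

# Constructed resolver log lines in a BIND-style "query:" format.
# Host 10.0.0.15 queries a subdomain of a seized domain (and later the
# apex with trailing dot and mixed case); 10.0.0.22 queries one seized
# apex plus a look-alike that must NOT match.
SAMPLE_LOG = """\
May 20 10:01:02 resolver named[123]: client 10.0.0.15#53211: query: update.microsoft.com IN A
May 20 10:01:05 resolver named[123]: client 10.0.0.15#53211: query: api.c2-placeholder-1.example IN A
May 20 10:02:10 resolver named[123]: client 10.0.0.22#41022: query: c2-placeholder-2.example IN A
May 20 10:02:11 resolver named[123]: client 10.0.0.22#41022: query: notc2-placeholder-2.example IN A
May 20 10:03:00 resolver named[123]: client 10.0.0.15#53211: query: C2-Placeholder-1.example. IN AAAA
"""

LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalize(name: str) -> str:
    """Strip the trailing root dot and lower-case, so 'A.B.' == 'a.b'."""
    return name.rstrip(".").lower()


def matches_blocklist(qname: str, blocklist=BLOCKLIST):
    """Return the blocklisted domain that qname equals or is a subdomain
    of, or None. Matching is on label boundaries, so 'notbad.example'
    does not match 'bad.example'."""
    q = normalize(qname)
    for entry in blocklist:
        bad = normalize(entry)
        if q == bad or q.endswith("." + bad):
            return bad
    return None


def find_suspect_hosts(log_text: str, blocklist=BLOCKLIST) -> dict:
    """Map each client IP that resolved a blocklisted name to the sorted
    list of blocklisted domains it touched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        bad = matches_blocklist(m.group("qname"), blocklist)
        if bad:
            hits[m.group("ip")].add(bad)
    return {ip: sorted(domains) for ip, domains in hits.items()}


if __name__ == "__main__":
    for ip, domains in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{ip}: still resolving seized domain(s) {', '.join(domains)}")
```

Hosts reported by `find_suspect_hosts` are candidates for a full malware scan and credential rotation; the check is deliberately conservative (exact apex or subdomain, never substring) to avoid false positives on look-alike names.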
