Microsoft Disrupts Lumma Stealer Malware with Global Legal and Technical Efforts
Microsoft has taken significant legal and technical steps to dismantle Lumma Stealer, a malware operation that has been stealing sensitive information on a massive scale, including from cryptocurrency wallets.
The company’s Digital Crimes Unit (DCU) revealed in a blog post on 22 May that it worked with global law enforcement agencies to seize or block nearly 2,300 domains connected to Lumma’s infrastructure, severely crippling its operation.
What Actions Were Taken Against Lumma Stealer
With the backing of a federal court in Georgia, Microsoft and its partners including the U.S. Department of Justice, Europol’s European Cybercrime Center, and Japan’s Cybercrime Control Center, managed to disrupt the command-and-control servers used by the malware developers.
The DOJ took control of Lumma’s central command panel and shut down the online marketplaces where cybercriminals bought the malware.
Microsoft also redirected over 1,300 seized domains to sinkholes to gather intelligence and prevent further infections.
The takedown was not a solo effort.
Other technology companies such as Cloudflare, Bitsight, Lumen, and ESET joined the operation to help take apart the Lumma ecosystem.
According to Microsoft, the coordinated move has severed communication channels between the malware and infected machines worldwide.
How Widespread Was the Lumma Infection
Between mid-March and mid-May 2025, Microsoft identified more than 394,000 Windows devices infected by Lumma Stealer globally.
The malware was actively used by hackers to steal passwords, bank details, credit card information, and cryptocurrency wallet credentials.
Microsoft’s blog described Lumma as “the go-to tool for cybercriminals and online threat actors” due to its ease of distribution and ability to bypass security defences.
How Has Lumma Been Used by Cybercriminals
The malware’s developers have been refining Lumma since its launch in 2022, marketing it through underground forums in several paid service tiers.
Microsoft highlighted a recent phishing campaign in March 2025 where attackers impersonated the Booking.com travel site to trick victims into handing over their data.
Lumma has also targeted gaming communities and educational institutions, with cybersecurity firms reporting attacks against manufacturing, logistics, healthcare, and other critical sectors.
[Figure: Illustration of the attack path from ClickFix to Lumma Stealer]
Why Is This Malware Hard to Fight
Experts point out that Lumma’s adaptability makes it a persistent threat.
Ensar Seker, CISO at SOCRadar, called the disruption a “pivotal moment” but warned that continuous collaboration between public and private sectors remains essential.
He noted, “Lumma’s ability to adapt employing phishing, malvertising, and exploiting trusted platforms highlights the evolving tactics of threat actors.”
Bruce Jenkins, CISO at Black Duck, added that it’s premature to assume Lumma is gone for good.
He urged security teams to stay alert and improve user awareness to defend against phishing, recommending “a robust endpoint detection and response (EDR) solution and a comprehensive business resiliency plan, including regular data backups and tested restoration procedures.”
The State Of Cybercrime Today
Lumma is part of a growing trend where malware is sold as a service, making powerful cybercrime tools accessible to less experienced criminals.
These “infostealers” are foundational to many modern attacks, supplying stolen credentials that fuel further breaches.
This trend aligns with data showing a sharp rise in hybrid cloud breaches and attacks targeting large language model deployments.
The rise in crypto-focused malware is especially alarming.
Earlier in May, printer maker Procolored was found distributing malware that drained Bitcoin wallets, resulting in nearly $1 million stolen.
According to Chainalysis, illicit cryptocurrency transaction volume reached an estimated $51 billion in 2024, driven by fraud rings, state-backed hackers, and scams aided by artificial intelligence.
What Are Crypto Drainers and Why Are They Dangerous
Malicious tools designed to drain cryptocurrency wallets, known as crypto drainers, are now sold as a service on underground markets for as little as $100.
Criminals deploy them through phishing pages, fake airdrops, and malicious browser extensions.
Cybersecurity firms report significant growth in darknet forums offering these drainers, with drainer-attributed theft reaching nearly $500 million in 2024, a 67% increase over the previous year.
Although some platforms have tightened data sharing with authorities, drainer sellers continue to migrate to anonymity networks such as Tor to evade detection.
This persistent cat-and-mouse game reflects the ongoing challenges of tackling cybercrime on a global scale.