Microsoft says 394,000 Windows computers infected by Lumma malware

Microsoft announced on Wednesday the successful dismantling of the Lumma Stealer malware project, a significant achievement made possible through collaboration with law enforcement agencies worldwide. In a detailed blog post, the tech giant revealed that its digital crimes unit identified over 394,000 Windows computers infected by the Lumma malware during a critical period from March 16 to May 16.

The Lumma malware has gained notoriety as a preferred hacking tool among cybercriminals, enabling them to pilfer sensitive information such as passwords, credit card details, bank account credentials, and cryptocurrency wallets. Microsoft’s digital crimes unit, leveraging a court order from the U.S. District Court for the Northern District of Georgia, effectively dismantled the web domains that formed the backbone of Lumma’s infrastructure.

In a coordinated effort, the U.S. Department of Justice took control of Lumma’s central command structure, effectively disrupting the online marketplaces where this malware was traded. The cybercrime control center in Japan played a crucial role by facilitating the suspension of Lumma’s local infrastructure, further crippling its operational capabilities.

Collaboration and Impact

“Working with law enforcement and industry partners, we have severed communications between the malicious tool and its victims,” Microsoft stated in the blog. The company also noted that over 1,300 domains, seized or transferred to Microsoft—including 300 domains acted upon by law enforcement with support from Europol—will be redirected to Microsoft sinkholes, effectively neutralizing their threat.

Notably, other technology firms such as Cloudflare, Bitsight, and Lumen contributed to the dismantling of the Lumma malware ecosystem, showcasing a united front against cybercrime.

Since at least 2022, hackers have been acquiring the Lumma malware through underground online forums, with its developers continuously enhancing its capabilities. The malware has emerged as a favored tool for cybercriminals because it is easy to distribute and, thanks to careful engineering, is able to bypass certain security measures.

Microsoft highlighted a particularly alarming instance involving a phishing campaign in March 2025, where cybercriminals masqueraded as representatives of the Booking.com online travel service. Utilizing the Lumma malware, these actors executed financial crimes under the guise of legitimate business operations.

Furthermore, the malware has been implicated in attacks on online gaming communities and educational institutions. Other cybersecurity firms have reported its use in cyberattacks targeting critical infrastructure sectors, including manufacturing, logistics, and healthcare, underscoring the pervasive threat posed by Lumma and similar malware.
