Global Cybersecurity Operation Dismantles Lumma Malware Network


In a coordinated operation, Microsoft's Digital Crimes Unit, working with the U.S. Department of Justice, the FBI and Europol, dismantled the domain infrastructure behind the Lumma information-stealing malware. On May 13, 2025, acting under a U.S. court order, Microsoft and its partners took down roughly 2,300 domains that the operators used to control infected machines and to distribute the malware.

According to Microsoft, Lumma had infected more than 394,000 Windows computers worldwide between March 16 and May 16, 2025. Lumma is an information stealer: once running on a victim's machine, it harvests data saved by major web browsers, including Google Chrome, Microsoft Edge and Mozilla Firefox. The stolen information included saved login passwords, credit card numbers, banking credentials and cryptocurrency wallet data, posing serious privacy and financial risks to individuals and organizations alike. For defenders, the practical consequence is that any credential stored in a browser on an infected host should be treated as compromised and rotated.

Following the takedown, the seized domains were redirected to sinkholes controlled by Microsoft. Infected machines that still try to reach their former command-and-control domains now connect to the sinkhole instead, which both cuts the operators off from their victims and gives investigators a record of which hosts are infected. That telemetry is being used to gauge the scale of the operation, to notify victims and to support the effort to identify the perpetrators.
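The same logic applies inside an organization: after a takedown, the question for a security team is which internal hosts ever looked up the domains on the published indicator list. The script below is an added example, not code from the article or from Microsoft, the DOJ or any of the partners named here. It scans DNS resolver logs for queries matching a set of takedown domains, including subdomains, while rejecting look-alike names that merely share a suffix, and reports each querying client with its first-seen time and lookup count. The domain names and the log lines are constructed placeholders (hence the `.invalid` TLD), not real Lumma indicators; in practice you would load the published IOC list instead.

```python
"""Triage DNS resolver logs for lookups of domains named in a takedown IOC list.

Added example, not from the article or from the takedown participants. The
domains and log lines are constructed placeholders (.invalid TLD), not real
indicators; substitute the published IOC list in practice.
"""
import re
from collections import defaultdict
from typing import Optional

# Constructed placeholder IOCs standing in for a published takedown list.
TAKEDOWN_DOMAINS = {
    "panel-updates.invalid",
    "cdn-sync-check.invalid",
}

# Constructed log lines modelled on dnsmasq's "query[TYPE] name from client" format.
SAMPLE_LOG = """\
May 13 10:01:02 dnsmasq[412]: query[A] www.example.com from 10.0.0.21
May 13 10:01:05 dnsmasq[412]: query[A] panel-updates.invalid from 10.0.0.21
May 13 10:02:11 dnsmasq[412]: query[A] api.cdn-sync-check.invalid from 10.0.0.47
May 13 10:02:14 dnsmasq[412]: query[A] notcdn-sync-check.invalid from 10.0.0.47
May 13 10:03:00 dnsmasq[412]: query[AAAA] PANEL-UPDATES.INVALID. from 10.0.0.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ query\[(?P<qtype>[A-Z]+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'X.INVALID.' matches 'x.invalid'."""
    return name.rstrip(".").lower()


def matches_ioc(name: str, iocs) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    The label-boundary check (".") prevents false positives such as
    'notcdn-sync-check.invalid' matching 'cdn-sync-check.invalid'.
    """
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def triage(log_text: str, iocs=TAKEDOWN_DOMAINS):
    """Map each client IP that queried an IOC to the IOCs seen, first timestamp and count."""
    hits = defaultdict(lambda: {"iocs": set(), "first_seen": None, "count": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ioc = matches_ioc(m["name"], iocs)
        if ioc is None:
            continue
        rec = hits[m["client"]]
        rec["iocs"].add(ioc)
        rec["count"] += 1
        if rec["first_seen"] is None:
            rec["first_seen"] = m["ts"]
    return dict(hits)


if __name__ == "__main__":
    for client, rec in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: first seen {rec['first_seen']}, "
              f"{rec['count']} lookups, {sorted(rec['iocs'])}")
```

Any client the script reports should be isolated and imaged before remediation, since the lookup proves only that the host tried to reach the infrastructure, not what was exfiltrated before the domains were sinkholed.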

The investigation further confirmed that Lumma was sold under a malware-as-a-service (MaaS) model, in which the malicious software and its control panel are rented to other criminals for a fee. This made the malware widely accessible, with service tiers priced between $250 and $1,000 depending on the features included. Its low cost and ready availability made Lumma particularly attractive to low- to mid-level threat actors looking to scale up their operations.

Authorities also seized Lumma's central command-and-control infrastructure, which was hosted primarily in Europe and Japan. The U.S. Department of Justice led the legal action in the United States, obtaining warrants to seize servers and digital assets tied to the operation, while Europol's European Cybercrime Centre and Japan's Cybercrime Control Center facilitated the suspension of infrastructure hosted in their regions.

Cloudflare, a prominent provider of web infrastructure and security services, also examined how its platform had been abused by the Lumma operators. By placing their servers behind Cloudflare's reverse proxy, the operators could hide the real IP addresses of the command-and-control infrastructure and make the malicious traffic harder to distinguish from legitimate use, helping them stay undetected while siphoning data.

The operation was supported by a coalition of private-sector and legal partners, including ESET, CleanDNS, Bitsight, Lumen, and the law firm Orrick, Herrington & Sutcliffe LLP. Their combined efforts were instrumental in identifying, tracking and neutralizing the infrastructure behind the malware, which threat reports track as Lumma Stealer or LummaC2.

This operation follows months of public warnings from Microsoft about growing malware activity targeting both public- and private-sector networks in the United States. Microsoft also recently published a report alleging that Chinese state-sponsored groups have been exploiting vulnerabilities in telecommunications infrastructure to conduct espionage, reportedly compromising more than a dozen telecom networks since 2021.

This takedown serves as a major victory in the ongoing global fight against cybercrime and a reminder of the growing need for international cooperation in tackling digital threats.


Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security