Lumma Malware Affected 394,000 Windows Computers Globally, Says Microsoft
Microsoft, with law enforcement worldwide, has dismantled the Lumma malware operation, which infected nearly 400,000 Windows systems and stole sensitive data.
Summary
- Microsoft took down Lumma malware with help from global law enforcement and tech firms.
- Lumma infected over 394,000 Windows computers between March and May 2025.
- Used to steal passwords, financial data, and cryptocurrency wallets via phishing attacks.
What Is Lumma Malware?
Lumma is a Malware-as-a-Service (MaaS) tool that has become a favorite among cybercriminals since 2022. Developed and distributed through underground forums, it specializes in stealing sensitive data such as login credentials, credit card numbers, bank account info, and crypto wallets. Microsoft calls Lumma “the go-to tool for cybercriminals” because of its stealth, ease of deployment, and ability to bypass security protocols.
How Microsoft Dismantled Lumma?
Microsoft’s Digital Crimes Unit (DCU) filed a legal action against Lumma on May 13, 2025. With a court order from the U.S. District Court for the Northern District of Georgia, Microsoft and its partners took down over 2,300 domains that supported the malware’s infrastructure. The U.S. Department of Justice also seized Lumma’s command-and-control servers and disrupted the online markets selling the tool.
Global and Industry Collaboration
The takedown was a global effort involving agencies like Europol, Japan’s Cybercrime Control Center, and companies such as Cloudflare, Bitsight, Lumen, and ESET. Microsoft said 1,300+ domains were redirected to its “sinkholes,” cutting off Lumma’s communication with infected systems. These efforts disrupted cybercrime operations and blocked revenue streams for threat actors.
Where and How Lumma Was Used?
Microsoft identified more than 394,000 infected devices globally between March 16 and May 16, 2025. In one case, a phishing campaign posed as Booking.com to trick users into clicking malware-infected links. Lumma has also targeted online gaming communities, education networks, and critical industries like finance, healthcare, manufacturing, and logistics.
The Developer Behind Lumma
Lumma’s creator goes by the alias “Shamel” and operates out of Russia. He marketed the malware with multiple pricing tiers — from $250 to $20,000 — offering various features like traffic analysis, log management, and even the malware’s full source code. Shamel ran his operation with a professional brand image, calling Lumma a symbol of “peace, lightness, and tranquility.”
Microsoft’s Long-Term Cybersecurity Vision
According to Microsoft, disrupting major tools like Lumma can deliver lasting impacts by delaying new attack launches and increasing operational costs for hackers. The DCU aims to work closely with partners across the public and private sectors to track, investigate, and stop future threats using insights gathered from these takedowns.
Pros
- Major malware infrastructure dismantled
- Global coordination led to quick, decisive action
- 394,000+ users protected from further data theft
Cons
- Threat actors like Shamel still operate from safe havens
- Malware variants can quickly resurface under new names
- Ongoing phishing and malvertising attacks remain active risks
Conclusion
The takedown of Lumma malware marks a major win for Microsoft and cybersecurity at large. While the threat from similar tools remains, this operation significantly disrupts global cybercriminal infrastructure. Ongoing efforts between governments and tech firms are essential to keep these malicious actors at bay.
FAQs
Q: What is Lumma malware?
A: Lumma is a malware-as-a-service that steals sensitive information such as passwords, credit card details, and crypto wallets.
Q: How many devices were affected?
A: Over 394,000 Windows computers were infected globally between March and May 2025.
Q: Who helped take it down?
A: Microsoft, DOJ, Europol, JC3, and cybersecurity firms like Cloudflare, ESET, Bitsight, and Lumen collaborated on the operation.
