Law enforcement agencies have taken significant action against the LummaC2 malware operation, which has targeted millions of victims worldwide by stealing sensitive information, including crypto wallet seed phrases. The coordinated effort involved the U.S. Department of Justice, Europol, Japan's Cybercrime Control Center, and private cybersecurity partners. The seizures were part of a broader initiative to disrupt the malware's infrastructure, which has been linked to over 1.7 million theft attempts and 394,000 infections worldwide.

On May 19, the DOJ initially seized two websites associated with LummaC2. In response, the malware administrators attempted to establish three new domains, but these were also seized the following day. Microsoft's Digital Crimes Unit played a crucial role in this operation, seizing and disabling over 2,300 domains that supported Lumma's infrastructure. This action was part of a civil lawsuit filed earlier this month, highlighting the collaborative efforts between law enforcement and tech companies to combat cyber threats.
Matthew R. Galeotti, head of the DOJ's Criminal Division, emphasized the severity of the threat posed by malware like LummaC2. "Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft," he stated. This underscores the importance of such coordinated efforts in mitigating the impact of cybercrime on a global scale.
Despite the decline in the popularity of traditional malware, there remains a significant demand for Malware-as-a-Service tools like Lumma. These tools enable less sophisticated threat actors to access advanced capabilities, making them a potent tool for cybercrime. The FBI has identified Lumma's use in at least 1.7 million theft attempts, highlighting its widespread impact. Crypto wallets, in particular, have been common targets, with recent incidents involving fake AI bots spreading malware and Inferno Drainer stealing millions from wallets.
Lumma, launched around 2022, has evolved through multiple iterations and is controlled by a Russian developer known online as "Shamel." Operating openly via Telegram and Russian-language forums, Shamel markets Lumma in tiered service packages, allowing buyers to customize, distribute, and track stolen data. One notable campaign involved fake emails impersonating Booking.com to steal login credentials and empty bank accounts. The malware has also been linked to attacks on education systems, gaming communities, and critical infrastructure sectors, including healthcare and logistics. Its stealth and flexibility have made it a favored tool among high-profile ransomware groups such as Octo.

Microsoft continues to monitor emerging variants of Lumma, warning that the malware remains a potent threat even as its core infrastructure is being dismantled. This ongoing vigilance is crucial in the fight against cybercrime, as new variants and tactics are constantly emerging. The coordinated efforts of law enforcement and tech companies are essential in staying ahead of these threats and protecting users from the ever-evolving landscape of cybercrime.