Microsoft Disrupts Lumma Malware, Protects 394,000 Windows Users

Word on the Street, Wednesday, May 21, 2025, 3:04 pm ET

Microsoft has announced that more than 394,000 Windows computers worldwide were infected with the Lumma infostealer between March 16 and May 16, 2025. The company's Digital Crimes Unit identified the scale of the infections; the malware was used by criminals to steal sensitive data such as passwords, credit card details, bank account information, and cryptocurrency wallet credentials.

In a blog post, Microsoft described Lumma as a commodity tool that cybercriminals rent and use for a range of malicious activity. The effort to dismantle the Lumma Stealer project was supported by law enforcement agencies around the world, which played a crucial role in the operation. Armed with a court order from the U.S. District Court for the Northern District of Georgia, Microsoft's Digital Crimes Unit took down the web domains that underpinned Lumma's infrastructure. The U.S. Department of Justice then took control of Lumma's "central command system" and shut down the online marketplace where criminals purchased the malware.

The blog post also noted that the Japanese National Police Agency helped suspend Lumma infrastructure located in Japan. Microsoft highlighted the collaboration with law enforcement and industry partners: more than 1,300 domains, including 300 handled by law enforcement with Europol's support, were seized or taken over and redirected to a Microsoft sinkhole server. Because infected machines now resolve those domains to the sinkhole rather than to the operators' servers, the stealer can no longer reach its command-and-control infrastructure to receive instructions or exfiltrate stolen data.

Other technology companies, including Cloudflare, Bitsight, and Lumen, also contributed to the disruption of the Lumma ecosystem. According to the blog post, criminals have been buying Lumma through underground online forums since at least 2022, and its developers have continuously added capabilities. Its ease of distribution and ability to evade some security defenses made it a preferred tool among cybercriminals and other threat actors.

Microsoft gave the example of a phishing campaign in March 2025 in which victims were tricked into believing they were corresponding with Booking.com employees; the criminals behind it used Lumma to commit financial fraud. Attackers have also used Lumma against online gaming communities and the education sector, and other cybersecurity firms have reported it in attacks on critical infrastructure sectors such as manufacturing, logistics, and healthcare.

This incident underscores the persistent threat posed by malicious software and the necessity for continuous vigilance and robust cybersecurity measures. The successful disruption of the Lumma Stealer project demonstrates the importance of international cooperation and collaboration between technology companies and law enforcement agencies in combating cyber threats.