Recent law enforcement actions have taken a heavy toll on the key infrastructure of LummaC2, a malicious software operation that targeted millions of victims worldwide, stealing data including crypto wallet seed phrases that were not securely stored. The U.S. Department of Justice announcement makes clear that a coordinated, international effort involving Europol, Japan’s Cybercrime Control Center, and Microsoft led to these significant seizures.
It all started on May 19, when the DOJ seized two websites. Lumma’s administrators quickly attempted to set up new domains, but those were seized the next day. Microsoft recorded over 394,000 infections on Windows systems worldwide between March and May 2025, and through a lawsuit, its Digital Crimes Unit has shut down over 2,300 domains that were supporting Lumma infrastructure.
“Malware like LummaC2 is designed to steal sensitive information, such as login credentials, from millions of victims, facilitating a range of crimes, including fraudulent bank transfers and theft of cryptocurrency,” said Matthew R. Galeotti, chief of the DOJ’s Criminal Division.
It seems like malware is losing its shine. The 2025 Global Threat Report from CrowdStrike shows that attackers are increasingly focusing on malware-free attacks. Over the past five years, they have shifted their strategies to methods such as phishing, social engineering, and trust abuse. By 2022, the share of malware-free attacks had increased to 79%, up from 40% in 2019.
That said, there’s still a market for malware-as-a-service tools like Lumma. The FBI has identified Lumma in over 1.7 million attempted thefts. Crypto wallets remain particularly vulnerable; earlier this month, researchers pointed to rogue AI bots spreading malware, and the recently identified Inferno Drainer has stolen over $9 million worth of crypto from wallets in the past six months.
Launched around 2022, Lumma has evolved through multiple versions under the direction of a Russian developer known online as “Shamel.” This hacker markets Lumma via Telegram and Russian forums, where he offers tiered service packages that let buyers customize their attacks and track stolen information.
One of the most notable campaigns involved fake emails posing as Booking.com, which attempted to steal login credentials and bank account details. Lumma has also made its mark in the education sector, gaming communities, and critical infrastructure including healthcare and logistics. Due to its stealth and flexibility, Lumma is a popular tool among high-level ransomware groups such as Octo Tempest.
Microsoft is closely monitoring emerging variants of Lumma, and warns that the malware remains a persistent threat despite the dismantling of its core infrastructure.
“Keep your crypto safe, because the digital world remains a playing field for both forward-thinking innovations and unforeseen dangers!”
What exactly is LummaC2?
LummaC2 is a malware operation designed to steal sensitive information such as login credentials and crypto wallet seed phrases from victims worldwide.
How does law enforcement respond to these threats?
International cooperation has resulted in significant seizures of infrastructure used by LummaC2, involving the DOJ and Europol, among others.
What are the latest trends in cybercrime?
Cybercriminals are increasingly shifting to malware-free attacks, using techniques such as phishing and social manipulation to dupe victims.