Lumma Stealer Malware is at the center of a global cybercrime crackdown after Microsoft announced an aggressive legal and technical campaign to dismantle the notorious data-harvesting operation.
In a significant move, the U.S. District Court for the Northern District of Georgia authorized Microsoft’s Digital Crimes Unit to seize, suspend or block nearly 2,300 malicious domains that formed the backbone of the malware’s infrastructure, one of the largest single strikes yet against a malware economy that targets crypto holders and enterprises alike.
“This action is part of our broader effort to disrupt the cybercriminal economy,” said Amy Hogan-Burney, General Manager of Microsoft’s Digital Crimes Unit, in the company’s May 21 blog post.
“Lumma Stealer Malware has been weaponized to steal everything from passwords to crypto wallets. We are shutting it down at the source.”
Lumma Stealer Malware targets crypto wallets, bank credentials
First advertised in 2022 and updated constantly since, Lumma Stealer Malware has carved a menacing niche in the cybercrime underworld. It is sold by subscription on underground forums and delivered to victims through phishing and similar lures, allowing criminals to harvest sensitive data such as credit card numbers, login credentials, and digital asset information, including data from browser-extension wallets such as MetaMask and Trust Wallet.
According to Microsoft, more than 394,000 Windows devices were infected with Lumma Stealer Malware between March 16 and May 16. This widespread infiltration prompted urgent action in collaboration with the U.S. Department of Justice, Europol, and the Japan Cybercrime Control Center (JC3).
Microsoft’s enforcement campaign focused on dismantling the command-and-control (C2) infrastructure through which Lumma Stealer Malware siphons data from infected machines. By taking control of the seized domains and redirecting them to Microsoft-controlled sinkholes, and working alongside international law enforcement and private cybersecurity firms, Microsoft helped sever communications between the malware on victim machines and its operators.
“We’re talking about a truly global malware operation,” said Jean-Ian Boutin, Head of Threat Research at ESET. “Lumma’s infrastructure spanned continents, and disrupting that is no small feat.”
The Lumma Stealer Malware crackdown comes amid a broader surge in malware-as-a-service (MaaS) offerings, particularly targeting the crypto space. These tools—sometimes marketed openly on the dark web—allow even low-level cybercriminals to launch sophisticated theft campaigns for as little as $100.
According to AMLBot, crypto drainers (which trick users into signing wallet-emptying transactions, as opposed to stealers like Lumma, which lift stored credentials and wallet data) are now offered as Software-as-a-Service (SaaS) tools. These kits are sold with ready-made templates, fake airdrop pages, browser extension scripts, and even customer support. Some groups allegedly operate with such confidence that they advertise at industry events.
Crypto losses mount as Lumma leads the charge
In 2024 alone, Scam Sniffer reported that $494 million in crypto assets were stolen using drainer tools, a 67% year-over-year increase. Cybercriminals are increasingly turning to Lumma Stealer Malware and similar platforms to exploit digital wallets, bypass 2FA by stealing authenticated browser session cookies, and inject malicious browser extensions.
Meanwhile, Chainalysis estimated that illicit cryptocurrency activity in 2024 could exceed $51 billion, driven by a toxic mix of malware, phishing, and AI-assisted fraud. The FBI noted that $9.3 billion in crypto fraud losses were reported in the U.S. last year, with adults over 60 disproportionately affected.
While Telegram once served as a safe haven for malware distribution because of its hands-off moderation and privacy policies, many actors behind Lumma Stealer Malware have returned to Tor as concerns rise over increased platform surveillance.
According to Kaspersky, the number of darknet forum threads dedicated to crypto drainer tools ballooned from 55 in 2022 to 129 in 2024, a clear signal that the underground market is expanding, not shrinking.
The takedown of Lumma Stealer Malware isn’t just a victory for Microsoft; it’s a wake-up call for crypto users, financial institutions, and regulators worldwide. As malware groups grow more sophisticated and decentralized, and as infected machines can simply be re-pointed at new C2 domains, collaborative global action is becoming the only viable defense.
“This is a landmark move,” said John Fokker, Head of Threat Intelligence at Trellix. “It proves that when law enforcement, tech companies, and cybersecurity experts work together, even the most elusive malware operations can be exposed.” The Bit Gazette will continue to observe the market and report as events unfold.