A coordinated operation by Europol, the FBI, Microsoft, and other public and private sector partners targeted the Lumma infostealer, a prolific malware distributed via a malware-as-a-service (MaaS) model.
Known for stealing credentials and as a tool of choice for notorious cybercriminal groups such as Scattered Spider, Angry Likho, and CoralRaider, Lumma saw its infrastructure significantly disrupted.
Starting on May 15, law enforcement agencies seized approximately 2,500 domains associated with Lumma, crippling access to its command and control (C2) servers and management dashboards.
Global Operation Targets Lumma Infrastructure
Dark web forums buzzed with customer complaints about inaccessible services, highlighting the immediate impact.
However, the operation could not fully dismantle Lumma’s Russia-hosted infrastructure, leaving a critical segment of its operations intact.
Lumma’s developer later revealed that the main server, although protected by its geographic location, was infiltrated via an undisclosed vulnerability in the Integrated Dell Remote Access Controller (iDRAC).
Law enforcement wiped the server and backups, planted a phishing login page to harvest user credentials, and inserted a JavaScript snippet to access webcams, amplifying psychological pressure on the malware’s ecosystem.

Despite the takedown, Lumma’s developers have shown remarkable resilience, swiftly working to restore operations.
By May 23, the developer publicly acknowledged the seizure but claimed no arrests were made and asserted that services were back to normal, as evidenced by Telegram conversations shared on cybercrime forums.
Technical analysis by Check Point confirms that many Russia-registered C2 servers remain operational, underscoring the partial success of the takedown.
Resilience Amid Reputational Damage
Furthermore, stolen data from Lumma-infected systems continues to surface on illicit markets, with a Telegram bot offering 95 logs from 41 countries just two days post-operation, increasing to 406 logs by May 29.
Centralized Russian marketplaces also display fresh Lumma logs, indicating persistent activity.

While the technical damage is significant, the reputational blow to Lumma may pose a greater long-term challenge.
Law enforcement’s psychological tactics, such as posting messages on Lumma’s Telegram channel alleging cooperation from admins and affiliates, mirror strategies used in operations like Cronos against LockBit ransomware.
Though threat actors have questioned the efficacy of the webcam-accessing JavaScript snippet, dismissing it as rudimentary, the seeds of distrust sown among Lumma’s user base could hinder its recovery.
The mixed opinions on dark web forums reflect uncertainty about Lumma’s future, with some predicting a shift to private, word-of-mouth operations, while others believe the impact will be transient.
Check Point Research notes that while Lumma’s developers are aggressively reinstating their infrastructure, the malware’s brand and trust among affiliates may not recover as easily.
The operation’s focus on psychological disruption, combined with the persistent availability of stolen data, suggests that Lumma remains a potent threat, albeit under intense scrutiny.
As law enforcement continues to battle such cybercrime, the interplay between technical takedowns and reputational damage will likely determine Lumma’s trajectory in the evolving threat landscape.