FBI and DOJ Dismantle LummaC2 Malware Network Behind Global Password Thefts.
The U.S. Department of Justice, in coordination with international partners, has shut down LummaC2 – a powerful malware platform used to steal sensitive data from millions of victims worldwide.
For years, LummaC2 operated quietly in the background, enabling cybercriminals to harvest passwords, financial information, and personal details.
That operation has now been effectively dismantled.
A Digital Threat Hiding in Plain Sight
LummaC2, sometimes referred to as Lumma Stealer, wasn’t the work of a lone hacker in a dark basement. It was a fully commercialized service, sold online like a subscription, offering powerful data theft tools for as little as a few hundred dollars a month.
Hackers used it to steal everything from passwords and bank logins to cryptocurrency wallets and authentication codes.
It was often spread through fake emails, phony software updates, and websites designed to mimic well-known brands.
Victims rarely knew they’d been compromised until it was too late.
A Global Effort with Real Consequences
The crackdown was led by Microsoft’s Digital Crimes Unit and the DOJ, in partnership with Europol, Japan’s Cybercrime Control Center, Cloudflare, and Bitsight.
Investigators were granted court approval to seize over 2,300 web domains tied to the malware’s infrastructure. They also seized five domains that operators used as login panels for managing the malware and its stolen data.
Authorities also worked to shut down the channels used to promote and distribute the malware, including dozens of Telegram groups and other online accounts used by hackers to communicate and trade stolen data.
Officials involved in the operation were clear about the scale of the threat. Bryan Vorndran, who leads the FBI’s Cyber Division, described LummaC2 as the most widely used infostealer in criminal circles.
“The FBI is committed to disrupting the key services that cyber criminals rely on. That’s why, with our partners, we took action against the most popular infostealer service available in online criminal markets, which is responsible for millions of attacks against victims.”
“Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels. Together, we are making it harder, and more painful, for cyber criminals to operate.”
Matthew Galeotti of the DOJ echoed those concerns, calling LummaC2 “a tool for identity theft, fraud, and cryptocurrency heists on a massive scale.”
Microsoft’s Steven Masada said the takedown was about more than seizing servers. “We’re working to cut off cybercriminals from the very infrastructure they rely on to victimize others.”
In a two-month window earlier this year, from mid-March to mid-May 2025, nearly 400,000 devices were found infected.
The FBI has linked LummaC2 to over 1.7 million instances of stolen personal data. That information often ended up for sale on dark web forums, where it was used to commit fraud, impersonate victims, or drain financial accounts.
Staying Safe in a Post-Lumma World
While LummaC2’s network has been severely disrupted, the risk isn’t over. Experts believe other versions or copycat tools may soon emerge.
Cybercrime moves fast, and takedowns like this one are only part of the solution.
Users are being urged to stay vigilant. Keeping software updated, using two-factor authentication, and avoiding unknown email links are some of the most effective ways to stay protected.
Password managers and breach-monitoring tools can also help users spot unusual activity before it spirals out of control.
How LummaC2 Operated
- Malware-as-a-Service (MaaS): LummaC2 operated as a subscription-based malware platform, allowing cybercriminals, regardless of technical skill, to rent it and launch attacks. Prices ranged from $250 to $1,000 per month, depending on the features.
- First emerged in 2022: LummaC2 first appeared on Russian-speaking cybercrime forums and quickly gained popularity due to its user-friendly interface, customization options, and low entry cost.
- Information stealer (infostealer): The malware was designed to steal a wide range of personal and financial data, including:
  - Login credentials (usernames and passwords)
  - Banking and credit card details
  - Cryptocurrency wallet keys
  - Browser-stored autofill data
  - Multi-factor authentication tokens
- Widespread infection: Between March 16 and May 16, 2025, the FBI identified over 394,000 infections tied to LummaC2. In total, the FBI has linked the malware to over 1.7 million instances of data theft worldwide.
- Distributed via social engineering: LummaC2 was commonly spread through phishing emails, malicious pop-ups, fake software downloads, and cracked programs. It often impersonated trusted brands such as Microsoft and Booking.com.
- Controlled via user panel: Like other MaaS offerings, LummaC2 was run from a centralized web-based control panel that let customers manage infected machines, retrieve stolen data, and push updated payloads.
- Encrypted communications: The malware encrypted its traffic to its command-and-control (C2) infrastructure, making the stolen data harder to spot in network inspection and the C2 protocol harder for researchers to track.
- Ties to dark web markets: Stolen data was often sold on dark web forums, where credentials fetched varying prices based on account type, from email logins to cryptocurrency wallets.
- Rapid updates and obfuscation: LummaC2 developers frequently pushed updates to evade detection by security tools, adding code obfuscation and anti-analysis techniques.
- Global distribution network: LummaC2 used thousands of domains to operate, which were seized in the takedown. It also used Telegram channels for customer support, marketing, and distribution, and Steam profiles as a dead-drop from which infected machines fetched the current C2 address.
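The list above says what an infostealer takes (browser-stored passwords, autofill data, cookies, wallet files) but not how a defender would notice it happening. The following is an added detection example written for this article; it is not code from the takedown, Microsoft, the DOJ, or the LummaC2 operators. It scans constructed file-access telemetry (a made-up EDR-like JSON schema, with hypothetical host, process and user names) and flags any process other than the owning application that reads a known credential store. The file names are the real on-disk names used by Chromium browsers, Firefox and Bitcoin Core; which of them LummaC2 itself reads is not stated on the page and is treated here as an assumption.

```python
"""Flag non-browser processes that read browser credential stores or wallet files.

Added example for this article (not code from the takedown or any vendor).
Input: constructed file-access events, one JSON object per line, in a made-up
EDR-like schema {host, process, pid, path, op}. Output: every (host, process,
pid) that read an artifact it is not the legitimate owner of, and which ones.
"""
import json
import ntpath
from collections import defaultdict

# Real on-disk artifact names -> (what they hold, processes that legitimately
# open them). Any other process reading them is an infostealer-style signal.
# Treating these as the files LummaC2 targets is an assumption, not a page fact.
SENSITIVE_ARTIFACTS = {
    "Login Data": ("Chromium saved passwords", {"chrome.exe", "msedge.exe", "brave.exe"}),
    "Web Data": ("Chromium autofill and payment cards", {"chrome.exe", "msedge.exe", "brave.exe"}),
    "Local State": ("Chromium DPAPI-wrapped master key", {"chrome.exe", "msedge.exe", "brave.exe"}),
    "Cookies": ("Chromium cookies and session tokens", {"chrome.exe", "msedge.exe", "brave.exe"}),
    "logins.json": ("Firefox saved passwords", {"firefox.exe"}),
    "key4.db": ("Firefox password key database", {"firefox.exe"}),
    "wallet.dat": ("Bitcoin Core wallet", {"bitcoin-qt.exe", "bitcoind.exe"}),
}
# Windows file systems are case-insensitive, so match basenames case-insensitively.
_ARTIFACT_BY_LOWER = {name.lower(): name for name in SENSITIVE_ARTIFACTS}

# Constructed sample telemetry (hypothetical hosts, users and process names):
# WS-0142 has an unknown "setup_update.exe" sweeping three stores in a row,
# the pattern described in the article; WS-0201 only shows normal browser use.
SAMPLE_EVENTS = r"""
{"host": "WS-0142", "process": "chrome.exe", "pid": 4120, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "op": "read"}
{"host": "WS-0142", "process": "setup_update.exe", "pid": 7788, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "op": "read"}
{"host": "WS-0142", "process": "setup_update.exe", "pid": 7788, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "op": "read"}
{"host": "WS-0142", "process": "setup_update.exe", "pid": 7788, "path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x9q2.default-release\\logins.json", "op": "read"}
{"host": "WS-0142", "process": "setup_update.exe", "pid": 7788, "path": "C:\\Users\\alice\\Documents\\report.docx", "op": "read"}
{"host": "WS-0201", "process": "firefox.exe", "pid": 3300, "path": "C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\a1b2.default-release\\key4.db", "op": "read"}
{"host": "WS-0201", "process": "bitcoin-qt.exe", "pid": 2210, "path": "C:\\Users\\bob\\AppData\\Roaming\\Bitcoin\\wallet.dat", "op": "write"}
{"host": "WS-0201", "process": "explorer.exe", "pid": 1200, "path": "C:\\Users\\bob\\Documents\\notes.txt", "op": "read"}
"""


def find_suspect_readers(event_lines):
    """Return {(host, process, pid): sorted artifact names} for each process that
    read a sensitive artifact without being one of its legitimate owners."""
    hits = defaultdict(set)
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("op") != "read":          # only reads exfiltrate; writes are the app saving state
            continue
        # ntpath.basename handles Windows backslash paths on any platform.
        name = _ARTIFACT_BY_LOWER.get(ntpath.basename(ev["path"]).lower())
        if name is None:
            continue
        _, allowed = SENSITIVE_ARTIFACTS[name]
        if ev["process"].lower() in allowed:
            continue
        hits[(ev["host"], ev["process"], ev["pid"])].add(name)
    return {key: sorted(names) for key, names in hits.items()}


def report(hits):
    """Render findings; one process touching several stores is the strong signal."""
    lines = []
    for (host, proc, pid), names in sorted(hits.items()):
        severity = "HIGH" if len(names) >= 2 else "MEDIUM"
        detail = "; ".join(f"{n} ({SENSITIVE_ARTIFACTS[n][0]})" for n in names)
        lines.append(f"[{severity}] {host} {proc} (pid {pid}) read {len(names)} credential store(s): {detail}")
    return lines


if __name__ == "__main__":
    for line in report(find_suspect_readers(SAMPLE_EVENTS.splitlines())):
        print(line)
```

In production the allow-list needs tuning for backup agents and endpoint security products that legitimately read these files, and the same basename match should be paired with the parent directory (for example `User Data` for Chromium) to avoid coincidental file names; the one-process-many-stores pattern in the HIGH finding is what distinguishes a stealer from an occasional false positive.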
More Articles from Lawyer Monthly