
International Collaboration Removes Lumma Stealer, with Microsoft Taking the Helm

Hackers frequently employ the Lumma infostealer malware for illicitly acquiring login credentials, credit card information, and digital currency wallets.

International coalition targets and dismantles Lumma Stealer malware operation, with Microsoft playing a significant role in the operation.


Lumma Stealer, an advanced infostealing malware, has become one of the most active and notorious threats in the cybercrime world, specialising in stealing sensitive data such as passwords, credit card information, bank account details, and cryptocurrency wallets [2][3].

**Resilience and Global Impact**

First emerging in late 2022, Lumma Stealer has proven to be a resilient threat, remaining highly active through 2025. Despite numerous takedown efforts, parts of its infrastructure remained operational as recently as June 2025 [1]. In May 2025, Europol led a major international operation to dismantle Lumma Stealer’s infrastructure in partnership with multiple cybersecurity and law enforcement entities, underscoring its significance in the global cybercrime ecosystem [2].

**Distribution and Evasion Tactics**

Lumma Stealer employs stealthy distribution techniques, using public platforms such as GitHub and Discord’s content delivery network to distribute its payloads, making it difficult to detect [2]. Collaborative operations involving Trend Micro and INTERPOL, such as Operation Secure, have contributed to disrupting Lumma Stealer campaigns and bolstering global cyber defense strategies [2].
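The detection difficulty described above comes from the payload hosts being legitimate, widely used platforms, so blocking the domains outright is rarely an option. A defender can still surface the abuse pattern by looking at what is being fetched from those hosts. The script below is an added example written for this article, not tooling from Microsoft, Europol, Trend Micro or any other party it names; the proxy-log format, hostnames grouped as "public file hosts", and every log line are constructed for illustration.

```python
"""Flag executable or archive downloads served from public file-hosting
platforms (GitHub, Discord CDN) in web-proxy logs.

Added example for this article; the log format and sample lines below are
constructed, and the host list is an assumption about which platform
hostnames deliver user-uploaded files.
"""
import re
from urllib.parse import urlparse

# Public platforms named in the article as abused for payload hosting.
# These are well-known legitimate domains, not indicators of compromise.
PUBLIC_FILE_HOSTS = {
    "cdn.discordapp.com",
    "media.discordapp.net",
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
}

# Extensions a chat or code-hosting session has little reason to fetch in a
# business context; a triage signal, not an exhaustive list.
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".msi", ".scr", ".zip", ".rar",
                      ".7z", ".js", ".vbs", ".bat", ".ps1")

# Content types that indicate a binary or archive regardless of the URL path.
PAYLOAD_MIME_TYPES = {
    "application/x-msdownload", "application/x-dosexec",
    "application/zip", "application/x-rar-compressed",
    "application/octet-stream",
}

# Constructed log format: timestamp client_ip method url status content_type bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one constructed-format proxy line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    return entry


def is_suspicious_download(entry):
    """Return a reason string if the entry looks like a payload fetched from a
    public file host, otherwise None."""
    if entry["method"] != "GET" or entry["status"] != 200:
        return None  # redirects and failures carry no payload
    parsed = urlparse(entry["url"])
    host = parsed.hostname or ""
    if host not in PUBLIC_FILE_HOSTS:
        return None
    if parsed.path.lower().endswith(PAYLOAD_EXTENSIONS):
        return f"executable/archive path on {host}"
    mime = entry["ctype"].split(";")[0]
    if mime in PAYLOAD_MIME_TYPES:
        return f"binary content-type {mime} from {host}"
    return None


def find_suspicious(lines):
    """Return (client_ip, url, reason) for every line that trips the check."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = is_suspicious_download(entry)
        if reason:
            hits.append((entry["client"], entry["url"], reason))
    return hits


# Constructed sample traffic: two benign fetches, one redirect, one binary from
# an internal host (out of scope for this rule), two hits, one malformed line.
SAMPLE_LOG = [
    "2025-05-21T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/screenshot.png 200 image/png 48213",
    "2025-05-21T10:01:09Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/333/Setup_v2.exe 200 application/octet-stream 1830912",
    "2025-05-21T10:02:30Z 10.0.0.7 GET https://raw.githubusercontent.com/example-org/notes/main/README.md 200 text/plain 2210",
    "2025-05-21T10:02:44Z 10.0.0.7 GET https://github.com/example-org/tool/releases/download/v1.0/tool.zip 302 text/html 0",
    "2025-05-21T10:02:45Z 10.0.0.7 GET https://objects.githubusercontent.com/github-production-release-asset/abc123 200 application/zip 940211",
    "2025-05-21T10:03:00Z 10.0.0.9 GET https://intranet.example.local/apps/installer.exe 200 application/x-msdownload 5100200",
    "malformed line",
]

if __name__ == "__main__":
    for client, url, reason in find_suspicious(SAMPLE_LOG):
        print(f"{client}  {reason}\n    {url}")
```

Two of the constructed lines are flagged: the `.exe` attachment from the Discord CDN and the `application/zip` release asset from GitHub's object store. Developers legitimately fetch GitHub release archives, so this is a triage signal to correlate with endpoint telemetry (what process wrote the file, what ran afterwards), not a blocking rule; the internal-host installer is deliberately out of scope because the rule targets the public-platform abuse the article describes, not executables in general.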

**Notable Attacks**

One of the most notable attacks linked with Lumma Stealer was the data breach at Schneider Electric, which resulted in the theft of 40GB of data and subsequent blackmail attempts connected to the Lumma infection [5]. While the available reporting does not explicitly detail Lumma Stealer's involvement in the attack on Booking.com or in Scattered Spider's operations, its widespread use and the robust international law enforcement response suggest a role in facilitating major breaches globally.

**Associations and Usage**

Lumma Stealer has been linked to the cybercrime gang Scattered Spider, highlighting its wide reach and influence in the cybercrime landscape [6]. Threat actors find infostealers like Lumma attractive because they can target less secure personal devices with corporate credentials and tokens saved [7]. Lumma is often used by cybercriminals as a tool to gain initial access to accounts or sensitive information for further cybercrimes like ransomware and fraud [8].

**Disruption Efforts**

Microsoft, with a court order from the U.S. District Court for the Northern District of Georgia, seized 2,300 domains that supported Lumma's infrastructure. The U.S. Department of Justice also seized Lumma's central command structure and disrupted online marketplaces selling Lumma [8].

In conclusion, Lumma Stealer has significantly impacted the global cybercrime landscape by enabling credential theft and data exfiltration at scale. Its sophisticated distribution techniques and resilience have made it a high-priority target for international disruption efforts, with ongoing impact on critical organisations worldwide. However, publicly available information does not provide direct evidence of Lumma Stealer’s involvement specifically in the Booking.com attack or in attacks attributed to Scattered Spider [1][2][3][5].

  1. Despite numerous efforts by cybersecurity agencies and technology companies to dismantle its infrastructure, Lumma Stealer, a malware known for stealing sensitive data, has remained one of the most active and notorious threats in the cybercrime world.
  2. The resilient nature of Lumma Stealer, which continues to operate even after takedown attempts, highlights its significance in the global cybercrime ecosystem, as it presents a serious threat to individuals and organizations alike.
  3. The use of Lumma Stealer by cybercriminals often serves as a stepping stone for further cyberattacks such as ransomware or fraud, emphasizing the importance of strong cybersecurity measures to protect against such threats.
