
Nearly 400,000 Windows PCs worldwide were infected with a sophisticated malware capable of stealing sensitive financial data before Microsoft and global law enforcement agencies successfully dismantled the criminal operation.
Key Takeaways
- Lumma Stealer malware infected 394,000 Windows computers globally between March 16 and May 16, 2025, targeting banking details, passwords, and cryptocurrency wallets.
- Microsoft collaborated with the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Center to disrupt the malware’s infrastructure, seizing five internet domains.
- The malware used sophisticated techniques including phishing emails, malvertising, and abuse of legitimate services to evade detection.
- Microsoft obtained a court order from the U.S. District Court of Northern Georgia to take down the operation and is pursuing legal action against the perpetrators.
- Experts recommend strengthening security configurations, requiring multifactor authentication, and using phishing-resistant verification to protect against similar threats.
Massive Cybersecurity Threat Dismantled
Microsoft has revealed the successful takedown of a dangerous malware operation that infected nearly 400,000 Windows computers across the globe. The malicious software, known as Lumma Stealer, operated between March 16 and May 16, 2025, harvesting sensitive data including banking credentials, credit card information, passwords, and cryptocurrency wallet details. This coordinated effort involved Microsoft’s Digital Crimes Unit working alongside international law enforcement agencies to disrupt the cybercriminal infrastructure responsible for distributing the malware.
The FBI’s Dallas Field Office is currently investigating the case while Microsoft pursues legal action against those responsible. Through court proceedings, Microsoft obtained an order from the U.S. District Court of the Northern District of Georgia authorizing the takedown of the malware’s command and control infrastructure. This decisive action prevented further exploitation of victims’ personal and financial information by effectively cutting off the criminals’ access to stolen data.
Sophisticated Criminal Operation
Lumma Stealer represents a growing trend in cybercrime known as “Malware as a Service (MaaS)”, where criminal developers create sophisticated tools that they then rent to other criminals. This business model has dramatically lowered the barrier to entry for cybercrime, allowing less technically skilled criminals to conduct advanced attacks. Lumma was particularly favored by cybercriminals due to its evasion techniques and ability to bypass security systems.
“Lumma Stealer emails impersonate known brands and services to deliver links or attachments,” according to Microsoft Threat Intelligence.
The malware employed a multifaceted distribution strategy that included phishing emails, malicious advertising, drive-by downloads, trojanized applications, and abuse of legitimate services. It utilized advanced techniques like EtherHiding and ClickFix to avoid detection by security software. Once installed on a victim’s computer, Lumma would systematically steal browser credentials, cryptocurrency wallet information, and sensitive documents before transmitting them to command and control servers hidden behind Cloudflare proxies.
Global Response and Protective Measures
The successful operation against Lumma Stealer involved coordinated efforts between Microsoft, the U.S. Department of Justice, Europol’s European Cybercrime Center, and Japan’s Cybercrime Control Center. Together, these agencies seized five internet domains used by the malware operators and dismantled approximately 2,300 malicious domains related to the operation. This international collaboration demonstrates the growing recognition that fighting cybercrime requires coordinated global responses.
“The growth and resilience of Lumma Stealer highlight the broader evolution of cybercrime and underscore the need for layered defenses and industry collaboration to counter threats,” according to Microsoft.
To protect against similar threats, Microsoft recommends strengthening Microsoft Defender configurations, requiring multifactor authentication for all users, and implementing phishing-resistant authentication methods. The company has also provided detailed detection information and hunting queries to help organizations identify Lumma Stealer activity on their networks. This proactive approach to security reflects the ongoing battle between cybersecurity professionals and increasingly sophisticated criminal operations targeting our personal and financial information.
“Microsoft remains committed to sharing insights, developing protections, and working with partners across industries to disrupt malicious ecosystems and safeguard users worldwide,” affirmed Microsoft Threat Intelligence.