Microsoft leads global takedown of crypto-stealing Lumma malware network

Microsoft has dismantled the Lumma malware, which infected roughly 400,000 PCs and stole cryptocurrency and personal data from them. The operation involved agencies around the world and seized over 2,300 domains.

A shadowy piece of malware infected nearly 400,000 computers. The malware stole passwords, drained crypto wallets, and evaded security systems across the globe, but Microsoft has just shut it down.

Microsoft has spearheaded an international operation to dismantle the Lumma Stealer, a dangerous malware-as-a-service tool used to siphon off cryptocurrency, banking credentials, and personal data from hundreds of thousands of victims worldwide.

The Lumma malware, which surfaced in 2022, has become a preferred tool among cybercriminals for its ease of deployment and ability to evade detection. Hackers have used it not only to target individuals but also to orchestrate large-scale ransomware campaigns and phishing attacks. 

In many cases, victims were duped through fake emails impersonating companies like Microsoft and Booking.com.

Microsoft’s Digital Crimes Unit (DCU), working alongside the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Center, executed a coordinated takedown of Lumma’s infrastructure. 

A federal court order authorized the seizure of over 2,300 domains and the malware’s central servers, disrupting communications between infected devices and the malware operators.

The individual behind Lumma is known by the alias “Shamel,” believed to be operating out of Russia. Investigators say he used encrypted platforms like Telegram to distribute the malware and coordinate sales to other cybercriminals.

Between March 16 and May 16, Microsoft identified over 394,000 Windows devices infected with Lumma globally. The malware operated by bypassing security protections and extracting login credentials, cryptocurrency wallet keys, and other sensitive data. 

Microsoft and its partners also began redirecting over 1,000 formerly malicious domains to internal servers for analysis, aiding ongoing efforts to understand and neutralize similar threats.

This action represents a significant step in the ongoing global campaign against cybercriminal networks. But as long as criminals can operate with impunity in certain jurisdictions and keep building better tools, these threats will persist.

This past April, Kaspersky, a leader in cybersecurity and antivirus solutions, uncovered cybercriminals embedding harmful software into Microsoft Office add-ins to alter cryptocurrency addresses. The Anti-Malware Research Team at Kaspersky pointed out that while the “officepackage” on SourceForge appears to hold genuine Microsoft Office add-ins, it also contains ClipBanker, a sneaky malware designed to swap out copied crypto wallet addresses with those belonging to the attackers.

“Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected,” Kaspersky warned.
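The clipboard-swap technique Kaspersky describes can be checked for on the defender's side: the address a user explicitly copied should be the one that is later read back from the clipboard. The following script is an added example, not code from Kaspersky or from this article. It replays a constructed log of clipboard events (user copy actions and later clipboard reads), recognises values that look like Bitcoin or Ethereum addresses with simplified patterns (an assumption: the patterns are format checks only, not full address validation), and flags any read where a copied address has been replaced by a different address without a new user copy in between. The event format and the sample addresses are invented for the demonstration.

```python
import re
from dataclasses import dataclass

# Simplified address shapes (assumption: enough to recognise the two common
# formats for this demo; these are not full checksum validators).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def looks_like_wallet_address(text: str) -> bool:
    """True if the text matches one of the simplified wallet-address shapes."""
    value = text.strip()
    return any(p.match(value) for p in ADDRESS_PATTERNS.values())


@dataclass
class ClipboardEvent:
    ts: float        # seconds since start of the log (constructed)
    source: str      # "user" = explicit copy by the user; "read" = clipboard content at paste time
    content: str


def detect_clipboard_swaps(events):
    """Return (ts, copied, observed) tuples for every read where the clipboard
    holds a wallet address different from the address the user last copied.

    A change from a non-address (or to a non-address) is not reported, since
    other applications legitimately write plain text to the clipboard."""
    alerts = []
    last_user_copy = None
    for ev in events:
        if ev.source == "user":
            last_user_copy = ev.content.strip()
            continue
        if last_user_copy is None:
            continue
        observed = ev.content.strip()
        if (observed != last_user_copy
                and looks_like_wallet_address(last_user_copy)
                and looks_like_wallet_address(observed)):
            alerts.append((ev.ts, last_user_copy, observed))
    return alerts


# Constructed sample addresses; they only satisfy the shape checks above.
SAFE_BTC = "1RecipientAddrConstructedExampeAAAA"
ATTACKER_BTC = "1AttackerAddrConstructedExampeBBBB"
SAFE_ETH = "0x" + "ab" * 20

# Constructed clipboard log: one benign copy/paste of plain text, one
# benign copy/paste of an Ethereum address, and one Bitcoin copy whose
# clipboard content has been replaced before the paste.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "user", "meeting notes"),
    ClipboardEvent(1.0, "read", "meeting notes"),
    ClipboardEvent(5.0, "user", SAFE_ETH),
    ClipboardEvent(6.0, "read", SAFE_ETH),
    ClipboardEvent(10.0, "user", SAFE_BTC),
    ClipboardEvent(12.5, "read", ATTACKER_BTC),
]


if __name__ == "__main__":
    for ts, copied, observed in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"t={ts}: clipboard address changed from {copied} to {observed}")
```

The check is deliberately narrow: it only raises an alert when both the copied value and the observed value look like wallet addresses, which is exactly the substitution ClipBanker performs, while ignoring the ordinary clipboard traffic that other programs generate.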

Later that month, AMLBot released a revealing report outlining how numerous wallet-draining operations have embraced a SaaS approach, even marketing their services at IT fairs. Slava Demchuk, CEO of AMLBot, stated, “previously, entering the world of cryptocurrency scams required a fair amount of technical knowledge.” But thanks to Drainer-as-a-Service (DaaS), “getting started isn’t significantly more difficult than with other types of cybercrime.”

Microsoft has called on governments to refrain from offering sanctuary to malware developers and distributors. Microsoft emphasized the need for constant innovation in cybersecurity tactics and reaffirmed its commitment to working with law enforcement and tech partners globally to neutralize evolving threats.

Microsoft’s efforts represent one of the most aggressive takedowns of a malware-as-a-service operation to date, and this could serve as a warning to cybercriminal networks that rely on decentralized infrastructure and cross-border anonymity to evade justice.
