In brief
- U.S. and international authorities have seized key infrastructure tied to the LummaC2 info-stealer
- The malware targets information such as crypto wallet seed phrases
- Lumma is linked to over 1.7 million theft attempts and 394,000 infections globally, according to Microsoft
Law enforcement agencies have seized key infrastructure linked to LummaC2, a malware operation that targeted millions of victims worldwide, including by stealing crypto wallet seed phrases, according to a U.S. Department of Justice announcement on Wednesday.
The seizures were part of a coordinated international effort involving the DOJ, Europol, Japan's Cybercrime Control Center, Microsoft, and private cybersecurity partners.
Following the initial DOJ seizure of two websites on May 19, Lumma administrators scrambled to establish three new domains, only to have those seized the next day.
Microsoft additionally identified over 394,000 infections on Windows systems globally between March and May 2025. Through a civil action filed earlier this month, Microsoft’s Digital Crimes Unit seized and disabled over 2,300 domains supporting Lumma’s infrastructure.

"Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft," said Matthew R. Galeotti, head of the DOJ's Criminal Division, in a statement.
Malware on the decline
Malware isn’t as popular as it once was.
According to CrowdStrike's 2025 Global Threat Report, there has been a shift towards malware-free attacks over the past five years as attackers move to stealthier methods such as phishing, social engineering, access broker services, and trusted relationship abuse.
Last year, 79% of attacks it detected were malware-free, compared to 40% in 2019.
Nevertheless, that doesn’t mean there aren’t willing buyers for Malware-as-a-Service tools like Lumma, which allow relatively unsophisticated threat actors to access advanced capabilities.
The FBI has identified at least 1.7 million theft attempts using Lumma alone.
Crypto wallets are common targets. Earlier this month, researchers identified fake AI bots spreading malware targeting crypto traders, while Inferno Drainer has stolen more than $9 million from wallets over the last six months.

Evolving theft
Launched around 2022, Lumma has evolved through multiple iterations and is controlled by a Russian developer known online as "Shamel."
Operating openly via Telegram and Russian-language forums, Shamel markets Lumma in tiered service packages that allow buyers to customize, distribute, and track stolen data.
One notable campaign using Lumma involved fake emails impersonating Booking.com that were used to steal login credentials and empty bank accounts.
The malware has also been linked to attacks on education systems, gaming communities, and critical infrastructure sectors, including healthcare and logistics. Its stealth and flexibility have made it a favored tool among high-profile ransomware groups such as Octo Tempest.
Microsoft said it was continuing to monitor emerging variants of Lumma, warning that the malware remains a potent threat even as its core infrastructure is being dismantled.
Edited by Sebastian Sinclair