Dismantling of the Lumma infostealer cybercrime network

Posted date 10/07/2025

Europol and Microsoft carried out a joint operation to dismantle Lumma, considered the most widespread infostealer in recent years. Between March and May 2025, Microsoft detected more than 394,000 computers infected by Lumma. In a coordinated action involving Europol, Microsoft's Digital Crimes Unit (DCU) and other international partners such as the U.S. Department of Justice and the Japan Cybercrime Control Center, Lumma's technical infrastructure was disrupted, blocking its communications with victims. In addition, more than 1,300 domains linked to the malware were seized and redirected to Microsoft DNS sinkholes.

Lumma is a tool that allowed cybercriminals to collect sensitive data from compromised devices on a large scale. Stolen credentials, financial data and personal information were collected and sold through a specialized marketplace, making Lumma a central tool for identity theft and fraud worldwide. This Lumma marketplace functioned as a hub for buying and selling malware, providing criminals with quick access to advanced data theft functionality.

Europol played the coordinating role by sharing intelligence between European countries, supporting Microsoft's investigations and facilitating a rapid response. The operation also included the shutdown of the malware control panel in the United States, which cybercriminals used to manage infected computers, and the suspension of infrastructure based in Japan, significantly weakening the criminal network behind Lumma.