On Wednesday, Microsoft announced a major takedown of the Lumma Stealer malware project, conducted in collaboration with international law enforcement agencies. In a blog post, the tech giant revealed that its Digital Crimes Unit (DCU) identified over 394,000 Windows computers infected with Lumma malware globally between March 16 and May 16.

Lumma: A Go-To Tool for Cybercriminals

Since at least 2022, hackers have been purchasing the Lumma malware through underground online forums. During this time, developers were “continually improving their capabilities,” making the malware the “go-to tool for cybercriminals and online threat actors” due to its ease of propagation and ability to circumvent certain security measures with the correct programming.

Court Order Helps Disable Malware Infrastructure

According to Microsoft, a court order from the U.S. District Court for the Northern District of Georgia enabled its Digital Crimes Unit to take down the web domains that supported Lumma’s backend infrastructure. After that, Lumma’s “central command structure” was taken over by the U.S. Department of Justice, which also successfully shut down internet marketplaces where the malware was being peddled.

Japan and Europol Join the Global Operation

The cybercrime control center of Japan “facilitated the suspension of locally based Lumma infrastructure,” the blog post said.

“Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims,” Microsoft said in the post.

“Moreover, more than 1,300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes.”

Industry Partners Also Contributed

Tech industry leaders, including Cloudflare, Bitsight, and Lumen, collaborated with Microsoft to break down the broader Lumma malware ecosystem. Their support played a key role in cutting off critical infrastructure used by cybercriminals.

Real-World Examples of Lumma in Action

One recent case cited by Microsoft involved a March 2025 phishing campaign, in which criminals posed as Booking.com representatives to trick users. Using Lumma malware, they carried out financial fraud through this elaborate scheme. Microsoft also noted that Lumma has been used to target online gaming communities and educational institutions, while other cybersecurity firms have reported attacks on manufacturing, logistics, healthcare, and critical infrastructure sectors.