Microsoft and European law enforcement agencies have successfully disrupted Lumma Stealer, described as the world’s most significant information-stealing malware threat, after identifying more than 394,000 infected Windows computers globally.
The joint operation, coordinated by Europol’s European Cybercrime Centre between 16 March and 16 May 2025, targeted the sophisticated criminal ecosystem that enabled large-scale exploitation of stolen personal and financial data.
Microsoft’s Digital Crimes Unit worked alongside international partners to disrupt Lumma’s technical infrastructure, severing communications between the malicious software and victims’ computers. More than 1,300 domains were seized or transferred to Microsoft, including 300 domains actioned by law enforcement with Europol’s support, which will now be redirected to Microsoft sinkholes.
“This operation is a clear example of how public-private partnerships are transforming the fight against cybercrime,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre. “By combining Europol’s coordination capabilities with Microsoft’s technical insights, a vast criminal infrastructure has been disrupted. Cybercriminals thrive on fragmentation – but together, we are stronger.”
Lumma Stealer operated as a malware-as-a-service offering, enabling cybercriminals to steal data from browsers, cryptocurrency wallets, and various applications before selling the information through a dedicated marketplace. The software was capable of harvesting saved passwords, session cookies, financial data, and personal documents from compromised devices.
The malware’s distribution methods were particularly sophisticated, employing multiple delivery vectors including phishing emails impersonating known brands, malicious advertisements in search results, compromised websites, and fake applications distributed through file-sharing platforms. In some cases, threat actors used deceptive techniques such as fake CAPTCHA pages to trick users into executing malicious commands.
Microsoft’s investigation revealed that Lumma affiliates included ransomware groups and other financially motivated threat actors. The malware demonstrated remarkable resilience through its dynamic infrastructure, with operators continually rotating domains and exploiting legitimate cloud services to evade detection.
The United States Department of Justice seized Lumma’s control panel, whilst collaboration with Japan’s Cybercrime Control Center led to the suspension of infrastructure based in Japan. The operation was conducted under Article 26 of Europol’s Regulation, which permits collaboration with private parties to combat serious crime.
Microsoft described the operation as part of its broader strategy to deliver security through public-private partnerships, emphasising that the fight against cyber threats cannot be won by law enforcement alone.
