
Lumma Stealer Disruption: A Comprehensive Analysis of the World's Most Prolific Infostealer Takedown

Published on May 26, 2025
Figure: Lumma Stealer takedown 2025 overview - 394K infected systems, 2,300 seized domains, and Sphere threat intelligence data

Executive Summary

On May 13, 2025, Microsoft's Digital Crimes Unit (DCU), in coordination with international law enforcement agencies including Europol's European Cybercrime Center (EC3), the U.S. Department of Justice, and Japan's Cybercrime Control Center (JC3), executed a landmark operation to disrupt the infrastructure of Lumma Stealer—the world's most significant infostealer threat. This coordinated takedown represents one of the most comprehensive actions against malware-as-a-service (MaaS) operations to date, resulting in the seizure of approximately 2,300 malicious domains and the disruption of critical command-and-control infrastructure.

Between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by Lumma malware, highlighting the unprecedented scale and reach of this cybercriminal enterprise. This report provides a detailed analysis of the takedown operation, supported by threat intelligence data from Alphatechs' Sphere platform, which demonstrates the broader implications of this disruption for the cybersecurity landscape.

Background: The Lumma Stealer Threat Landscape

Malware Overview

Lumma Stealer, also known as LummaC2, emerged as a Malware-as-a-Service offering in late 2022, quickly establishing itself as the preferred tool for cybercriminals worldwide. The malware impersonates trusted brands, including Microsoft, and is deployed via spear-phishing emails and malvertising, among other vectors. Its popularity stems from three key characteristics:

  • Ease of distribution: Simple deployment mechanisms requiring minimal technical expertise.
  • Detection evasion: Advanced capabilities to bypass traditional security defenses.
  • Monetization efficiency: Streamlined processes for stealing and monetizing sensitive data.

Operational Model

The primary developer of Lumma is based in Russia and goes by the internet alias "Shamel." Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums. The operation functioned as a sophisticated business model, complete with:

  • Tiered service offerings: Multiple subscription levels for different cybercriminal needs.
  • Brand development: Distinctive bird logo symbolizing "peace, lightness, and tranquility".
  • Customer support: Professional-grade support systems for criminal clients.
  • Marketplace integration: Dedicated platforms for selling stolen credentials.

In a November 2023 interview, Shamel disclosed having "about 400 active clients," demonstrating the scale of the criminal ecosystem built around Lumma Stealer.

Global Impact and Geographic Distribution

Methodology and Data Collection

Alphatechs' Sphere threat intelligence platform maintains continuous monitoring of global infostealer activities. Following the May 13, 2025 Lumma Stealer takedown, we conducted a focused analysis of the 62-day period from March 20 to May 20, 2025, to assess the threat landscape surrounding this major disruption operation. This analysis, covering 881,387 compromised systems across multiple threat vectors, provides crucial insights that complement the official takedown statistics.

Visual Data Analysis

The following visualizations provide comprehensive insights into the threat landscape during the monitoring period. These graphs illustrate the scale and distribution of infostealer activities, offering a detailed view of infection patterns, threat attribution, and security control effectiveness.

Graph 1: Daily Systems Infected Distribution - Temporal analysis showing daily infection volumes across the 62-day monitoring period, revealing operational patterns and campaign intensities.

Graph 2: Complete Infostealer Family Distribution - Comprehensive breakdown of all 10 identified stealer families plus unknown threats, demonstrating the threat attribution landscape.

Graph 3: Antivirus Installation Failures - Analysis of security software present on compromised systems, highlighting the effectiveness gaps in current endpoint protection solutions.

Key Findings

Daily Infection Patterns

Our analysis revealed significant variations in daily infection rates:

  • Minimum daily infections: 6,188 systems (March 31, 2025)
  • Peak daily infections: 26,758 systems (May 11, 2025)
  • Average daily infections: ~14,200 systems
  • Total monitored period: 62 days (March 20 - May 20, 2025)

The data demonstrates sustained high-volume infection rates throughout the monitoring period, with notable spikes that may correlate with specific campaign launches or infrastructure changes. The daily distribution chart (Graph 1) illustrates the temporal patterns of system compromises, revealing both baseline infection levels and significant operational peaks that may indicate coordinated attack campaigns.
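To make the distinction between baseline infection levels and operational peaks concrete, the following added example (not part of the original report, and not Sphere's method) computes the minimum, peak and average figures quoted above over a constructed 14-day series and flags spike days against a rolling-median baseline. The window size and 1.5x threshold are assumptions chosen for illustration.

```python
from statistics import median, mean
from datetime import date, timedelta

# Constructed sample: daily counts of newly observed compromised systems over
# 14 days, with one dip and one spike. Illustrative values, not Sphere telemetry.
START = date(2025, 5, 1)
DAILY_COUNTS = [14100, 13800, 14500, 13950, 14300, 6200, 14050,
                14400, 13700, 14200, 26700, 14150, 13900, 14350]


def summarize(counts, start):
    """Return the min/peak/average figures the report quotes, with their dates."""
    lo, hi = min(counts), max(counts)
    return {
        "min": (lo, start + timedelta(days=counts.index(lo))),
        "peak": (hi, start + timedelta(days=counts.index(hi))),
        "average": round(mean(counts)),
        "days": len(counts),
    }


def flag_spikes(counts, window=7, factor=1.5):
    """Flag days whose count exceeds `factor` times the median of the preceding
    `window` days. The rolling-median baseline and threshold are a heuristic
    chosen for this example (an assumption, not the report's method); the median
    is used because a mean would be pulled down by a dip or up by the spike itself.
    Returns (day_index, count, baseline) tuples."""
    spikes = []
    for i in range(window, len(counts)):
        baseline = median(counts[i - window:i])
        if counts[i] > factor * baseline:
            spikes.append((i, counts[i], baseline))
    return spikes


if __name__ == "__main__":
    print(summarize(DAILY_COUNTS, START))
    for i, n, base in flag_spikes(DAILY_COUNTS):
        print(f"{START + timedelta(days=i)}: {n} systems vs. baseline {base}")
```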

Infostealer Family Distribution

Analysis of the complete threat landscape reveals the dominance of specific malware families:

Identified Threats (47.1% of total infections):

  1. Lumma Stealer: 242,091 infections (27.5% of total systems)
  2. RedLine Stealer: 135,343 infections (15.4% of total systems)
  3. Vidar: 17,649 infections (2.0% of total systems)
  4. Octopus: 7,544 infections (0.9% of total systems)
  5. Meta: 7,416 infections (0.8% of total systems)
  6. Nexus: 1,929 infections (0.2% of total systems)
  7. StealC: 1,735 infections (0.2% of total systems)
  8. Taurus: 880 infections (0.1% of total systems)
  9. Mystic: 650 infections (0.1% of total systems)
  10. Raccoon: 63 infections (0.01% of total systems)

Unknown/Unattributed: 466,087 infections (52.9% of total systems)

The stealer distribution visualization (Graph 2) provides a comprehensive view of all identified infostealer families active during the monitoring period. Notably, the largest segment represents unknown or unattributed threats, reflecting the complex attribution challenges posed by rapidly evolving malware variants, polymorphic techniques, and sophisticated evasion methods. These attribution difficulties highlight that over half of all infections stem from threats that are either genuinely novel, represent advanced variants of known families, or employ techniques that successfully obscure their identification and classification.

Security Solution Effectiveness Analysis

Critical findings regarding antivirus protection on compromised systems reveal significant gaps in current security postures:

Top Antivirus Products on Infected Systems:

  1. Windows Defender: 442,070 installations (56.2% of detected AV)
  2. Unknown/Other: 311,297 installations (39.6%)
  3. McAfee: 7,782 installations (1.0%)
  4. Avast: 7,013 installations (0.9%)
  5. Norton: 2,559 installations (0.3%)

Security Implications:

  • Total antivirus failures: 786,041 installations that failed to prevent infection
  • Windows Defender represented the majority of failed protections
  • Premium security solutions also demonstrated significant failure rates

The antivirus distribution analysis (Graph 3) reveals a sobering reality about current endpoint protection effectiveness. This data represents antivirus software that was installed on systems at the time of compromise, indicating that traditional signature-based and behavioral detection methods are insufficient against modern infostealer techniques. The predominance of Windows Defender failures (56.2%) suggests that default Windows security configurations may require enhancement, while the presence of premium solutions among failed protections indicates that even advanced commercial security products struggle against sophisticated evasion techniques employed by contemporary malware families.

Conclusion

The coordinated takedown of Lumma Stealer infrastructure represents a milestone in global cybersecurity cooperation. The operation's success demonstrates the effectiveness of combining legal action, technical expertise, and international collaboration to disrupt sophisticated cybercriminal enterprises.

However, the threat intelligence data from Sphere reveals the broader challenge facing the cybersecurity community. With 52.9% of infections attributed to unknown or unidentified threats, and significant failure rates among established security solutions, the cybersecurity landscape continues to evolve rapidly.

The Lumma Stealer case underscores several critical lessons:

  1. Scale of the threat: Modern malware-as-a-service operations operate at unprecedented scales, affecting hundreds of thousands of systems globally.
  2. Security solution gaps: Traditional antivirus solutions, including Windows Defender, demonstrate significant limitations against modern infostealers.
  3. Collaboration effectiveness: Coordinated public-private partnerships can achieve meaningful disruption of cybercriminal infrastructure.
  4. Persistent threats: Cybercriminals will likely attempt to rebuild infrastructure, requiring sustained monitoring and response capabilities.

As the cybersecurity community continues to adapt to evolving threats, the Lumma Stealer takedown provides a valuable blueprint for future disruption operations.

However, experience from previous major takedowns, such as the RedLine Stealer disruption, reveals two common patterns in the cybercriminal ecosystem's response: either new malware families rapidly emerge to fill the operational void, or the disrupted operation itself attempts to rebuild with enhanced evasion capabilities.

The question facing the cybersecurity community is whether Lumma's operators will successfully restore the infrastructure—potentially with improved resilience against future takedowns—or whether emerging competitors will permanently claim the market leadership position. Either outcome typically occurs with remarkable speed in the dynamic threat landscape.

Note:

This analysis was prepared by Alphatechs using data from the Sphere threat intelligence platform and publicly available information from Microsoft, Europol, and other participating organizations. The findings represent observations from March 20 - May 20, 2025, and contribute to the broader understanding of the global infostealer threat landscape.

References:

https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/

https://www.europol.europa.eu/media-press/newsroom/news/europol-and-microsoft-disrupt-world%E2%80%99s-largest-infostealer-lumma
