A spectacular global operation against cybercriminals has drawn worldwide attention. In May 2025, a powerful international coalition—comprising Europol, the FBI, Microsoft, and other agencies—carried out a major takedown targeting the infrastructure of Lumma Infostealer, which experts from Check Point Research have described as one of the most dangerous data theft tools in history. In just three months, the malware infected nearly 400,000 Windows devices.
Known as Lumma or LummaC2, this Malware-as-a-Service (MaaS) has been active since 2022, enabling hackers to steal login credentials, financial information, and cryptocurrency wallet contents from both companies and individuals. Due to its flexibility and effectiveness, Lumma became a favorite tool among notorious cybercriminal groups like Scattered Spider and Angry Likho.
A Historic Takedown
The joint law enforcement operation, conducted on May 21, 2025, was unprecedented in scope. Authorities seized over 2,300 domains, blocked command-and-control (C2) servers, and wiped out backup copies. Although the primary server—located in Russia—remained out of reach for law enforcement, the coalition managed to exploit a vulnerability in Dell’s iDRAC system to infiltrate and neutralize it. The move was hailed as a milestone in cooperation between security agencies and the tech industry.
But within days, the situation took a surprising turn.
Lumma’s Resurrection?
Just days after the operation, Lumma’s developer, known online as “Shamel”, announced on underground cybercrime forums that “everything has been restored” and that operations were returning to normal. Despite the heavy blow dealt to its infrastructure, Lumma’s strong reputation among cybercriminals is helping fuel its comeback.
“This is not just a technical takedown—this is also a fight for reputation,” said Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software. “The Lumma developers are trying to make it appear as if everything is fine, but trust within the cybercrime community is beginning to crack. The coming weeks will be crucial.”
Although the international coalition and Microsoft scored a clear victory, Lumma has not been fully eliminated. The cybercrime community is closely watching how the situation unfolds, with many expecting a return to full functionality or a relaunch in a more covert format.
Into the Shadows?
Some security analysts speculate that Lumma may now go underground, operating in smaller, closed circles to avoid further disruption. This would make detection and neutralization far more difficult, as underground forums and malware markets become harder to penetrate.
Staying Ahead of the Threat
In light of these developments, cybersecurity experts emphasize the need for robust protective measures—such as antivirus solutions with built-in firewalls and data protection features. They warn that the fight against cybercrime is a constant cat-and-mouse game, where victories can be short-lived unless backed by vigilance and adaptability.
“Successes like this takedown are critical,” said one analyst, “but without continued awareness, evolving defenses, and international cooperation, such threats will always find a way to resurface.”
Source: ManagerPlus.pl – Hackers Restore Dangerous Malware That Infected 400,000 Devices in Three Months