Microsoft takes legal action against Lumma Stealer
Overview
Earlier this month, a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer operation seized thousands of domains, part of its infrastructure backbone worldwide.
Microsoft Threat Intelligence observed the persistent growth and operational sophistication of Lumma Stealer, an info-stealing malware used by multiple financially motivated threat actors to target various industries.
According to FBI Deputy Assistant Director for Cyber Operations Brett Leatherman, who called it the "most prolific information stealer for sale in online criminal markets," Lumma has been used in at least 1.7 million instances of this kind of data theft since November 2023.
Authorities have seized key infrastructure of a malware service used to steal crypto wallet data and other credentials from millions.
ExtremeTech on MSN
Malware-as-a-Service (MaaS) Hits 390K+ PCs in 3 Months as Microsoft Fights Back
Between March and May 2025, Microsoft found more than 394,000 computers infected with Lumma Stealer worldwide. Over 1,300 of the seized domains will now redirect to Microsoft "sinkholes," which are special servers that safely collect data from infected computers to help experts study the threat and protect users.