
Dark Side of the Lumma: What the Lumma stealer takedown means for the infostealer market and your personal data

Stephanie Schneider, published June 02, 2025

One chapter in the saga of infostealer malware has ended—at least for now—after a global law enforcement takedown of Lumma Stealer in mid-May. US, European, and Japanese authorities, with help from technology companies including Microsoft and Cloudflare, took down, suspended, or blocked approximately 2,300 malicious domains that formed part of the infostealer’s backbone. The FBI also seized the domains that served as login panels through which other criminals accessed and operated the infostealer. Although this seizure is intended to prevent criminals from using Lumma to compromise computers and steal data, the overall stealer threat will remain prevalent for the foreseeable future.

(Interested in learning more about the infostealer threat outlook? Read the LastPass TIME team’s threat predictions and analysis on what direction infostealers and other threats are heading.)

What is Lumma?

Lumma Stealer, also known as LummaC2, dominated the expanding stealer market with significant campaigns since it emerged as early as late 2022. Since its initial release, Lumma’s developers have released multiple upgraded versions of the software. Before the malware-as-a-service (MaaS) platform was dismantled, the FBI linked Lumma to around 10 million infections globally. Lumma’s follow-on attacks involving stealing credentials, cryptocurrency data, and credit card information have resulted in an estimated $36.5 million USD in credit card theft in 2023. The malware hit individuals and a wide range of industries, including Fortune 500 companies, airlines, universities, banks, and hospitals.

What makes this stealer particularly effective is that it continues to evolve to bypass security layers even as defenders are responding to the threat. On top of grabbing browser-stored passwords and cookies, it’s also capable of extracting autofill data, email credentials, File Transfer Protocol (FTP) data, and two-factor authentication tokens and backup codes. Using its MaaS platform, its creators sold access to the malware on multiple underground markets and platforms like Telegram.

What comes next?

This takedown is a major win for law enforcement and will help disrupt the initial access broker ecosystem in the near term. However, this is an ecosystem that has demonstrated its resilience again and again. The number of existing infostealer families, the open availability of source code from earlier infostealers, and the constant demand create a lucrative environment with very low barriers to entry. Given the resiliency of this market, other infostealers will likely step in quickly to fill the gap left by the Lumma takedown.

A similar pattern played out after previous takedowns. On October 28, 2024, Operation Magnus disrupted the RedLine and META infostealers. RedLine was a significant stealer last year up until the takedown, after which Lumma grew in popularity and took over a portion of the market share RedLine had held. RedLine infected 9.9 million hosts, or 43% of all infostealer infections observed by Flashpoint in 2024. The next four most prolific infostealers in 2024, RisePro, StealC, Lumma Stealer, and Meta Stealer, infected a combined 7 million hosts.

We expect something similar to follow the Lumma Stealer takedown operation. The disruption effect is real, but there are still some new infections, as well as logs for sale that were likely stolen before the infrastructure was taken down. Dismantling Lumma’s infrastructure also does not remove the data it already stole: much of it likely continues to live on the dark web, thanks to the cybercriminal ecosystem that resells this information. Check Point has further reported that Lumma’s developers are already trying to rebuild and restart their operations, which may or may not succeed. As SpyCloud’s Trevor Hilligoss shared, daily new Lumma infections have trended downward since the takedown, but not as sharply as expected. Continued monitoring will be necessary to determine the takedown’s impact.

Long-standing families such as Vidar and StealC are good examples of the stealers likely to step in, and newer families such as Acreed will also be well positioned to increase their market share. ReliaQuest has already reported that Acreed is rapidly gaining traction following the Lumma takedown: over 4,000 logs stolen by Acreed were reportedly uploaded to the Russian Market within its first week of operation. Nexus has also gained some traction over the past week in Lumma’s absence. Further, former affiliates and/or administrators of Lumma itself may split off to create their own offerings.


Daily new LummaC2 infections (Source: Trevor Hilligoss)

How to protect yourself against infostealers

The threat from infostealers will remain very real for the foreseeable future and will continue to adapt. Stealers are often used in indiscriminate campaigns, and the sheer volume of stolen data already dumped on the internet is immense. That means anyone is fair game and should act on the assumption that they could be targeted.

  • Use strong, unique passwords for every account. This prevents credential stuffing attacks, a common tactic in which threat actors replay stolen username and password pairs against other services. That way, if one password is exposed, it won’t give access to all your other accounts where you would otherwise have reused the same password. Also consider using a password manager to store them securely and conveniently.
  • Enable MFA on your accounts. While this measure isn’t failproof on its own, it adds an additional layer of defense and makes you a harder target.
  • Be on guard for phishing attempts. Infostealers often spread through phishing emails and malicious downloads.
  • Check HaveIBeenPwned to monitor potential exposure if you’re worried you may have been infected by an infostealer.
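As an added example, not part of the original post: HaveIBeenPwned’s Pwned Passwords range API lets you check whether a password has appeared in known breach data without sending the password or even its full hash; only the first five hex characters of its SHA-1 digest leave your machine (the k-anonymity model). The range endpoint and its SUFFIX:COUNT response format are HIBP’s documented ones; the function names, the User-Agent string, and the sample range response below are constructed for this example so it runs offline, and `fetch_range` is the only part that talks to the live service.

```python
from __future__ import annotations
import hashlib
import urllib.request

# Real endpoint of the HIBP Pwned Passwords range API (k-anonymity model).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6, NOT real API data.
# Each line is "<35-char SHA-1 suffix>:<breach count>". The last suffix is the
# real SHA-1 suffix of the string "password"; the count is made up.
SAMPLE_RANGE_5BAA6 = """\
00000000000000000000000000000000AAA:1
00000000000000000000000000000000BBB:7
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

def split_sha1(password: str) -> tuple[str, str]:
    """(5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def exposure_count(password: str, range_body: str) -> int:
    """Breach count for the password given the range body for its prefix.
    0 means the suffix was not in the range, i.e. no known exposure."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)

def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the live range for a 5-char prefix (network required). Only the
    prefix is sent; the password and its full hash never leave this machine."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def check_password_live(password: str) -> int:
    """Live check: one request with the prefix, then a local suffix lookup."""
    prefix, _ = split_sha1(password)
    return exposure_count(password, fetch_range(prefix))
```

This checks a password string for exposure; checking whether an email address appears in a breach uses HIBP’s separate breached-account service, which requires an API key.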