Lumma, Microsoft and malware
Microsoft Threat Intelligence observed the persistent growth and operational sophistication of Lumma Stealer, an info-stealing malware used by multiple financially motivated threat actors to target various industries.
US, European, and Japanese authorities, along with tech companies including Microsoft and Cloudflare, say they’ve disrupted Lumma, an infostealer popular with criminal gangs.
Earlier this month, a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer operation seized thousands of domains, part of its infrastructure backbone worldwide.
The bustling enterprise, recently disrupted by a global effort including ESET, is notorious for going after all manner of sensitive data, including passwords, credit card numbers, and cryptowallet info.
ExtremeTech on MSN: Malware-as-a-Service (MaaS) Hits 390K+ PCs in 3 Months as Microsoft Fights Back
Between March and May 2025, Microsoft found more than 394,000 computers infected with Lumma Stealer worldwide. Over 1,300 of the seized domains will now redirect to Microsoft "sinkholes," which are special servers that safely collect data from infected computers to help experts study the threat and protect users.