The tool called Lumma Stealer had infected more than 394,000 Windows computers worldwide between March and May, Microsoft said in a blog post on Wednesday, May 21. Hackers used the malware to target schools, hospitals, banks, and gaming communities, often holding victims for ransom or committing financial fraud.

A federal court order allowed Microsoft's digital crimes unit to seize more than 2,300 web domains that powered the malware's operations. At the same time, the Department of Justice shut down Lumma's command center and disrupted marketplaces where the tool was sold to other criminals.

The DOJ said Lumma was involved in at least 1.7 million attacks around the world.

"This joint action is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream," said Microsoft.

The FBI's Dallas Field Office led the investigation, which dismantled the portals that criminals used to control infected devices.

"The FBI is committed to disrupting the key services that cyber criminals rely on," said Bryan Vorndran, assistant director of the FBI's cyber division. "That's why, with our partners, we took action against the most popular infostealer service available in online criminal markets, which is responsible for millions of attacks against victims."

Lumma has been sold on underground online forums since at least 2022 as "malware-as-a-service" (MaaS). It steals logins, credit cards, and cryptocurrency wallets, and has been especially dangerous because it can sneak past common security tools.

The malware's developer, a Russia-based figure known online as "Shamel," marketed Lumma in different pricing tiers, including a $20,000 plan with full source code access. Lumma had a distinct bird logo to represent "peace, lightness, and tranquility," along with the slogan "making money with us is just as easy."

According to Microsoft, Shamel claimed to have about 400 active clients.

"Shamel's ability to operate openly underscores the importance for countries worldwide to address the issue of safe havens and to advocate for the rigorous enforcement of due diligence obligations under international law," Microsoft said.

Hackers deployed Lumma through fake Booking.com emails and fraudulent CAPTCHA popups. One phishing scam, discovered in March, tricked hotel staff into clicking a fake "review feedback" link, installing Lumma on their systems.

The malware has hit critical infrastructure across sectors like manufacturing, finance, telecommunications, and healthcare, according to Microsoft. More than 1,300 domains are now rerouted to Microsoft-controlled "sinkholes" that cut off communication between the malware and infected devices.

The "sinkholes" aim to help investigators track and clean up infected systems.
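How a sinkhole turns into a cleanup list, as an added example that is not part of the article and not Microsoft's or the DOJ's tooling: once a malware domain is rerouted to a sinkhole, any host that keeps looking it up is a likely infection, so a defender can sweep resolver logs for those lookups and queue the hosts for remediation. Every domain, address and log line below is a constructed placeholder (reserved `.invalid` names and TEST-NET addresses), not a real Lumma indicator; the sinkhole list would come from your resolver operator or threat-intelligence feed.

```python
"""
Sweep a resolver's query log for hosts that still resolve sinkholed domains.

All sinkhole domains, addresses and log lines are constructed placeholders for
this example; they are not indicators from the Lumma takedown.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed placeholder sinkhole data: domain -> address the sinkhole answers with.
SINKHOLED_DOMAINS = {
    "c2-example-1.invalid": "192.0.2.10",   # TEST-NET-1 address, placeholder only
    "c2-example-2.invalid": "192.0.2.11",
}

# Constructed resolver log lines in a BIND-style query-log shape (not real captures).
SAMPLE_DNS_LOG = """\
21-May-2025 09:01:12.001 client 10.1.4.22#51234: query: c2-example-1.invalid IN A + (10.1.0.2)
21-May-2025 09:01:15.440 client 10.1.4.22#51240: query: www.example.com IN A + (10.1.0.2)
21-May-2025 09:03:02.120 client 10.1.7.90#60001: query: c2-example-2.invalid IN A + (10.1.0.2)
21-May-2025 09:05:44.800 client 10.1.4.22#51301: query: c2-example-1.invalid IN A + (10.1.0.2)
21-May-2025 09:10:00.000 client 10.1.9.5#40000: query: mail.example.org IN MX + (10.1.0.2)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_dns_log(text):
    """Yield (timestamp, source_ip, qname) for each well-formed query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # skip lines that do not match the query-log shape
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group("src"), m.group("qname").rstrip(".").lower()


def find_beaconing_hosts(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Map each internal host that queried a sinkholed domain to what it asked for and when."""
    hits = defaultdict(lambda: {"domains": set(), "count": 0, "first": None, "last": None})
    for ts, src, qname in parse_dns_log(log_text):
        if qname not in sinkholed:
            continue
        h = hits[src]
        h["domains"].add(qname)
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)


def triage_report(hits):
    """Order hosts by repeat lookups so persistent beaconing goes to the front of the cleanup queue."""
    rows = []
    for src, h in sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        rows.append({
            "host": src,
            "lookups": h["count"],
            "domains": sorted(h["domains"]),
            "window_seconds": int((h["last"] - h["first"]).total_seconds()),
        })
    return rows


if __name__ == "__main__":
    for row in triage_report(find_beaconing_hosts(SAMPLE_DNS_LOG)):
        print(row)
```

Repeated lookups of the same sinkholed name over minutes are the signature of an implant that has lost its command server but keeps retrying, which is why the report sorts by lookup count rather than listing hosts alphabetically.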

"Disrupting the tools cybercriminals frequently use can create a significant and lasting impact on cybercrime, as rebuilding malicious infrastructure and sourcing new exploit tools takes time and costs money," said Microsoft. "By severing access to mechanisms cybercriminals use, such as Lumma, we can significantly disrupt the operations of countless malicious actors through a single action."

Along with US authorities, cybercrime investigation units from the European Union and Japan assisted in the case. Cybersecurity firms like Bitsight, CleanDNS, Cloudflare, ESET, GMO Registry, and Lumen also helped in the investigation.

Microsoft urges users to protect themselves by enabling multi-factor authentication, updating anti-malware software, and avoiding suspicious email links or attachments.

