Microsoft Disrupts Lumma Malware Behind Massive Crypto Wallet Thefts

Dorin Buliga

Key Points

  • 394,000+ Windows devices were infected with Lumma malware between March and May 2025.

  • The malware was used to steal login credentials, financial data, and cryptocurrency wallet access.

Microsoft announced that it has disrupted the operations of the Lumma Stealer malware, a data theft tool that had infected more than 394,000 Windows computers worldwide between March 16 and May 16, according to a company blog post published Wednesday.

The takedown was carried out in coordination with international law enforcement agencies, though Microsoft has not yet disclosed which specific partners were involved in the operation.

The Lumma malware has been identified as a widely used tool by cybercriminals, with capabilities to extract user credentials, credit card data, banking information, and cryptocurrency wallet access.

Microsoft described the malware as a “favored tool” among threat actors targeting both individuals and organizations.

Scope and Impact

Microsoft’s Digital Crimes Unit (DCU) led the investigation and mitigation process. The company did not detail the infrastructure disruption but stated that it had effectively broken down key components of the malware’s operational network.

The malware campaign’s scale, nearly 400,000 infections over two months, indicates a broad and active distribution method. It remains unclear how many users or systems have recovered or are still vulnerable.

The post did not elaborate on whether the malware was spread via phishing, malicious downloads, or other common vectors, though previous strains of Lumma Stealer have often been linked to compromised software packages and spam campaigns.

Figure 1. Heat map detailing global spread of Lumma Stealer malware infections and encounters across Windows devices.

Ongoing Investigation

This remains a developing story, with Microsoft indicating that additional technical findings and updates will be released. Law enforcement investigations are also ongoing.

Dorin is the CMO of crypto.ro, where he leads strategy, editorial direction, and large-scale community growth across one of the most influential crypto media platforms. He builds narratives and communities around Web3, transforming complex ideas into clear stories that move culture, inspire participation, and grow real adoption.