LummaC2 Stealer: Thriving Despite Global Crackdowns

Posted on June 25, 2025
Lumma Stealer (also known as LummaC2) has emerged as a rapidly growing information-stealing malware-as-a-service (MaaS). It quietly extracts browser-stored credentials, session cookies, two-factor tokens and cryptocurrency wallet data from infected Windows machines.
A Red Canary report labeled LummaC2 “the most popular infostealer of 2024”, and Twilight Cyber’s own telemetry confirms its dominance well into 2025: Lumma accounts for nearly 40% of all infostealer-related incidents we have tracked since the start of the year.
Despite a recent crackdown on the group, which Twilight covered in detail on May 27th, our research shows that the impact was short-lived. LummaC2 infections quickly rebounded and have continued at scale, averaging nearly 4,000 new infections per day since the takedown.

Law Enforcement Strikes at Lumma
In spring 2025, a coordinated international operation set out to disrupt Lumma’s infrastructure. On May 21, 2025, Microsoft’s Digital Crimes Unit, the U.S. Department of Justice, Europol and Japan’s JC3 announced that they had seized or blocked the domains behind Lumma’s command-and-control and customer-panel infrastructure, and the FBI and CISA published a joint advisory on the stealer.
Over 2,300 Lumma-related domains were blocked or redirected to sinkholes as part of the operation. Microsoft’s court filings state that the action “severed communications” between the malware and infected systems, cutting victims off from Lumma’s panel servers.
The operation was widely reported as a major blow to the malware. Unfortunately, the blow proved temporary.
For more details about the crackdown, read our full post from May 27th.
Persistence of Lumma Post-Crackdown
Despite the takedown headlines, LummaC2 has not disappeared.
Within days of the announcement, researchers at Check Point observed that LummaC2 command-and-control servers remained operational and that the volume of stolen data attributed to the operation was still growing.
The stealer’s operators were already restoring infrastructure and resuming business as usual, signaling a swift and determined return to the cybercrime market.
Twilight Cyber’s own monitoring confirms continued Lumma activity after May 21, 2025. Our data show thousands of Lumma infection events per day even after the crackdown, far more than for any other stealer.
Infections averaged about 4,000 per day, peaking at 7,025 on June 1st, roughly ten days after the coordinated action against the stealer’s infrastructure.
Lumma therefore remains the most active and widespread infostealer in circulation today, continuing to compromise thousands of systems daily with a reach that far outpaces its competitors.
Lumma remains the most popular infostealer (Source: Twilight Cyber telemetry)

For perspective, our telemetry from January 2024 to June 2025 logged over 2.4 million Lumma-related events. The next-most prevalent stealers (RisePro, StealC, RedLine, Rhadamanthys and others) each appeared only in the hundreds of thousands.
In other words, LummaC2 accounted for roughly 40% of all infostealer detections in our dataset over that period, far ahead of any competitor. This aligns with industry observations: researchers noted that in late 2024 Lumma was behind roughly 92% of all credential “logs” sold on a major Russian-language marketplace.
Twilight research shows the same trend over time: by mid-2025, LummaC2 accounted for nearly 90% of the infostealer activity we observed in a month. A sharp dip in March reflects a temporary rise in competing stealers, but Lumma quickly regained ground.


Lumma infections appear on every inhabited continent (Source: Microsoft)
The enormous volume of credentials Lumma has stolen (and continues to steal) poses an ongoing risk of fraud and account takeover (ATO). Because Lumma logs contain session cookies and two-factor tokens alongside passwords and crypto wallet seeds, a buyer can often bypass MFA entirely by replaying a still-valid session. Industry reports confirm the danger: data from Lumma logs has already fueled countless downstream attacks, including ransomware intrusions.
Organizations therefore cannot take Lumma’s threat lightly. Even if further crackdowns slow it down, the stealer’s widespread infrastructure, active development and large cache of previously stolen credentials ensure it will remain a persistent risk.
Defend Against Infostealers With Twilight Cyber
At Twilight Cyber, our threat intelligence team tracks infostealers like Lumma in real time. We ingest global telemetry and dark web data to spot spikes in activity and emerging variants. Key elements of our approach include:
- Real-Time Credential Monitoring: We continuously mine leaked-credential feeds and criminal marketplaces for Lumma stealer logs, giving early warning when new stolen-password dumps surface.
- Account Takeover (ATO) Prevention: Crucially, we link credential intelligence with access controls. When Twilight sees a credential that likely came from a Lumma infection, our system automatically flags and blocks suspicious login attempts that use it. This stops attackers from turning stolen data into account access or the first step of a ransomware chain.
Twilight’s layered defenses mean that even if Lumma compromises an endpoint, the data it exfiltrates is much harder for criminals to abuse. Customers benefit from faster detection and automated blocking of infostealer-driven account takeovers.
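To make the credential-monitoring and ATO-prevention steps above concrete, and to show why the session cookies in a stealer log matter as much as the passwords, here is a small added Python example. It is an illustration written for this page, not Twilight Cyber’s code or Lumma’s own output; the URL/USER/PASS layout of the sample log, the `PEPPER` value, the `example.com` hostnames and the client-fingerprint strings are all constructed assumptions. It parses a constructed stealer-log excerpt into a peppered-HMAC index, checks incoming logins against that index, and flags a session cookie that is presented from a client fingerprint different from the one it was issued to.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed excerpt in the style of a stealer "passwords" dump. The
# URL/USER/PASS layout is an assumption for illustration, not a claim
# about Lumma's actual file format.
SAMPLE_STEALER_LOG = """\
URL: https://mail.example.com/login
USER: alice@example.com
PASS: Winter2024!
URL: https://vpn.example.com/
USER: bob
PASS: hunter2
"""

# Server-side secret (assumed value). Leaked triples are stored only as
# HMACs keyed with it, so the index is useless on its own if it leaks.
PEPPER = b"example-pepper-rotate-me"


def fingerprint(domain: str, user: str, password: str) -> str:
    """Peppered HMAC over a normalized (domain, user, password) triple."""
    msg = "\x00".join((domain.lower(), user.lower(), password)).encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


def parse_stealer_log(text: str):
    """Yield (hostname, user, password) from URL/USER/PASS records."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep or key not in ("URL", "USER", "PASS"):
            continue
        record[key] = value.strip()
        if key == "PASS":  # PASS closes a record
            host = urlparse(record.get("URL", "")).hostname or ""
            if host and "USER" in record:
                yield host, record["USER"], record["PASS"]
            record = {}


def build_compromised_index(text: str) -> set:
    """Fingerprints for every credential found in the log."""
    return {fingerprint(h, u, p) for h, u, p in parse_stealer_log(text)}


def evaluate_login(domain: str, user: str, password: str, index: set) -> str:
    """Block a login whose exact credential appears in a stealer log and
    force a reset; a rotated password no longer matches and is allowed."""
    if fingerprint(domain, user, password) in index:
        return "block_and_force_reset"
    return "allow"


@dataclass
class SessionStore:
    """Binds each session id to the client fingerprint (for example a hash
    of ASN and user-agent family) that was present when it was issued."""
    bound: dict = field(default_factory=dict)

    def issue(self, session_id: str, client_fp: str) -> None:
        self.bound[session_id] = client_fp

    def evaluate(self, session_id: str, client_fp: str) -> str:
        """A known cookie arriving from a different client looks like a
        replayed stolen session: revoke it and require fresh MFA."""
        issued_to = self.bound.get(session_id)
        if issued_to is None:
            return "reject_unknown_session"
        if issued_to != client_fp:
            return "revoke_and_step_up"
        return "allow"


if __name__ == "__main__":
    idx = build_compromised_index(SAMPLE_STEALER_LOG)
    print(evaluate_login("mail.example.com", "Alice@Example.com", "Winter2024!", idx))
    store = SessionStore()
    store.issue("sid-1", "fp-corp-laptop")
    print(store.evaluate("sid-1", "fp-unknown-client"))
```

Two design choices are worth noting. Matching on the full (domain, user, password) triple rather than on the username alone means a victim who has already rotated the leaked password is not locked out, while the attacker holding the old one is blocked and the account is forced through a reset. Binding sessions to a client fingerprint addresses the case the password check cannot: a stolen cookie is presented with no password at all, so the only signal is that a session issued to one client is suddenly being used from another.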
Contact us to learn how Twilight’s specialized infostealer monitoring and ATO-prevention solutions can safeguard your organization against credential theft and fraud.

Recommended blogs

Spanish telecommunications giant Telefonica recently fell victim to a significant breach, showing that even large organizations are vulnerable. The incident highlights how important it is to maintain strong defenses against infostealers, which exist specifically to steal credentials and other data.
The Breach: What Happened?
In January 2025, Telefonica confirmed unauthorized access to its internal Jira ticketing system. The attackers, allegedly linked to the Hellcat ransomware group, stole approximately 2.3 GB of sensitive data, including:
- 24,000 employee emails and names
- 500,000 Jira issues and summaries
- 5,000 internal documents
- 236,493 lines of customer data
The Attack Vector: Infostealer Malware
The breach was enabled by infostealer malware, which harvests login credentials and other sensitive data from infected devices. Multiple employees were infected, handing the attackers the credentials used for initial access:
- 469 employee credentials on Telefonica’s domain were compromised.