When Hackers Get Hacked: The Lumma Infostealer Takedown

Posted on May 27, 2025

Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.

The Breach: What Happened?

This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:

  • 24,000 employee emails and names
  • 500,000 Jira issues and summaries
  • 5,000 internal documents
  • 236,493 lines of customer data

The Attack Vector: Infostealer Malware

The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with critical credentials for initial access.

  • 469 employee credentials on Telefonica’s domain were compromised.

Infostealers, News

How global law enforcement dismantled one of the most pervasive infostealer operations, and what it means for credential security

Lumma Stealer (also known as LummaC2) had become today’s most popular and widely used infostealer platform, accounting for the vast majority of infostealer incidents reported by Twilight as early as February. 

Figure: top 3 infostealers. Source: Twilight Cyber’s February 2025 Infostealer Infection report

This Malware-as-a-Service allowed cybercriminals to steal vast amounts of credentials and personal data from victims, fueling follow-on crimes like financial fraud and ransomware. 

Within the past two weeks, a global coalition led by Microsoft’s Digital Crimes Unit (DCU), in partnership with the FBI, DOJ, Europol EC3, Japan’s JC3, and private-sector leaders, coordinated an international takedown of Lumma’s command-and-control infrastructure. 

The result? Over 2,300 domains seized, control panels dismantled, and likely, the de-anonymization of hundreds of Lumma’s criminal users. 

Twilight Cyber has tracked Lumma since its rise in 2022, and this operation marks a pivotal moment in the ongoing war against infostealers. Read here to learn more about how Lumma Stealer works.

Below, we detail the technical and operational aspects of this takedown, the key players involved, legal actions taken, and the aftermath as observed on dark web and cybercrime forums.

The Disruption Timeline

Key Date(s) | Major Action | Involved Actors | Implications
Mar–May 2025 | Microsoft detects ~394,000 Lumma-infected PCs worldwide. | Microsoft DCU, global victims | Massive scope prompts global disruption campaign.
May 13, 2025 | Microsoft/DOJ obtain court order; seize ~2,300 Lumma domains. | Microsoft, DOJ, Lumma operators | Cuts off backbone of Lumma’s C2 network.
May 16, 2025 | Servers reformatted via remote exploit (per Lumma dev). | Law enforcement, Lumma | Suggests direct compromise of attacker infra.
May 19–21, 2025 | DOJ/FBI seize 5 admin panel domains, incl. criminal replacements. | DOJ, FBI, Europol | Halts operator access to the backend and affiliates.
May 21, 2025 | Microsoft, DOJ, Europol publicly announce operation. | Global public-private coalition | Sends message across cybercriminal ecosystem.

Inside the Operation: The “Hacked Back” Moment

Law enforcement actors appear to have infiltrated Lumma’s backend server infrastructure. In a dark web forum post shared by the Lumma developer, the group acknowledged their control panel had been replaced by a seizure banner and their disks formatted. 

Figure: Lumma acknowledged the attack on the Dark Web

According to the developer, the breach exploited an unknown vulnerability in Dell’s iDRAC remote-management system, allowing remote access and control of servers despite them being hosted in a foreign jurisdiction.

The attackers (in this case, likely law enforcement) reportedly:

  • Created phishing login panels to bait Lumma affiliates.
  • Collected real IP addresses of users.
  • Attempted to access the system’s webcam.

This reversal of tactics was confirmed by Lumma’s own statement that they had to disable iDRAC manually after the breach, noting, “they still have cards up their sleeve.”

Infrastructure Seized and Key Participants

Microsoft’s Digital Crimes Unit kicked off the disruption with a U.S. court order that allowed the seizure of over 2,300 domains tied to Lumma’s command-and-control ecosystem. These weren’t just throwaway addresses; many were core infrastructure, including hardcoded tier-1 C2 servers and redirect domains used by infected machines to exfiltrate stolen data. Visitors to these domains were met with a seizure banner, signaling law enforcement now had control.

Figure: Microsoft alert

Europol’s EC3 and Japan’s JC3 moved in parallel, helping neutralize servers hosted in Europe and Asia. Investigators ultimately took down more than 1,000 active C2 domains, 63 high-level “primary” domains, and 17 obscure fallback nodes hidden across third-party services. The operation also dismantled 93 Telegram channels and several Steam profiles used to encode backup addresses, a clever but now fully exposed tactic Lumma relied on to stay online.

Cloudflare, long abused by Lumma to hide its backend servers behind reverse proxies, joined the coalition too. When Lumma bots began bypassing Cloudflare’s browser verification pages, the company responded by deploying interactive CAPTCHAs the malware couldn’t crack, effectively shutting down remaining outbound traffic.

ESET, BitSight, Black Lotus Labs, CleanDNS, and others contributed intelligence that helped map out Lumma’s infrastructure in full. Domain registrars like GMO Registry supported the legal takedown process, and Orrick, Herrington & Sutcliffe provided the legal firepower to secure court orders across multiple jurisdictions.

This public-private coalition proves that even the most distributed and encrypted malware networks can be traced when enough eyes are watching.

Legal Actions, Arrests, and Ongoing Investigation

So far, no one has been publicly charged or arrested for operating Lumma Stealer. While the group is widely believed to be based in Russia, the recent takedown targeted infrastructure, not individuals – at least for now.

On May 19, the U.S. Department of Justice unsealed warrants to seize five core domains used to distribute the Lumma malware and manage stolen data. Just 48 hours later, those domains were under U.S. government control. In parallel, Microsoft filed a civil suit that resulted in a court order disabling hundreds more associated domains. Together, these actions effectively decapitated the Lumma operation.

Authorities now have access to Lumma’s backend infrastructure, including customer records, transaction logs, and operator communications. Whether this leads to future indictments remains to be seen, especially given the legal hurdles of pursuing suspects in non-extradition countries like Russia.

Still, law enforcement sent a clear signal that more may be coming. Shortly after the takedown, FBI agents infiltrated Lumma’s private Telegram channel for paying customers and posted a message, signed “Federal Bureau of Investigation”. In it, they thanked the admins “for allowing us to be part of the discussion,” informed users that their service was over, and noted that all logs were now in FBI hands. The message also included contact details via Telegram and Signal, a not-so-subtle hint that the Bureau knows exactly who’s been using the platform.

And now, Lumma’s users are left questioning just how much the FBI knows about them, and how long they have before the knock comes.

Reactions in Cybercriminal Communities and Dark Web Impact

Word of Lumma’s takedown spread fast across the dark web. The malware, once proudly advertised on forums like XSS and Exploit by a developer known as “Shamel,” had built a reputation as the go-to infostealer for thousands of cybercriminals. Now, this will likely change forever.

Figure: The different price tiers for Lumma

“Lumma lost the trust of its users, and by the time Lumma admins return online, their customers will have moved somewhere else,” one analyst quipped, adding that no criminal wants to stick with a service that had the FBI and Europol visibly meddling in it. Even if the Lumma group were to come back online in the weeks ahead, they would be hard-pressed to win back their clientele. The brand is effectively burned.

With the brand torched and the infrastructure gone, trust in Lumma vanished overnight. In cybercrime circles, reputation is currency, and having your service hijacked by law enforcement is as bad as it gets. 

In the vacuum, rival infostealers pounced. Rhadamanthys, an increasingly active competitor, saw a noticeable uptick in campaigns, some even mimicking Lumma’s infection vectors. 

We have covered Rhadamanthys in detail. You can find out more about it by reading our full analysis:

Rhadamanthys analysis

Stealers like Raccoon, RedLine, and Meta are also jostling for Lumma’s market share, offering deals and “Lumma migration discounts” in underground forums. On Telegram, dark web shops have begun reselling Lumma logs collected before the takedown, but prices have dipped since the pipeline was cut off, and the product’s value is fading.

In short, the market is adjusting, but the ripple effects are clear. For the first time in years, the infostealer scene feels unstable.

Conclusion and Outlook

This was a big win. Lumma Stealer didn’t just fade away. It got dismantled, exposed, and publicly humiliated. For one of the most dominant infostealer platforms on the market, that’s a rare kind of death. The infrastructure is gone. The brand is radioactive. The panic in cybercriminal forums is real.

This takedown delivered what defenders rarely get: a true disruption of the infostealer economy. And it worked. For now, at least.

But as with all major busts, the cycle is already beginning again. Criminals are looking for the next Lumma. Alternatives like Rhadamanthys are stepping into the void. New variants will surface. And just like other stealer crews that got too big too fast (RedLine, Raccoon, Vidar) someone else will pick up where Lumma left off. This is a pause, not a finish line.

Which makes this brief moment of quiet the perfect time to reset your approach. The credential theft economy isn’t going anywhere. If anything, it’s about to get more aggressive as actors compete for Lumma’s market share. 

This is when defenders should ask: 

  • How are we monitoring for exposed credentials? 
  • How fast can we respond when employee logins hit Telegram channels or dark web marketplaces?
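A defender-side illustration of the first question, added here and not part of the original post or Twilight Cyber’s platform: it parses constructed stealer-log records in the URL / USER / PASS layout that stealer password dumps commonly use, flags the ones that touch the organisation’s own domains, and never retains the password value. The sample records and the domain example-corp.com are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the URL / USER / PASS layout that stealer password
# dumps commonly use. None of these are real accounts or passwords.
SAMPLE_LOG = """\
URL: https://jira.example-corp.com/login
USER: alice@example-corp.com
PASS: Winter2024!

URL: https://mail.google.com/
USER: bob.personal@gmail.com
PASS: hunter2

URL: https://vpn.example-corp.com/
USER: carol
PASS: P@ssw0rd
"""

RECORD_RE = re.compile(r"^(URL|USER|PASS):\s*(.*)$", re.M)

@dataclass(frozen=True)
class Entry:
    url: str
    user: str  # the PASS field is parsed but deliberately never stored

def parse_entries(text: str) -> list[Entry]:
    """Split the dump into blank-line separated records; keep URL and USER only."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(RECORD_RE.findall(block))
        if "URL" in fields and "USER" in fields:
            entries.append(Entry(fields["URL"].strip(), fields["USER"].strip()))
    return entries

def is_corporate(entry: Entry, org_domains: set[str]) -> bool:
    """True if the login host or the username's mail domain belongs to us."""
    host = (urlparse(entry.url).hostname or "").lower()
    mail_dom = entry.user.rsplit("@", 1)[-1].lower() if "@" in entry.user else ""
    return any(host == d or host.endswith("." + d) or mail_dom == d for d in org_domains)

def triage(text: str, org_domains: set[str]) -> list[Entry]:
    """Records that warrant a forced password reset and session revocation."""
    return [e for e in parse_entries(text) if is_corporate(e, org_domains)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, {"example-corp.com"}):
        print(f"reset + revoke sessions: {hit.user} (seen at {hit.url})")
```

Matching on the login host as well as the mail domain catches local usernames such as “carol” on a corporate VPN portal, which a mail-domain-only check would miss.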

Twilight Cyber’s Role in Combatting Credential Theft

That’s where Twilight comes in. As infostealers evolve and new players rush to fill the void Lumma left behind, real-time visibility into credential exposure is a must. 

At Twilight, we track stealer logs as they’re leaked, sold, or circulated across Telegram, dark web forums, and malware marketplaces. Our platform connects the dots between malware infections, credential theft, and threat actor chatter, giving organizations immediate insight when their data is compromised.

Whether it’s a single set of leaked credentials or a full-blown stealer campaign targeting your region or sector, Twilight delivers early warning, context, and actionable intelligence, so you can stop credential misuse before it turns into something worse. 

Ready to protect your credentials? Contact us now to get started.


