Law Enforcement Seize Domains Linked to Seed Phrase Stealing Malware LummaC2

Law enforcement agencies have seized key infrastructure linked to LummaC2, a malware operation that targeted millions of victims worldwide, including by stealing crypto wallet seed phrases, according to a U.S. Department of Justice announcement on Wednesday.

The seizures were part of a coordinated international effort involving the DOJ, Europol, Japan’s Cybercrime Control Center, Microsoft, and private cybersecurity partners.

Following the initial DOJ seizure of two websites on May 19, Lumma administrators scrambled to establish three new domains, only to have those seized the next day. 

Microsoft additionally identified over 394,000 infections on Windows systems globally between March and May 2025. Through a civil action filed earlier this month, Microsoft’s Digital Crimes Unit seized and disabled over 2,300 domains supporting Lumma’s infrastructure.

“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said Matthew R. Galeotti, head of the DOJ’s Criminal Division, in a statement.

Malware on the decline

Malware isn’t as popular as it once was.

According to CrowdStrike’s 2025 Global Threat Report, there has been a shift towards malware-free attacks over the past five years as attackers move to stealthier methods such as phishing, social engineering, access broker services, and trusted relationship abuse.

Last year, 79% of attacks it detected were malware-free, compared to 40% in 2019.

Nevertheless, that doesn’t mean there aren’t willing buyers for Malware-as-a-Service tools like Lumma, which allow relatively unsophisticated threat actors to access advanced capabilities.

The FBI has identified its use in at least 1.7 million theft attempts using Lumma alone. 

Crypto wallets are common targets. Earlier this month, researchers identified fake AI bots spreading malware targeting crypto traders, while Inferno Drainer has stolen more than $9 million from wallets over the last six months.

Evolving theft

Launched in around 2022, Lumma has evolved through multiple iterations and is controlled by a Russian developer known online as “Shamel.”

Operating openly via Telegram and Russian-language forums, Shamel markets Lumma in tiered service packages that allow buyers to customize, distribute, and track stolen data.

One notable campaign using Lumma involved fake emails impersonating Booking.com used to steal login credentials and empty bank accounts.

The malware has also been linked to attacks on education systems, gaming communities, and critical infrastructure sectors, including healthcare and logistics. Its stealth and flexibility have made it a favored tool among high-profile ransomware groups such as Octo Tempest.

Microsoft said it was continuing to monitor emerging variants of Lumma, warning that the malware remains a potent threat even as its core infrastructure is being dismantled.

Edited by Sebastian Sinclair

Source