Microsoft Declares War on Lumma Stealer—Nukes Thousands of Malware Sites in Legal Blitz
Redmond just dropped the hammer. Microsoft’s digital SWAT team took down thousands of domains tied to the Lumma Stealer malware—because apparently even cybercriminals can’t escape 2025’s brutal tech layoffs.
The legal strike cripples one of the most aggressive data-siphoning tools targeting crypto wallets and banking credentials. No more ‘steal now, cash out later’ for these guys—unless they pivot to writing Substack newsletters about decentralized finance like everyone else.
Lumma Used to Harvest Passwords, Credentials
Launched in 2022 and continually upgraded, Lumma has been distributed through underground forums and used to harvest passwords, credit card numbers, bank credentials, and digital asset data.
Between March 16 and May 16, Microsoft said it identified more than 394,000 Windows devices infected with Lumma Stealer.
The company coordinated with law enforcement and cybersecurity firms to sever communication between the malware and infected machines.
The action comes amid a broader surge in malware and crypto-focused cybercrime.
Earlier this week, printer manufacturer Procolored was found to be distributing Bitcoin-draining malware bundled with official device drivers, leading to nearly $1 million in stolen crypto.
The official driver provided by this printer carries a backdoor program. It will hijack the wallet address in the user’s clipboard and replace it with the attacker’s address: 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj
According to @MistTrack_io, the attacker has stolen 9.3086… https://t.co/DHCkEpHhuH pic.twitter.com/W1AnUpswLU
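The clipboard swap the tweet describes, as an added defensive example that is not from the article or from MistTrack: a Python clipboard guard that remembers the address the user last copied, re-checks what the clipboard holds when it is polled again, and flags the case where one syntactically valid Bitcoin address has silently become a different valid one. A clipper substitutes a properly checksummed address, so a format check alone never catches it; only comparing against what the user actually copied does. The Base58Check validation is the standard legacy-address scheme; the `ClipEvent` records, the function names and the two sample addresses are constructed for this demonstration.

```python
import hashlib
import re
from dataclasses import dataclass

# Bitcoin's base58 alphabet (no 0, O, I, l).
BTC_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH/P2SH addresses: '1' or '3' followed by 25..34 base58 chars.
LEGACY_ADDRESS_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def b58decode(s: str) -> bytes:
    """Decode base58; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        idx = BTC_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    """Encode bytes as base58, preserving leading zero bytes as '1's."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = BTC_ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def is_valid_legacy_btc_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte checksum (SHA256d prefix)."""
    if not LEGACY_ADDRESS_RE.match(addr):
        return False
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def make_address(version: int, hash160: bytes) -> str:
    """Build a checksummed legacy address; used here only to construct sample data."""
    payload = bytes([version]) + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


@dataclass
class ClipEvent:
    source: str  # "user_copy" (user pressed copy) or "clipboard_poll" (guard re-read clipboard)
    text: str


def detect_clipper(events):
    """Return (expected, seen) pairs where a copied BTC address silently became another valid one.

    A legitimate paste returns exactly what the user copied; a clipper rewrites the
    clipboard between copy and paste, and it always writes a checksum-valid address,
    so both sides of the comparison pass validation while differing.
    """
    expected = None
    alerts = []
    for ev in events:
        if ev.source == "user_copy":
            expected = ev.text.strip()
            continue
        seen = ev.text.strip()
        if (
            expected is not None
            and seen != expected
            and is_valid_legacy_btc_address(expected)
            and is_valid_legacy_btc_address(seen)
        ):
            alerts.append((expected, seen))
    return alerts


if __name__ == "__main__":
    # Constructed sample: the user copies address A, a clipper later swaps in address B.
    a = make_address(0, b"\x11" * 20)
    b = make_address(0, b"\x22" * 20)
    sample = [ClipEvent("user_copy", a), ClipEvent("clipboard_poll", a), ClipEvent("clipboard_poll", b)]
    for expected, seen in detect_clipper(sample):
        print(f"ALERT: clipboard address changed from {expected} to {seen}")
```

In a real guard the `clipboard_poll` events would come from reading the system clipboard just before a paste into a wallet field; the comparison logic is the part worth keeping, since it does not depend on knowing any attacker address in advance.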
Chainalysis reported in February that $51 billion in crypto was stolen in 2024 alone, with fraud cartels, state-backed hackers, and AI-assisted scams leading the surge.
The FBI noted $9.3 billion in crypto scam losses in the U.S. last year, with older adults hit hardest.
Crypto Drainers Offered as SaaS Tools
Crypto drainers, malicious tools used to empty digital wallets, have become common on phishing sites, fake airdrops, and browser extensions.
According to AMLBot, these drainers are now offered as SaaS tools, available to low-level criminals for as little as $100.
Aspiring scammers can join online communities where experienced criminals offer tutorials, transforming phishing novices into crypto drainers with ease.
Some drainer-as-a-service (DaaS) groups have become so confident in their operations that they reportedly advertise openly — even setting up booths at industry events.
AMLBot’s investigators uncovered listings for malware targeting platforms like Hedera (HBAR), demonstrating how technical talent is actively sourced in niche online spaces.
The rise of drainers has led to significant financial losses. In 2024 alone, Scam Sniffer reported $494 million stolen through such schemes — a 67% increase from the previous year.
Cybersecurity firm Kaspersky also noted a sharp rise in darknet forums dedicated to drainer tools, growing from 55 in 2022 to 129 by 2024.
While Telegram once served as a haven for cybercriminals due to its strict privacy policies, concerns emerged after reports that the platform began sharing data with authorities.
This has driven many bad actors back to the Tor network, where anonymity is easier to maintain.