Feds Take Down LummaC2 Malware Network—Crypto Seed Phrase Heist Goes Dark


Author:
decryptCO
Published:
2025-05-22 05:04:19

Law Enforcement Seizes Domains Linked to Seed-Phrase-Stealing Malware LummaC2

Law enforcement just pulled the plug on a major cybercriminal operation. Domains tied to LummaC2, an infostealer built to harvest crypto wallet seed phrases, were seized in a coordinated takedown. No more free lunches for these digital pickpockets.

How it worked: The malware was spread through phishing schemes and fake downloads, then lifted the seed phrases that unlock victims' wallets. Now? A rare win for the good guys, though let's be real, the next scam is already cooking in some offshore Telegram group.

Bonus jab: Meanwhile, Wall Street still thinks ‘private keys’ are what concierges hand out at luxury hotels.

Malware on the decline

Malware isn’t as popular as it once was.

According to CrowdStrike's 2025 Global Threat Report, there has been a shift towards malware-free attacks over the past five years as attackers move to stealthier methods such as phishing, social engineering, access broker services, and trusted relationship abuse.

Last year, 79% of attacks it detected were malware-free, compared to 40% in 2019.

Nevertheless, that doesn’t mean there aren’t willing buyers for Malware-as-a-Service tools like Lumma, which allow relatively unsophisticated threat actors to access advanced capabilities.

The FBI has linked Lumma alone to at least 1.7 million theft attempts.

Crypto wallets are common targets. Earlier this month, researchers identified fake AI bots spreading malware targeting crypto traders, while Inferno Drainer has stolen more than $9 million from wallets over the last six months.

Evolving theft

Launched around 2022, Lumma has evolved through multiple iterations and is controlled by a Russian developer known online as "Shamel."

Operating openly via Telegram and Russian-language forums, Shamel markets Lumma in tiered service packages that allow buyers to customize, distribute, and track stolen data.

One notable campaign using Lumma involved fake emails impersonating Booking.com that were used to steal login credentials and empty bank accounts.

The malware has also been linked to attacks on education systems, gaming communities, and critical infrastructure sectors, including healthcare and logistics. Its stealth and flexibility have made it a favored tool among high-profile ransomware groups such as Octo Tempest.

Microsoft said it was continuing to monitor emerging variants of Lumma, warning that the malware remains a potent threat even as its core infrastructure is being dismantled.

Edited by Sebastian Sinclair
