Stealer Logs on the Dark Web: What You Need to Know
Learn about stealer logs on the dark web, how they expose stolen credentials, and strategies to protect against data breaches.
**Note: Despite the success of law enforcement and corporations, the threat from similar infostealers remains high and must be monitored.**
Since its emergence in late 2022, LummaC2, also known simply as Lumma, has become one of the most popular infostealers on the market. Sold as a Malware-as-a-Service (MaaS), Lumma uses sophisticated penetration and evasion techniques, exfiltrating sensitive data such as passwords, browser cookies, and crypto wallets, all while remaining undetected.
Lumma’s easy-to-use, web-based control panel allows its users to easily retrieve and distribute their logs. Lumma’s users mainly distribute stealer logs to free or premium Telegram channels, as well as Dark Web marketplaces. As a result, Lumma’s stealer logs can be found all over the dark web, accessible for malicious use even by the most inexperienced of actors.
On May 21, 2025, in a coordinated international effort led by Microsoft’s Digital Crimes Unit in collaboration with the U.S. Department of Justice, Europol, Japan’s Cybercrime Control Center, and cybersecurity companies like Cloudflare, the infrastructure of the notorious LummaC2 malware was successfully dismantled.
Over 2,300 domains and the command-and-control servers were seized, marking a significant victory against the infostealer responsible for the theft of sensitive data from millions of computers over the years (Wired).
In this article, we will track the conversation around the takedown of Lumma on the dark web, the way users reacted before and after the official announcement, and how the takedown has affected the dark web landscape.
According to Microsoft, its Digital Crimes Unit (DCU) filed for legal action against approximately 2,300 malicious domains related to Lumma. Simultaneously, partner organizations seized the command structure, marketplace, and locally hosted infrastructure, effectively shutting down Lumma's operation.
A few days after the domains were seized, but before the operation had been disclosed, users began to report issues regarding access to the market and control panel. Lumma users shared their thoughts on the official Lumma threads on dark web forums such as XSS and Exploit.
These issues lent credibility to the emerging rumor that the authorities had seized the Lumma servers, and got users talking and worrying. It is important to note that the Lumma admin, an actor by the name of ‘Shamel’, still posted a regular ‘developer’s update’ on the official XSS Lumma thread on May 19th, 2025, without addressing the concerns of the troubled users.
The immediate response to the Lumma takedown, which was publicly announced on the 21st of May, varied between users. A portion of the dark web forum community appeared unsurprised by the news, and some even expressed a sense of resignation, with posts eulogizing it as “one of the best infostealers on the market”. For the threat actors, Lumma’s takedown marked the end of an era, but not necessarily a cause for panic. Many assumed a new tool would fill the void left by Lumma and discussed what it could be.
Of course, some users seemed concerned that they would be the next targets. The organizations responsible for the takedown stated they were going after customers of Lumma. New threads were opened specifically to warn Lumma users of possible prosecution.
The first official response from ‘Shamel’ came on the 23rd of May, on the official XSS thread. In his statement, he aimed to clarify the situation, and while the actor did acknowledge the seized domains, he rejected the FBI’s claims of taking down the main Lumma servers. ‘Shamel’ also stated that the FBI created a phishing campaign inside the original domains which would collect computer IPs and even webcam images of anyone trying to use Lumma. This personal information could be used later to hunt down operators of the malware. Finally, ‘Shamel’ claimed that access to the server was back, and promised future statements.
Shamel’s statement did not seem to improve the customers’ perception of the situation. Many users began to express their discontent with the late response given by ‘Shamel’, the fact that no update had been sent to Lumma users to ensure their safety, and the sheer amount of data lost due to the incident.
The main effect seems to be on the clients’ trust in the admin and the malware. Lumma’s previously pristine reputation has been shattered, forcing users to look for alternatives. This user migration will directly influence the popularity and distribution of other existing or new infostealers on the dark web landscape.
While it might be too soon to say whether Lumma is gone for good, as things on the dark web rarely are, we can already see the effect of the takedown on user experience. This is also directly reflected in the number of stealer log files distributed on the dark web and Telegram channels.
Using Lunar, our dark web monitoring platform, to look at data from the popular data store Russian Market, where Lumma is traditionally sold, we can see a significant decrease in the number of Lumma stealer logs sold since the 13th of May, when Microsoft first seized the Lumma domains.
The takedown of Lumma marks a significant moment in the ongoing fight against malware-as-a-service operations. While the operation led by Microsoft and international law enforcement successfully disrupted the infrastructure behind one of the most prominent infostealers on the dark web, the situation continues to unfold and is far from over.
Our research revealed serious cracks in Lumma’s image as the ultimate stealer, as customers lost their trust and sought out alternative solutions. We theorize that in the coming weeks, new and old infostealers will increase in popularity as users migrate from using Lumma. This means that the infostealer threat is still very relevant and must be monitored accordingly. The best way to stay ahead of the emergence and takedown of infostealers on the dark web, as well as monitor compromised credentials and stealer logs, is through dark web monitoring platforms like Lunar.
Lunar allows you to set up alerts for specific queries, such as a query for new chatter regarding Lumma’s reputation, or to set up events that automatically track the leaks and stealer logs that expose your company’s assets.
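To make the last point concrete, here is an added example (not code from the original article and not part of the Lunar platform) of the kind of triage a defender runs once a stealer log is obtained: filter credential lines down to those that touch the organization’s own domains, deduplicate them, and record only a truncated hash of each password so the alert record never stores the secret. The URL:USERNAME:PASSWORD line layout and the sample lines are constructed assumptions for this example; real stealer logs differ from family to family, so the parser is the part you would adapt.

```python
"""Triage constructed stealer-log credential lines against an organization's assets.

Added example, not from the original article or the Lunar platform. The
URL:USERNAME:PASSWORD layout is an assumption used for the constructed
sample below; real stealer logs vary by family.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the assumed URL:USER:PASS layout (not real data).
SAMPLE_LOG = """\
https://mail.example-corp.com/owa/:alice@example-corp.com:Winter2024!
https://vpn.example-corp.com/:bob:hunter2
https://shop.unrelated.test/login:carol:p@ss
https://sso.example-corp.com/login:dave@example-corp.com:Summer2025?
not a credential line
https://intranet.example-corp.com:eve:correcthorse
"""

# Hypothetical organization domains to watch for.
WATCHED_DOMAINS = ("example-corp.com",)


@dataclass(frozen=True)
class Exposure:
    host: str
    username: str
    password_fingerprint: str  # truncated SHA-256; the secret itself is never stored
    password_length: int


def parse_line(line: str) -> tuple[str, str, str] | None:
    """Split one URL:USER:PASS line; return None for lines that do not fit.

    The URL contains ':' in its scheme (and possibly a port), so split from
    the right at most twice. A password containing ':' would be misread;
    that is a known limit of this simple layout.
    """
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, user, password = parts
    if not url.startswith(("http://", "https://")) or not user:
        return None
    return url, user, password


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def matches_watched(host: str, domains=WATCHED_DOMAINS) -> bool:
    """Exact match or a subdomain of a watched domain (suffix tricks rejected)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def fingerprint(secret: str) -> str:
    """Short hash so repeated exposures of one password can be correlated."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def triage(log_text: str, domains=WATCHED_DOMAINS) -> list[Exposure]:
    """Return deduplicated exposures that touch the watched domains."""
    seen: set[tuple[str, str, str]] = set()
    exposures: list[Exposure] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        url, user, password = parsed
        host = host_of(url)
        if not matches_watched(host, domains):
            continue
        key = (host, user.lower(), fingerprint(password))
        if key in seen:
            continue
        seen.add(key)
        exposures.append(Exposure(host, user, fingerprint(password), len(password)))
    return exposures


def summarize(exposures: list[Exposure]) -> dict[str, int]:
    """Count exposures per host, the figure an alert would lead with."""
    counts: dict[str, int] = {}
    for e in exposures:
        counts[e.host] = counts.get(e.host, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(e)
    print(summarize(found))
```

Running the script on the constructed sample yields four exposures (the line for `shop.unrelated.test` is ignored and the malformed line is skipped); each record carries a hashed fingerprint and the password length, which is enough to force a reset and to spot the same password reappearing in later logs without retaining the secret.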