LummaC2 Malware Network Wiped Out in Global Takedown Operation
Key Takeaways
- A global team led by the DOJ and Europol, together with Microsoft and other cybersecurity firms, shut down websites used by LummaC2 malware;
- LummaC2 infected over 394,000 Windows devices and was linked to stolen crypto and bank data;
- The malware, promoted by a Russian developer, was sold with tools to customize and track attacks.
Cybersecurity teams and government officials have taken down the main online tools behind LummaC2, a malware used to steal sensitive information like crypto wallet seed phrases and login details, according to a May 21 announcement from the US Department of Justice (DOJ).
The operation involved agencies from several countries, including the DOJ, Europol, and Japan's Cybercrime Control Center, with support from Microsoft and private security companies.
The first takedown happened on May 19, when the two main LummaC2 websites were removed. The group behind LummaC2 tried to register three new websites, but those were shut down the following day.
According to the DOJ, LummaC2 is designed to collect passwords and other private data from victims, which is then used to commit crimes like draining bank accounts and stealing crypto assets. DOJ Criminal Division chief Matthew R. Galeotti stated that malware like LummaC2 supports a wide range of digital fraud.
Meanwhile, on May 21, Microsoft revealed that its systems had recorded over 394,000 LummaC2 infections on Windows computers between March and May 2025. The company also took independent legal action to shut down more than 2,300 domains linked to the malware.
LummaC2 first appeared around 2022 and is controlled by a Russian developer operating under the name "Shamel". The developer promotes Lumma on Telegram and other forums by offering paid versions that let buyers customize how the malware spreads and what data it collects.
One known attack involved fake emails pretending to be from Booking.com. Victims were tricked into giving up their banking information, which was then used to empty their accounts.