Lumma infostealer infected about 10 million systems before global disruption

LummaC2 infected around 10 million devices and systems, allowing for millions of follow-on attacks, before the information-stealing malware operation was dismantled through a coordinated global operation this week, Brett Leatherman, the FBI’s deputy assistant director for cyber operations, said during a media briefing Wednesday.
“Since its inception in 2022, LummaC2’s malware-as-a-service platform rose to become the most prolific information stealer for sale in online criminal markets and used by cybercriminals to conduct attacks against millions of innocent victims,” Leatherman said.
The FBI has identified at least 1.7 million instances where LummaC2 was used to steal usernames, passwords, browser extensions, remote connections, system information, cryptocurrency wallets and seed phrases, and data autofill information, including stored credit cards.
The number of victims linked to LummaC2 grew so rapidly over the past couple of years that officials are still digging through evidence to find and attribute more attacks to the infostealer outfit. The FBI estimates the malware platform facilitated $36.5 million in credit card theft alone in 2023.
LummaC2, also known as Lumma Stealer, targeted individuals and businesses, including Fortune 500 companies, according to Leatherman. Known victims include airlines, universities, banks, insurance providers, hospitals, state governments and internet service providers.
Authorities and cybersecurity firms that aided in the investigation and takedown of LummaC2’s core infrastructure said the infostealer malware infected systems via social engineering, fake or spoofed software, phishing emails, fraudulent links and fake CAPTCHA deliveries.
The Cybersecurity and Infrastructure Security Agency released technical details about how LummaC2 malware infects systems and the operations it conducts to steal data. The malware enabled cybercriminals to bypass endpoint detection and response (EDR) tools and antivirus programs that are designed to track and alert users to phishing attempts or drive-by downloads, the agency said.
Researchers at Cloudflare, one of the security firms that assisted the Justice Department, said Lumma’s operators collected stolen credentials as logs, which were then indexed for sale on a marketplace where criminals could search for and buy potentially lucrative credentials.
Scores of companies — ESET, Microsoft, Bitsight, Lumen, CleanDNS and GMO Registry — that helped seize and dismantle Lumma’s domains, central command and control and marketplaces where the malware was sold to other cybercriminals lauded the far-reaching success of the disruption operation.
Yet, despite the U.S. government's quick seizure Wednesday of three new domains that LummaC2 administrators had set up the day prior to host the user panel, concerns linger about the cybercriminal group's ability to regroup and continue operations.
“When we conduct these technical operations, they’re not always permanent,” Leatherman said.
“We may not eradicate the threat. That’s yet to be seen in any technical operation, but any period of downtime to the actors brings relief to victims, and that’s what we’re looking to do here,” he added.
There’s no guarantee Lumma’s operators won’t reconstitute, but coordinated disruption efforts will continue to target and hinder the group’s technical operation, including its access, capacity and capability to impact more victims, Leatherman said.
“This is part of a greater law enforcement investigation into the group, and we hope that this will also fracture trust within the ecosystem itself,” he said. “There’s a financial cost to them being down, but there’s also a reputational cost as well, and we think that everybody operating in this environment should understand that.”