How a global malware operation was taken down from a federal court in Georgia


The messages seemed innocuous, mundane even. Someone posing as a prospective guest emailed a hotel questions about a purported comment left on Booking.com. Another message was supposedly from that third-party booking site to review negative guest feedback.

But they were all fake. The emails were phishing scams designed to get the recipient to download malicious software to their computer that could steal financial information and credentials.

Now, a tech giant and governments around the world are dismantling a constellation of malware called Lumma Stealer that authorities say is behind that cyberattack. Lumma’s digital infrastructure is being taken down by an international operation between Microsoft, the U.S. Justice Department, Europol and Japan’s Cybercrime Control Center, according to statements from Microsoft and documents unsealed Wednesday in federal court in Atlanta.

Lumma is “one of the most renowned info-stealer malwares in existence,” Steven Masada, assistant general counsel and director of the Digital Crimes Unit at Microsoft, told The Atlanta Journal-Constitution. In 2024, Lumma infected 1.8 million hosts or devices, according to a report by cybersecurity company Flashpoint.

It is a type of malicious software sold through the dark web to people who want to steal passwords, credit card numbers, bank account information and cryptocurrency wallets. Lumma has enabled cybercriminals to infiltrate industries like transportation, finance and health care, hold schools for ransom and empty bank accounts, according to Microsoft.

Lumma has been around since 2022 and is part of the rise of the cybercrime-as-a-service industry, according to Masada.

It operates a bit like other software businesses, offering clients monthly or annual subscriptions at different pricing tiers depending on how much personalization and control they want of the software. It has been used by hundreds of cybercriminal groups and nation-state-affiliated groups worldwide, Masada said.

But instead of giving someone a word processor or the ability to edit PDFs, Lumma is used for nefarious purposes, like the cyberattack impersonating Booking.com, a major example of the breadth and depth of the malware.

“Cybercriminals are out there marketing and selling their services to other cybercriminals in order to effectively scale operations,” Masada said. He called Lumma a link in the cybercrime supply chain.

Between March and May, Microsoft identified more than 394,000 Windows computers across the world that had been infected by Lumma malware. At least 532 computers were infected in Georgia, according to court documents. Atlanta was one of the U.S. cities most affected by Lumma.

Microsoft filed a federal civil lawsuit against Lumma on May 13 in Atlanta because of the high volume of victims in the region, including Booking.com, which has a large presence in the area. Booking.com did not immediately respond to a request for comment.

Microsoft worked with other cybersecurity companies and law enforcement to share intelligence and work on dismantling different parts of Lumma’s sprawling network.

Last week, Microsoft received under seal a court order allowing it to start taking down, suspending and blocking about 2,300 domains that were part of Lumma’s infrastructure.

The Justice Department disrupted Lumma’s marketplace and seized its central command structure. Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center suspended Lumma infrastructure in their jurisdictions.

Microsoft will be redirecting the domains it has taken over into a cloud monitored by the tech giant to build intelligence and potentially identify more infected devices, Masada said.

But despite this coordinated operation, the identities of the people behind Lumma remain a mystery. All Microsoft officials say they have been able to piece together is that the primary developer is someone based in Russia who goes by the alias “Shamel” and that there are other people involved in the malware.

Microsoft received a temporary restraining order against 10 unidentified defendants, including Shamel, other people allegedly supporting Lumma’s infrastructure and clients of the malware.

But whoever is behind Lumma, Masada said he knows they will try to adapt and rebuild their infrastructure. The tech giant is hoping to eventually get an appointed court monitor to quickly give Microsoft the authority to seize new domains that may be spun up by malicious actors.

2025 The Atlanta Journal-Constitution. Distributed by Tribune Content Agency, LLC.

Citation: How a global malware operation was taken down from a federal court in Georgia (2025, May 22), retrieved 22 May 2025 from
