
Following the resounding announcement by Microsoft and the FBI regarding the complete dismantling of the Lumma Stealer malware infrastructure, it appeared the saga had come to an end. Yet the events that unfolded in the wake of the operation painted a starkly different picture—the buried infostealer resurrected itself mere hours after the official takedown.
On May 21, 2025, Microsoft’s Digital Crimes Unit, in collaboration with the FBI, Europol, and the U.S. Department of Justice, conducted a sweeping operation, seizing and disabling approximately 2,300 domains linked to Lumma Stealer. Some of these sites were even replaced with official seizure banners, courtesy of the FBI. However, rather than bringing the platform to a halt, the takedown merely spurred a new phase in the evolution of its clandestine infrastructure.
By May 22, it had become evident that Lumma remained operational. The domain lummamarket.com was still live, providing access to the control panel where cybercriminals continued trading stolen data. Search results from FOFA, an internet asset search engine, confirmed that compromised systems were still communicating with active Lumma Stealer instances.
Despite the partial purge of its infrastructure, Lumma’s developers swiftly reestablished access to new servers. According to WHOIS data, several fresh domains—including writintrvh.top, fedor-dostoevskiy.com, and yuriy-andropov.com—were registered between May 21 and May 23, clearly after the network was declared neutralized.
Moreover, the Lumma Telegram bot, used to facilitate the sale of stolen logs, remained fully functional. On May 22—just one day after the law enforcement action—the bot published a fresh batch of data exfiltrated from 95 infected machines across 41 countries. The leaks included passwords, cookies, and other sensitive information. The highest volume of password thefts originated from the United States (5,486), followed by Brazil (1,558) and Colombia (534). For cookies, Brazil led with 39,124, trailed by the U.S. (33,000) and India (18,359).
The list of countries affected by Lumma Stealer spans dozens of nations, from Germany and Romania to Tanzania and Cambodia. Victims’ IP addresses also surfaced publicly, underscoring the ongoing breadth of the attack.
Lumma’s persistence was further affirmed in a defiant statement on an underground forum, where the operators dismissed the FBI’s efforts and asserted, “We will rebuild regardless.” Their swift adaptation—registering new domains and shifting server infrastructure—demonstrates that for seasoned malware operators, even large-scale takedowns are but temporary hindrances.
Updated Indicators of Compromise (IOCs), collected on May 22, reveal dozens of IP addresses and domains still actively contacted by infected systems. These include 104.21.72.130, 172.67.151.14, lumnew.fun, ancientlum.com, among others.
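Because the panel and log-trading channel were back within a day, the practical defensive use of the indicators quoted above is to sweep recent DNS and proxy telemetry for hosts that still beacon to them. The following is an added example written for this page, not code from any vendor or from the original article; it uses only the domains and IPs quoted in the text, assumes a simplified one-line-per-event log format, and runs over a few constructed sample lines rather than real telemetry. Domain matching covers subdomains (cdn.lumnew.fun) while refusing look-alikes that merely share a suffix (notlumnew.fun).

```python
import ipaddress
import re

# Indicators quoted in the article (collected May 22, 2025). Treat them as a
# snapshot: the operators registered fresh domains within days, so a live
# hunt should refresh this list from a current feed.
IOC_DOMAINS = {
    "lummamarket.com", "writintrvh.top", "fedor-dostoevskiy.com",
    "yuriy-andropov.com", "lumnew.fun", "ancientlum.com",
}
IOC_IPS = {"104.21.72.130", "172.67.151.14"}

# Constructed sample log lines (not real telemetry). Assumed format:
# "<timestamp> <internal src ip> <event type> <target[:port]>"
SAMPLE_LOGS = """\
2025-05-22T09:14:03Z 10.0.5.17 dns query cdn.lumnew.fun
2025-05-22T09:14:04Z 10.0.5.17 http connect 104.21.72.130:443
2025-05-22T09:15:10Z 10.0.5.22 dns query www.example.org
2025-05-22T09:16:41Z 10.0.7.3 http connect 93.184.216.34:443
2025-05-22T09:17:02Z 10.0.5.22 dns query notlumnew.fun
2025-05-22T09:18:55Z 10.0.9.8 http connect ancientlum.com:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<event>\S+ \S+)\s+(?P<target>\S+)$"
)


def domain_matches(host, iocs):
    """True if host equals an IOC domain or is a subdomain of one.
    A suffix-only overlap (notlumnew.fun vs lumnew.fun) does not match."""
    host = host.lower().rstrip(".")
    return host in iocs or any(host.endswith("." + d) for d in iocs)


def extract_host_and_ip(target):
    """Split a log target into (hostname, ip); exactly one is None.
    A trailing :port is stripped before classification."""
    host = target.rsplit(":", 1)[0] if re.search(r":\d+$", target) else target
    try:
        ipaddress.ip_address(host)
        return None, host
    except ValueError:
        return host, None


def scan_logs(lines):
    """Return (src, indicator, kind) for every line that touches an IOC."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        host, ip = extract_host_and_ip(m["target"])
        if ip and ip in IOC_IPS:
            hits.append((m["src"], ip, "ip"))
        elif host and domain_matches(host, IOC_DOMAINS):
            hits.append((m["src"], host, "domain"))
    return hits


def affected_hosts(hits):
    """Distinct internal sources that should be isolated and re-credentialed."""
    return sorted({src for src, _, _ in hits})


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS.splitlines())
    for src, indicator, kind in found:
        print(f"{src} -> {indicator} ({kind})")
    print("hosts to triage:", affected_hosts(found))
```

Two caveats belong with any such sweep. First, the two IP indicators sit in address ranges shared by a large CDN/reverse-proxy provider, so an IP-only hit is weak evidence on its own; a domain or TLS SNI match is the stronger signal. Second, a hit means credentials and cookies on that host should be treated as already sold: rotating passwords and invalidating sessions matters more than the malware cleanup itself, since the article's point is that buyers simply log in with what was stolen.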
As long as Lumma Stealer remains active, access to corporate networks via stolen credentials is no longer a matter of breaching defenses—it’s merely a matter of purchasing and logging in. The low subscription cost of Lumma Stealer continues to make it highly attractive to cybercriminals, including ransomware operators and APT groups.
The FBI succeeded in striking a blow—but failed to eliminate the infrastructure entirely. Lumma Stealer is once again alive and operational, and as long as its dissemination mechanisms remain intact, any declaration of victory over the platform is dangerously premature.