
In a major global cybersecurity operation, Cloudflare’s threat intelligence team, Cloudforce One, joined forces with Microsoft and international law enforcement agencies, including the FBI and DOJ, to dismantle the core infrastructure of LummaC2, the most widespread infostealer on the internet.
Known for enabling large-scale theft of sensitive personal and enterprise data, Lumma Stealer has long posed a significant risk to users worldwide, facilitating identity theft, financial fraud, and other downstream cyberattacks. This operation marks one of the largest disruptions of an infostealer-as-a-service platform to date.
As part of the takedown, Cloudflare deployed a Turnstile-enabled interstitial warning page on the command-and-control and marketplace domains associated with Lumma. In addition, it suspended and blocked accounts used to configure the malicious domains and worked with registries to ensure the criminals couldn’t recover them simply by changing name servers.
“This disruption worked to fully set back their operations by days, taking down a significant number of domain names and ultimately blocking their ability to make money by committing cybercrime,” said Blake Darché, Head of Cloudforce One at Cloudflare.
Despite the success, Darché warned that the threat actors behind Lumma are likely to adapt and return. “Like any threat actor, those behind Lumma will shift tactics and reemerge to bring their campaign back online.”
This operation highlights the critical importance of cross-industry collaboration in combating global cybercrime threats.