The U.S. Department of Justice announced the unsealing of two court-authorized warrants to seize five internet domains used by cybercriminals to operate the LummaC2 malware, an information-stealing service responsible for at least 1.7 million thefts of personal and financial data worldwide.
The domains served as user panels, the web interfaces through which the service's paying customers logged in to configure and deploy the malware. According to federal affidavits, the stealer targeted login credentials, browser data, autofill information, banking information, and cryptocurrency seed phrases.
“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said Matthew R. Galeotti, head of the Justice Department’s Criminal Division. “Today’s announcement demonstrates that the Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the theft of their personal information and their assets. The Department is also committed to working with and appreciates the efforts of the private sector to safeguard the public from cybercrime.”
On May 19, 2025, the government seized two domains. A day later, LummaC2 administrators informed their users of three new domains created to replace the seized ones. On May 21, those three were also seized.
“This disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from persistent cybersecurity threats,” said Sue J. Bai, head of the DOJ’s National Security Division.
FBI Cyber Division Assistant Director Bryan Vorndran called LummaC2 the “most popular infostealer service available in online criminal markets” and praised partnerships with the private sector for enabling the seizure of the malware’s infrastructure and access panels.
As part of the broader takedown effort, Microsoft also launched a civil action to disable 2,300 additional domains believed to be used by LummaC2 actors or their proxies.
The case is being handled by the U.S. Attorney’s Office for the Northern District of Texas, the DOJ’s National Security Cyber Section, and the Computer Crime and Intellectual Property Section. The FBI’s Dallas Field Office is leading the investigation.
Visitors to the seized domains now see a notice that the sites have been taken over by the Department of Justice and FBI.