Lumma Stealer activity decline after doxxing and Telegram compromise
Malware Activity
Summary
Hide ▲
Show ▼
The Lumma Stealer malware-as-a-service operation saw a sharp drop in C&C infrastructure activity, disrupting customer communications and slowing infostealer operations. The decline followed exposure of five alleged core members' identities and a reported Telegram account compromise. The operation had rebuilt after a May law-enforcement action and remained active through June to September before the slowdown. The shift pushed cybercriminals toward Vidar, StealC, and Amadey as replacement options.
Related Happenings
FBI takedown of Outsider Enterprise phishing service
Law Enforcement
H score63
First: 14.06.2026 17:36
Last: 14.06.2026 17:36
Sources 1
About this happening:
The **FBI** and partners **dismantled** **Outsider Enterprise**, a **phishing-as-a-service** operation tied to **thousands of phishing websites** and large-scale credential theft....
FBI takedown of Outsider Enterprise phishing service
Law EnforcementAbout this happening: The **FBI** and partners **dismantled** **Outsider Enterprise**, a **phishing-as-a-service** operation tied to **thousands of phishing websites** and large-scale credential theft....
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
H score21
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
REMUS infostealer browser-session and password-manager collection expansion
Malware ActivityAbout this happening: **REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
UAE and Gulf cyberattack surge after Iran conflict escalation
Trend
H score29
First: 06.05.2026 08:30
Last: 06.05.2026 08:30
Sources 1
About this happening:
Cyberattack volume surged across the **UAE** and wider **Gulf** after military operations against **Iran** began, pushing daily breach attempts to **600,000 to 800,000** and raisi...
UAE and Gulf cyberattack surge after Iran conflict escalation
TrendAbout this happening: Cyberattack volume surged across the **UAE** and wider **Gulf** after military operations against **Iran** began, pushing daily breach attempts to **600,000 to 800,000** and raisi...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
H score53
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
CampaignAbout this happening: The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Interpol-led Operation Synergia III cybercrime takedown
Law Enforcement
H score11
First: 13.03.2026 18:15
Last: 13.03.2026 18:15
Sources 1
About this happening:
**Interpol** coordinated **Operation Synergia III**, and the **94 arrests** plus infrastructure seizures materially disrupted a cross-border **phishing** and **ransomware** case n...
Interpol-led Operation Synergia III cybercrime takedown
Law EnforcementAbout this happening: **Interpol** coordinated **Operation Synergia III**, and the **94 arrests** plus infrastructure seizures materially disrupted a cross-border **phishing** and **ransomware** case n...
Timeline
-
20.10.2025 15:42 2 articles · 8mo ago
Lumma Stealer slowdown after doxxing and Telegram compromise
Initial DisclosureTrend Micro reported that Lumma Stealer activity had decreased over the past couple of months after the identities of five alleged core members were exposed in an underground doxxing campaign targeting the Lumma Stealer group, also tracked as Water Kurita and Storm-2477. The disclosures published on Lumma Rats included personal, social media, financial, and password data, and the group's Telegram account was reportedly compromised, disrupting customer communications and sharply reducing C&C infrastructure activity. The slowdown followed a May law-enforcement operation and later rebuild on new infrastructure, and it pushed cybercriminals toward Vidar, StealC, and the PPI service Amadey as alternatives.
Show sources
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42