Lumma Stealer activity decline after doxxing and Telegram compromise
Malware Activity
Summary
The Lumma Stealer malware-as-a-service operation saw a sharp drop in C&C infrastructure activity, disrupting customer communications and slowing infostealer operations. The decline followed exposure of five alleged core members' identities and a reported Telegram account compromise. The operation had rebuilt after a May law-enforcement action and remained active through June to September before the slowdown. The shift pushed cybercriminals toward Vidar, StealC, and Amadey as replacement options.
Related Happenings
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
UAE and Gulf cyberattack surge after Iran conflict escalation
Target Trend
First: 06.05.2026 08:30
Last: 06.05.2026 08:30
Sources 1
About this happening:
Cyberattack volume surged across the **UAE** and wider **Gulf** after military operations against **Iran** began, pushing daily breach attempts to **600,000 to 800,000** and raisi...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Interpol-led Operation Synergia III cybercrime takedown
Law Enforcement
First: 13.03.2026 18:15
Last: 13.03.2026 18:15
Sources 1
About this happening:
**Interpol** coordinated **Operation Synergia III**, and the **94 arrests** plus infrastructure seizures materially disrupted a cross-border **phishing** and **ransomware** case n...
Europol-coordinated Tycoon2FA takedown
Law Enforcement
First: 04.03.2026 19:01
Last: 04.03.2026 19:01
Sources 1
About this happening:
**Europol** coordinated a law-enforcement operation that **seized 330 domains** tied to **Tycoon2FA**, disrupting a **phishing-as-a-service** platform used for **credential theft*...
Latest development: 23.03.2026 23:52
CrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.
Timeline
20.10.2025 15:42 · 2 articles · 7mo ago
Lumma Stealer slowdown after doxxing and Telegram compromise
Initial Disclosure
Trend Micro reported that Lumma Stealer activity had decreased over the past couple of months after the identities of five alleged core members were exposed in an underground doxxing campaign targeting the Lumma Stealer group, also tracked as Water Kurita and Storm-2477. The disclosures published on Lumma Rats included personal, social media, financial, and password data, and the group's Telegram account was reportedly compromised, disrupting customer communications and sharply reducing C&C infrastructure activity. The slowdown followed a May law-enforcement operation and a later rebuild on new infrastructure, and it pushed cybercriminals toward Vidar, StealC, and the PPI service Amadey as alternatives.
Sources
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42