
Lumma Stealer Activity Declines Following Doxxing of Core Members

1 unique source, 1 article

Summary


Lumma Stealer, a prominent information stealer, has seen a significant drop in activity over the past couple of months. This decline follows the doxxing of five alleged core group members, which exposed personal and operational details. The doxxing campaign, believed to be driven by competitors, has led to a sharp decrease in command-and-control (C&C) infrastructure activity and disrupted the group's communications. The doxxing included sensitive information such as passport numbers, bank account details, and social media profiles. The group's Telegram account was compromised, preventing effective communication with customers. As a result, cybercriminals have started seeking alternative information stealers like Vidar and StealC. The disruption has also impacted the pay-per-install (PPI) service Amadey, which was used for Lumma Stealer distribution.

Timeline

  1. 20.10.2025 15:42 1 article · 4h ago

    Doxxing Campaign Leads to Decline in Lumma Stealer Activity

    Over the past couple of months, Lumma Stealer has experienced a significant drop in activity. This decline follows the doxxing of five alleged core group members, which exposed personal and operational details. The doxxing campaign, believed to be driven by competitors, has led to a sharp decrease in command-and-control (C&C) infrastructure activity and disrupted the group's communications. The group's Telegram account was compromised, preventing effective communication with customers. As a result, cybercriminals are transitioning to alternative information stealers like Vidar and StealC, and the disruption has impacted the pay-per-install (PPI) service Amadey.


Information Snippets

  • Lumma Stealer, also known as LummaC2 Stealer or LummaC2, has been active since at least August 2022.

    First reported: 20.10.2025 15:42
    1 source, 1 article
  • The malware was targeted by a law enforcement operation in May 2025 but resumed activity two months later on rebuilt infrastructure.

    First reported: 20.10.2025 15:42
    1 source, 1 article
  • The doxxing campaign exposed personal and operational details of five alleged core members, including the malware’s administrator and developer.

    First reported: 20.10.2025 15:42
    1 source, 1 article
  • The doxxing campaign included sensitive information such as passport numbers, bank account details, and social media profiles.

    First reported: 20.10.2025 15:42
    1 source, 1 article
  • The group's Telegram account was compromised, disrupting communications with customers and leading to a decline in activity.

    First reported: 20.10.2025 15:42
    1 source, 1 article
  • Cybercriminals are transitioning to alternative information stealers like Vidar and StealC.

    First reported: 20.10.2025 15:42
    1 source, 1 article
  • The disruption has also affected the pay-per-install (PPI) service Amadey, which was used for Lumma Stealer distribution.

    First reported: 20.10.2025 15:42
    1 source, 1 article
  • The decline in Lumma Stealer activity may encourage new, stealthier infostealer variants to enter the market.

    First reported: 20.10.2025 15:42
    1 source, 1 article