Lumma Stealer Activity Declines Following Doxxing of Core Members
Summary
Lumma Stealer, a prominent information stealer, has seen a significant drop in activity over the past couple of months. This decline follows the doxxing of five alleged core group members, which exposed personal and operational details. The doxxing campaign, believed to be driven by competitors, has led to a sharp decrease in command-and-control (C&C) infrastructure activity and disrupted the group's communications. The doxxing included sensitive information such as passport numbers, bank account details, and social media profiles. The group's Telegram account was compromised, preventing effective communication with customers. As a result, cybercriminals have started seeking alternative information stealers like Vidar and StealC. The disruption has also impacted the pay-per-install (PPI) service Amadey, which was used for Lumma Stealer distribution.
Timeline
- 20.10.2025 15:42 · 1 article
Doxxing Campaign Leads to Decline in Lumma Stealer Activity
Over the past couple of months, Lumma Stealer has experienced a significant drop in activity. This decline follows the doxxing of five alleged core group members, which exposed personal and operational details. The doxxing campaign, believed to be driven by competitors, has led to a sharp decrease in command-and-control (C&C) infrastructure activity and disrupted the group's communications. The group's Telegram account was compromised, preventing effective communication with customers. As a result, cybercriminals are transitioning to alternative information stealers like Vidar and StealC, and the disruption has impacted the pay-per-install (PPI) service Amadey.
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
Information Snippets
- Lumma Stealer, also known as LummaC2 Stealer or LummaC2, has been active since at least August 2022.
  First reported: 20.10.2025 15:42 · 1 source, 1 article
  - Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- The malware was targeted by a law enforcement operation in May 2025 but resumed activity two months later on rebuilt infrastructure.
  First reported: 20.10.2025 15:42 · 1 source, 1 article
  - Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- The doxxing campaign exposed personal and operational details of five alleged core members, including the malware’s administrator and developer.
  First reported: 20.10.2025 15:42 · 1 source, 1 article
  - Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- The doxxing campaign included sensitive information such as passport numbers, bank account details, and social media profiles.
  First reported: 20.10.2025 15:42 · 1 source, 1 article
  - Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- The group's Telegram account was compromised, disrupting communications with customers and leading to a decline in activity.
  First reported: 20.10.2025 15:42 · 1 source, 1 article
  - Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- Cybercriminals are transitioning to alternative information stealers like Vidar and StealC.
  First reported: 20.10.2025 15:42 · 1 source, 1 article
  - Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- The disruption has also affected the pay-per-install (PPI) service Amadey, which was used for Lumma Stealer distribution.
  First reported: 20.10.2025 15:42 · 1 source, 1 article
  - Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- The decline in Lumma Stealer activity may encourage new, stealthier infostealer variants to enter the market.
  First reported: 20.10.2025 15:42 · 1 source, 1 article
  - Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42