Lumma Stealer Developers Doxxed – Infosecurity Magazine

by CybrGPT

Lumma Stealer operations have been unravelling and a recent doxxing campaign targeted individuals allegedly affiliated with malware development and administration. 

Sensitive details of these core members have been leaked following the doxxing campaign. The attack is suspected to have been carried out by cybercrime competitors, according to a Trend Micro report.

Lumma Stealer is one of the most notorious infostealers and first appeared in the wild in 2022. Its position at the top “made it a prime target” for takedown operations and underground exposure campaigns, Trend Micro’s analysis noted.

In September, the security firm noted a decline in new command and control (C2) infrastructure activity associated with Lumma Stealer and a reduction in the number of endpoints targeted.

Trend Micro said this aligns with a targeted underground exposure campaign that has put the spotlight on five individuals allegedly linked to the Lumma Stealer operation.

The roles of those identified included operational oversight as well as more technical roles such as crypter development for malware obfuscation. Their information was shared on a website called Lumma Rats.

The information shared included passport numbers, bank account information, email addresses and links to various online profiles. 

“The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients. The campaign’s consistency and depth suggest insider knowledge or access to compromised accounts and databases,” the Trend Micro analysis said.

It is noted that this information has not been independently verified.

The doxxing took place between last August and October 2025.

Lumma Stealer distribution has been fueled by the use of Telegram. As part of the supposed doxxing, a representative of the group posted on an underground forum that their Telegram accounts had been stolen.

The Telegram accounts were reportedly compromised on September 17, further disrupting their ability to communicate with customers and coordinate operations.

While Lumma Stealer faces significant disruption, its users are now discussing alternative information stealer solutions on forums and Telegram channels. 

Trend Micro noted Vidar and StealC have emerged as the primary replacement options, with many users reporting migrations to these platforms due to Lumma Stealer’s instability and loss of support.

Shifts in pay-per-install (PPI) services such as Amadey have also emerged. PPIs have been widely used to deliver infostealer payloads, and with the recent drop in Lumma activity, Amadey has also experienced reduced demand.

In May 2024, Microsoft and law enforcement partners disrupted the infrastructure behind Lumma Stealer by blocking over 2,000 domains. The operation also identified 394,000 infected Windows computers and seized the Lumma control panel.


© 2025 cybrgpt.com – All rights reserved.