Cloudflare, MSFT + gov partners conduct mass disruption of largest global infostealer

Cloudflare, Microsoft, and Global Law Enforcement Disrupt World’s Largest Infostealer Network

Cloudflare’s threat intelligence team, Cloudforce One, announced its contribution to a massive operation to disrupt LummaC2, the largest global infostealer. Alongside Microsoft and international law enforcement partners (including the FBI, DOJ and others), Cloudflare took down Lumma Stealer’s core infrastructure: blocking malicious domains, banning accounts used to configure the domains, and targeting the digital marketplaces used to distribute and monetize it.

Lumma Stealer is the most prevalent infostealer, enabling large-scale theft of sensitive data, leaving consumers and enterprises at risk of identity theft, fraud and other downstream attacks. This disruption deals a major blow to the infostealer-as-a-service ecosystem and the cybercriminal networks that rely on it – so what happened? 

  • The operation worked to seize and facilitate the takedown, suspension and blocking of a significant number of malicious domains that formed the backbone of Lumma's infrastructure.

  • Cloudflare placed a new, Turnstile-enabled interstitial warning page in front of the malicious actors’ command and control server domains and Lumma’s Marketplace domains, and took action against the accounts that were used to configure the domains.

  • Coordinated with industry partners to take down Lumma’s domains with multiple relevant registries, ensuring that the criminals could not simply change the name servers and recover their control.
