The U.S. Department of Justice has announced the court-authorized seizure of five internet domains used to operate and distribute LummaC2, a widely deployed information-stealing malware. The action, conducted in coordination with the FBI and supported by private sector partners including Microsoft, is intended to disrupt one of the most popular malware services used by cybercriminals globally.

LummaC2 is a type of “infostealer” malware designed to collect sensitive user information from infected computers. This includes browser-stored credentials, autofill data, email logins, banking access information, and cryptocurrency wallet seed phrases. According to affidavits filed in support of the domain seizures, the FBI has identified over 1.7 million instances in which LummaC2 was used to harvest such data.

Once stolen, this information can be leveraged for further criminal activity, including identity theft, fraudulent financial transactions, and unauthorized access to personal and corporate accounts.

As outlined in court documents, the operators of LummaC2 used the seized websites to give credentialed users (i.e., other cybercriminals and affiliates) access to the malware’s deployment tools. The sites served as user panels, a central control point where users could configure attacks, view stolen data, and manage infected systems.

On May 19, 2025, federal agents seized two of these domains. In response, LummaC2 administrators reportedly attempted to regain control of operations by launching three new domains. However, within a day, those additional domains were also seized, cutting off access to the service.

Visitors to the seized domains are now met with a banner indicating that the site has been taken over by the U.S. Department of Justice and the FBI.

The disruption of LummaC2’s infrastructure is part of a growing trend in law enforcement’s approach to cybersecurity threats—combining legal authority, cross-agency coordination, and partnerships with private companies to proactively target the digital infrastructure that supports cybercrime.

“Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country,” said Sue J. Bai of the Justice Department’s National Security Division.

Microsoft, operating in parallel, initiated an independent civil action to dismantle a broader network of over 2,300 domains believed to be connected to LummaC2 actors or their associates. These actions highlight the importance of public-private collaboration in identifying and neutralizing evolving cyber threats.

According to the Justice Department, these domain seizures form part of a broader effort to prevent the theft of personal information and reduce the ability of cybercriminals to operate anonymously online.

While this operation has severely weakened LummaC2’s functionality, authorities stress the importance of continued vigilance and collaboration to mitigate cyber threats. The case also reinforces the need for individuals and organizations to maintain strong cybersecurity hygiene, such as using multi-factor authentication, updating software regularly, and avoiding suspicious links or downloads.