Major Disruption Hits Lumma Stealer Operations

The operational activity of the prolific information stealer known as Lumma Stealer has experienced a significant and sudden decline. This disruption follows an aggressive underground campaign that targeted the anonymity of the malware’s key operators. The malware, also tracked by security researchers as Water Kurita, has been a persistent threat, but recent events have dealt a considerable blow to its distribution and use in the cybercriminal ecosystem.

The downturn in activity is directly attributed to an exposure campaign dubbed “Lumma Rats,” which commenced in late August 2025. This campaign successfully identified and publicly revealed the identities of five individuals alleged to be core members of the Lumma Stealer group. According to reports, these individuals are directly affiliated with the malware’s development and administration, placing them at the center of the criminal enterprise.

The Impact of the ‘Lumma Rats’ Doxxing Campaign

Since the doxxing campaign began, observers have noted a “sudden drop” in Lumma Stealer’s presence. The public exposure of its leadership appears to have created a direct and immediate impact on the group’s ability to operate effectively. By targeting the individuals behind the malware rather than the infrastructure alone, the “Lumma Rats” campaign successfully undermined the operational security of the cybercriminal group. This event highlights how targeting the human element of a cybercrime operation can lead to its significant disruption, affecting the entire supply chain that relies on the stealer malware for initial access and data theft.