Concise Cyber
Lumma Stealer Disrupted: Operators Lose Control of C2 Servers After Failing KYC

The operations of the prominent infostealer known as Lumma Stealer, or LummaC2, have been significantly disrupted. The cybercriminals behind the malware lost access to their command-and-control (C2) domains, halting the service for its affiliates. The disruption was not the result of a law enforcement takedown but of a compliance failure with the malware operators' domain registrar.

Domain Registrar Enforces ‘Server Hold’

The service interruption began when the malware's domain registrar, Reg.ru, placed the C2 domains under a 'server hold' status. This action was reportedly taken because the Lumma Stealer operators failed to provide the Know Your Customer (KYC) documentation the registrar had requested. In EPP terms, a hold status (serverHold at the registry level, clientHold at the registrar level) removes the domain from the DNS zone without deleting the registration, so the domain simply stops resolving. The hold therefore took the C2 infrastructure offline: affiliates could no longer reach their control panels, build new malware samples, or receive the data exfiltrated from victims' devices.
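Defenders tracking C2 domains can confirm a hold from the domain's RDAP record, where RFC 8056 maps the EPP serverHold and clientHold statuses to the strings "server hold" and "client hold". The following is an added example, not code from the article or from any of the parties it describes: it parses a constructed RDAP-style response (the domain names and statuses are placeholders, not Lumma infrastructure) and reports whether the domain is expected to resolve. A live check would fetch the record from the registry's RDAP endpoint instead of using the embedded JSON.

```python
# Added example: classify hold statuses in an RDAP domain record.
# The JSON documents below are constructed for illustration only.
import json

# RDAP status values (RFC 8056) corresponding to EPP statuses (RFC 5731) that
# pull a domain out of the zone. serverHold is applied by the registry,
# clientHold by the registrar; either one stops the name from resolving.
HOLD_STATUSES = {"server hold", "client hold"}

# Constructed record for a domain placed on server hold (placeholder names).
CONSTRUCTED_HELD = json.dumps({
    "objectClassName": "domain",
    "ldhName": "c2-placeholder.example",
    "status": ["server hold", "client transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.placeholder.example"}],
})

# Constructed record for a normally delegated domain (placeholder names).
CONSTRUCTED_ACTIVE = json.dumps({
    "objectClassName": "domain",
    "ldhName": "normal-placeholder.example",
    "status": ["active", "client transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.placeholder.example"}],
})


def parse_hold_state(rdap_json: str) -> dict:
    """Return the hold statuses on a domain and whether it should be in the zone.

    Status strings are compared case-insensitively; unknown statuses are ignored
    so the check keeps working if a registry adds vendor-specific values.
    """
    doc = json.loads(rdap_json)
    statuses = {s.strip().lower() for s in doc.get("status", [])}
    holds = sorted(statuses & HOLD_STATUSES)
    return {
        "domain": doc.get("ldhName"),
        "holds": holds,
        # A domain with any hold status is withdrawn from DNS even though its
        # nameservers are still listed in the record.
        "in_zone": not holds,
    }


if __name__ == "__main__":
    for record in (CONSTRUCTED_HELD, CONSTRUCTED_ACTIVE):
        state = parse_hold_state(record)
        print(f"{state['domain']}: holds={state['holds']} in_zone={state['in_zone']}")
```

The useful signal is the combination: nameservers are still present in the record, yet the status array carries a hold, which is exactly the "registration intact, domain dark" situation the article describes.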

Operator Response and Service Impact

Following the disruption, the Lumma Stealer operators used their official Telegram channel to communicate with their customers and affiliates. They confirmed the loss of control over their domains and stated they were actively working to restore the infrastructure. The group also promised to provide compensation to their affiliates for the operational downtime. The incident and the operators’ communications were observed and reported by cybersecurity threat intelligence firm KELA. Lumma Stealer operates as a Malware-as-a-Service (MaaS) and is known for its capabilities in stealing sensitive information, including credentials, browser extension data, and cryptocurrency wallet details.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons' work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/