LUMMA STEALER STILL ACTIVE? AFTER FBI CRACKDOWN!

NOTE: This is an investigation story focused primarily on a single day following the Lumma Stealer crackdown, to show how active Lumma Stealer remained.

On May 21, 2025, Microsoft’s Digital Crimes Unit, in collaboration with global law enforcement agencies, including the FBI, Europol, and the U.S. Department of Justice, dismantled the Lumma Stealer malware network.

This time, the FBI, with the cooperation of Microsoft, had put an end to Lumma Stealer (as they claim) by seizing roughly 2,300 of its public-facing domains.

It is not surprising that the infamous Lumma Stealer came back to life just a few hours after the FBI crackdown on more than 2,000 of its domains!

The FBI defaced the Lumma Stealer website with the following message:-

Defacement set up by the FBI after the Lumma domain seizure

NOTE: The above image was taken from https://lum-market.fun/ which was seized by the FBI

LUMMA STEALER: FINDING INFRA 

There are various ways to find active Lumma Stealer infrastructure, such as HTTP fingerprinting, hashes, etc.

Following is the output of a FOFA search for Lumma Stealer:-

Results displayed for Lumma Stealer on FOFA

Notably, some domains are still active, such as: https://lummamarket.com/login

Lumma Stealer Panel Access

However, the operators remain quite active underground, with little hindrance from this FBI crackdown.

Lumma Stealer Advertisement

I have used the platform, and the following are some of the proofs acquired to gain insight:-

Info about collected data by Lumma Stealer

Here are a few more glimpses to solidify the evidence:-

Collected Data from Serbian Victim

The highlighted text indicates that Lumma Stealer is very much active and that the FBI operation did not disrupt its work.

LUMMA STEALER IN ACTION POST FBI DISMANTLE

The Telegram bot shop of Lumma Stealer is still active. To test this, I have acquired the following data:-

On this day, 95 machines were victimized by Lumma Stealer across 41 countries (at the time of writing, ATTOW).

Here is the leaked data, including passwords and cookies, as displayed by Lumma Stealer on 22nd May 2025, a day after the FBI crackdown on Lumma Stealer.

PASSWORDS & COOKIES FOR SALE BY LUMMA

This data was collected from the still-operational Telegram shop of Lumma Stealer.

Lumma Logs advertised on the Telegram Shop

The following are the observations:-

Stolen Passwords with Different Geography

The US is the major victim, with a password count of 5,486, followed by Brazil with 1,558 and Colombia with 534.

Along with passwords, Lumma Stealer is capable of stealing cookies, like other stealers.

Here is the breakdown of stolen cookies by geography:-

Stolen Cookies with different Geography

For cookies, Brazil tops the list with 39,124, followed by the US (with 33K) and India (with 18,359).

NOTE: The graph contains only the most affected entries, dropping countries with low infection counts. The complete list is below.

LUMMA VICTIM COUNTRIES: 22 May 2025
===================================

US
BRAZIL
CAMBODIA
PHILIPPINES
PAKISTAN
SOUTH AFRICA
INDIA
TUNISIA
IRAQ
SERBIA
BOSNIA & HERZEGOVINA
ROMANIA
COSTA RICA
IRAN
VENEZUELA
BANGLADESH
UAE
MALAYSIA
PORTUGAL
BOLIVIA
VIETNAM
GERMANY
CANADA
BRITISH VIRGIN ISLANDS
NEPAL
MOROCCO
INDONESIA
TANZANIA
DOMINICAN REPUBLIC
URUGUAY
COLOMBIA
ALGERIA
IVORY COAST
MEXICO
CAMEROON
KENYA
GAMBIA
GABON
HONG KONG
GREAT BRITAIN
THAILAND

Along with countries, I also found the IPs of machines infected by Lumma Stealer:-


CONCLUSION

As long as the Lumma infection remains in place, ransomware operators and other APT threat actors will not stop purchasing, as the subscription is dirt cheap and affordable to anyone.

This paves the way for criminals into the corporate environment by simply LOGGING IN rather than BREAKING IN!!!

OFFICIAL UPDATE

Lumma officially posted the following statement on a forum regarding the FBI defacement:-

Translated Version of Lumma Admin Message

On investigating further, we found more active Lumma Stealer panel login domains in the wild, such as:-

writintrvh.top
fedor-dostoevskiy.com
yuriy-andropov.com

Here is a screenshot of the same:-

Active Lumma Site

Checking the registration details, we can see that these domains were registered between 21st May and 23rd May 2025, after the FBI episode.

WHOIS Record of a fresh Lumma Stealer Panel Domain

This signifies that Lumma Stealer has not yet been busted by the FBI and the infection will continue…
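The registration-date check above is something a defender can automate for any suspect panel domain: pull the registry's RDAP record and flag anything created on or after the takedown date. The following is an added example, not code from the original post; the RDAP records and domain names in it are constructed placeholders, and the only page-derived value is the 21st May 2025 cutoff.

```python
"""Flag domains registered on/after a takedown date from RDAP records.

Added example (not from the original post). The records below are constructed
stand-ins for what a registry RDAP endpoint returns; the domain names are
placeholders, not the Lumma panel domains discussed in the post.
"""
from datetime import datetime, timezone, date
from typing import Optional

TAKEDOWN_DATE = date(2025, 5, 21)  # date of the Lumma domain seizure (from the post)

# Constructed RDAP-style responses. A live check would fetch the record over the
# network (e.g. a registry's /domain/<name> RDAP endpoint); not done here.
SAMPLE_RDAP = [
    {"ldhName": "panel-a.example",
     "events": [{"eventAction": "registration", "eventDate": "2025-05-22T09:14:00Z"},
                {"eventAction": "expiration", "eventDate": "2026-05-22T09:14:00Z"}]},
    {"ldhName": "panel-b.example",
     "events": [{"eventAction": "registration", "eventDate": "2025-05-23T18:02:31Z"}]},
    {"ldhName": "old-site.example",
     "events": [{"eventAction": "registration", "eventDate": "2019-11-03T00:00:00Z"}]},
    {"ldhName": "no-dates.example", "events": []},  # registry withheld the dates
]


def registration_date(record: dict) -> Optional[date]:
    """Return the UTC registration date from an RDAP record, or None if absent."""
    for event in record.get("events", []):
        if event.get("eventAction") == "registration":
            # RDAP timestamps are RFC 3339; older Pythons need the Z spelled out.
            stamp = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).astimezone(timezone.utc).date()
    return None


def classify(record: dict, cutoff: date = TAKEDOWN_DATE) -> str:
    """'post-takedown' if registered on or after cutoff, 'pre-takedown' if
    earlier, 'unknown' when the record carries no registration event."""
    created = registration_date(record)
    if created is None:
        return "unknown"
    return "post-takedown" if created >= cutoff else "pre-takedown"


def fresh_domains(records: list, cutoff: date = TAKEDOWN_DATE) -> list:
    """Names of the domains registered on or after the cutoff date."""
    return [r["ldhName"] for r in records if classify(r, cutoff) == "post-takedown"]


if __name__ == "__main__":
    for rec in SAMPLE_RDAP:
        print(f"{rec['ldhName']:<20} {classify(rec)}")
```

A domain that only shows up as "unknown" still deserves a manual look, since redacted or missing creation dates are themselves common on short-lived criminal infrastructure.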

IOCs

Here are the IOCs of Lumma Stealer observed on 22nd May 2025. Many more IOCs were observed in the wild, but they are not included here as they are out of scope for this content:-


NOTE: This article is purely individual research that belongs to THE RAVEN FILE and is not to be used or published anywhere without the author's consent.

Follow me on X/Twitter for interesting DarkWeb/InfoSec Short findings! 😉

Responses to “LUMMA STEALER STILL ACTIVE? AFTER FBI CRACKDOWN!”

  1. […] unfolded in the wake of the operation painted a starkly different picture—the buried infostealer resurrected itself mere hours after the official […]

  2. […] days after the operation, an automated Telegram bot that sells stolen credentials obtained by Lumma offered 95 logs from 41 countries for sale. As of May 29, the same bot contains 406 logs, showing a steady […]

  3. […] The Raven FileLumma Stealer Still Active? After FBI Crackdown! […]

  4. […] operation against cybercrime, international law enforcement pulled together. They took down the Lumma Stealer malware network, responsible for more than 10 million infections globally. LummaC, also […]
