Normally when we write about a malware operation being disrupted, it's because it has been shut down by law enforcement. But in the case of Lumma Stealer, a notorious malware-as-a-service (MaaS) operation used to steal passwords and sensitive data, it appears to have been sabotaged by other cybercriminals.
Lumma Stealer, also known as Water Kurita and Storm-2477, first came to prominence in 2022 and, by the end of 2024, had seen a dramatic 369% increase in reports, according to research published by anti-virus firm ESET.
Earlier this year, for instance, Microsoft researchers noted how they had often seen Lumma Stealer being deployed by ransomware groups as part of their attacks.
The hard truth was that the malware, available for purchase through hacking forums and Telegram, made it relatively simple for wannabe cyber-criminals to target consumers and businesses, grabbing browser-stored passwords, accessing cryptocurrency wallets, and other sensitive information.
However, as security researchers at Trend Micro explain, Lumma Stealer has itself become a target of cyber-criminals.
It appears that the people behind Lumma Stealer have been "doxed": their personal identities have been published online, exposing what are claimed to be their real names, passport scans, bank account details, and social media profiles.
The information was posted on a website called "Lumma Rats."
One wonders if Lumma Stealer's developers and administrators recognise the irony that their own sensitive information has been leaked, after they have spent years assisting in the theft of innocent people's data.
The impact on Lumma Stealer appears to have been dramatic. Its activity has dropped sharply: its Telegram channels have been compromised, and fewer new infections are being detected. Its customers (who are, remember, other cyber-criminals who use its malware) appear to have lost trust in Lumma Stealer and have switched to competing services instead.
Lumma Stealer's reputation amongst cyber-criminals is, frankly, in the gutter. And I don't think anyone in the business of protecting businesses from the threat of cyber-attack will shed a tear for them.
Unfortunately, the fall of one cybercrime operation does not mean that the overall threat has gone away.
Rival malware services are vying for the attention of Lumma Stealer's displaced users. Some have even created webpages comparing their services to Lumma Stealer and describing its flaws.
With alternatives available, it seems likely that some cyber-criminals will view Lumma Stealer's collapse as little more than a short-term inconvenience.
Although this story plays out in the dark corners of the internet, important lessons must be learnt in the real world.
All organisations must recognise that stolen credentials are one of the easiest ways for hackers to break into their systems - meaning that multi-factor authentication and password managers are essential.
Unfortunately, the threat of being hacked will never disappear - it simply changes its appearance. Awareness, agility, and a layered defence are the key to defending your organisation.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.