US authorities seize domains linked to LummaC2 malware used to steal crypto and banking credentials

The U.S. Justice Department announced Wednesday that it has seized five internet domains linked to LummaC2, a malware tool cyber actors use to steal valuable information from millions worldwide.

The DOJ said in the Wednesday release that LummaC2 administrators used the seized domains to distribute malware, which stole browser data, autofill information, login credentials for banking services and crypto wallet seed phrases.

The FBI has discovered at least 1.7 million instances of information theft using the malware, the release added. 

LummaC2 malware can infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors.

“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said Matthew R. Galeotti, head of the DOJ's criminal division.

Authorities seized two domains on May 19, 2025. When LummaC2 operators responded by spinning up three new domains on May 20, the government swiftly seized them the following day. Visitors to these sites now encounter a DOJ notice signaling the domains’ seizure.

The coordinated crackdown involved a public-private coordination among the DOJ, FBI, Europol, Japan's Cybercrime Control Center and Microsoft. 

In a parallel move, Microsoft announced its independent civil action to disrupt 2,300 domains allegedly used by LummaC2 actors and their proxies.

"Disrupting the tools cybercriminals frequently use can create a significant and lasting impact on cybercrime, as rebuilding malicious infrastructure and sourcing new exploit tools takes time and costs money," Microsoft said in its blog post.