Malware Developers Exposed in Coordinated Doxxing Campaign
The development team behind Lumma Stealer, one of the most prominent information-stealing malware families, has been targeted in an extensive doxxing campaign that leaked sensitive personal information of core members, according to a Trend Micro analysis. The campaign, which occurred between August and October 2025, exposed passport numbers, bank account details, email addresses, and online profiles of five individuals allegedly responsible for malware development and administration.
Underground Power Struggle Suspected
Security analysts suggest the doxxing campaign was likely carried out by competing cybercrime groups, representing what appears to be an internal power struggle within the underground ecosystem. “The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients,” the Trend Micro report stated. The consistency and depth of the leaked information suggests either insider knowledge or access to compromised accounts and databases.
Operational Disruption and Infrastructure Decline
The malware operation has experienced significant disruption following the doxxing campaign, with security researchers noting a substantial decline in new command and control (C2) infrastructure activity since September. Sources indicate that the identified individuals held various critical roles, including operational oversight and technical positions related to crypter development for malware obfuscation.
Further compounding the operation’s troubles, the group’s Telegram accounts were reportedly compromised on September 17, severely disrupting its ability to communicate with customers and coordinate distribution activities. The leak site, dubbed “Lumma Rats,” served as the primary platform for publishing the stolen personal information.
Market Shift to Alternative Information Stealers
With Lumma Stealer’s instability and loss of support, users are actively migrating to competing information stealers, according to underground forum discussions monitored by security researchers. Analysts suggest Vidar and StealC have emerged as the primary replacement options, with many cybercriminals transitioning their operations to these alternative platforms.
The disruption has also affected the broader cybercrime ecosystem, with pay-per-install (PPI) services such as Amadey experiencing reduced demand. These services have been widely used to deliver infostealer payloads, and the decline in Lumma Stealer activity has created ripple effects throughout the underground economy.
Law Enforcement Actions Compound Problems
The doxxing campaign represents just one of several significant blows to the Lumma Stealer operation. In May 2024, Microsoft and law enforcement partners disrupted the malware’s infrastructure by blocking over 2,000 domains associated with the operation. That takedown also identified 394,000 infected Windows computers and resulted in the seizure of the Lumma control panel.
First appearing in the wild in 2022, Lumma Stealer quickly rose to become one of the most notorious information stealers, which security analysts note “made it a prime target” for both law enforcement takedown operations and competitive exposure campaigns within the cybercriminal underground. The cumulative impact of these events has created what appears to be a potentially irreversible decline for the once-dominant malware operation.
It should be noted that the information contained in the doxxing campaign has not been independently verified, and the exact motivations behind the exposure remain subject to analysis by cybersecurity professionals.
References & Further Reading
This article draws from multiple authoritative sources. For more information, please consult:
- https://www.trendmicro.com/en_gb/research/25/j/the-impact-of-water-kurita-lumma-stealer-doxxing.html
- https://attack.mitre.org/software/S1025/
- http://en.wikipedia.org/wiki/Lumma
- http://en.wikipedia.org/wiki/Doxing
- http://en.wikipedia.org/wiki/Trend_Micro
- http://en.wikipedia.org/wiki/Cybercrime
- http://en.wikipedia.org/wiki/Malware
