Major Doxxing Campaign Targets Lumma Stealer Leadership
In a dramatic turn of events within the cybercrime underworld, the developers and administrators behind Lumma Stealer—one of the most notorious information stealers—have been exposed through a comprehensive doxxing campaign. According to industry reports, between August and October 2025 sensitive personal information on five key individuals allegedly responsible for the malware’s operations was leaked online, revealing passport numbers, bank account details, email addresses, and social media profiles.
The Fallout: Operational Disruption and Internal Conflict
The exposure campaign has significantly impacted Lumma Stealer’s operations, with security researchers observing a notable decline in new command and control infrastructure and reduced targeting of endpoints since September. According to analysis from Trend Micro, the doxxing appears to have been executed by competing cybercrime groups, suggesting an ongoing power struggle within the digital underground.
The leaked information was published on a website called “Lumma Rats,” accompanied by threats and accusations that the Lumma team had prioritized profits over operational security for their clients. The depth and consistency of the exposed data indicate either insider knowledge or access to compromised accounts and databases, though this has not been independently verified.
Communication Breakdown and Platform Compromise
The disruption extended to Lumma’s communication channels when their Telegram accounts were reportedly compromised on September 17, 2025. This breach further hampered their ability to coordinate operations and maintain customer relationships. According to industry experts, a representative from the group posted on an underground forum acknowledging that their Telegram accounts had been stolen, creating additional operational challenges for the already-reeling cybercrime operation.
Market Shift: Competitors Gain Ground
As Lumma Stealer faces unprecedented operational challenges, its users are actively seeking alternative information stealers. Underground forums and Telegram channels are seeing increased discussion about migrating to other platforms, with Vidar and StealC emerging as the primary replacement options. The instability and loss of support for Lumma Stealer have created a significant market opportunity for competing malware developers.
The ripple effects extend to pay-per-install services as well. Amadey, a PPI service widely used to deliver infostealer payloads, has experienced reduced demand corresponding with Lumma’s decline in activity. This demonstrates how interconnected the cybercrime ecosystem has become and how disruptions to major players can affect ancillary services.
Historical Context and Law Enforcement Actions
Lumma Stealer first appeared in 2022 and quickly rose to become one of the most prominent information stealers in the cybercrime landscape. Its position at the top made it an inevitable target for both law enforcement and competing criminal groups. In May 2024, Microsoft and law enforcement partners disrupted Lumma’s infrastructure by blocking over 2,000 domains and identifying 394,000 infected Windows computers.
This latest doxxing incident represents another significant blow to the operation, highlighting the volatile nature of cybercrime alliances and the increasing frequency of internal conflicts within these organizations. As related reporting notes, the exposure of core team members—including those responsible for operational oversight and for developing the crypter used to obfuscate the malware—suggests that even cybercriminals are not immune to the security breaches they perpetrate against others.
Broader Implications for Cybersecurity
This incident underscores several important trends in the cybersecurity landscape. First, it demonstrates that internal conflicts and competition within cybercrime groups can be as damaging as law enforcement actions. Second, it shows how dependent these operations have become on communication platforms like Telegram, making them vulnerable to account takeovers and communication disruptions.
Security professionals can leverage this situation to better understand the vulnerabilities within cybercrime ecosystems. The techniques and infrastructure associated with information stealers like Lumma are well-documented in resources like MITRE ATT&CK’s database, providing valuable intelligence for defense strategies.
As the cybercrime market continues to evolve, such internal exposures may become more common, potentially providing law enforcement and security researchers with unprecedented insights into these clandestine operations while simultaneously disrupting their activities through internal conflicts and competition.
References & Further Reading
This article draws from multiple authoritative sources. For more information, please consult:
- https://www.trendmicro.com/en_gb/research/25/j/the-impact-of-water-kurita-lumma-stealer-doxxing.html
- https://attack.mitre.org/software/S1025/
This article aggregates information from publicly available sources. All trademarks and copyrights belong to their respective owners.