Lumma Stealer Activity Plummets After Doxxing Campaign Targets Core Operators
A targeted doxxing campaign leaked personal details of five alleged Lumma Stealer operators, causing a sharp decline in malware activity and migration of customers to rival infostealers.

Trend Micro researchers have documented a dramatic decline in Lumma Stealer activity (the operators are tracked by Trend Micro as Water Kurita) starting in September 2025, coinciding with an aggressive doxxing campaign that exposed the personal details of five alleged core members. The exposure, likely orchestrated by competitors, was followed by the compromise of the group's Telegram accounts and a significant drop in new malware samples and command-and-control (C&C) infrastructure.
The doxxing campaign, which ran from late August to early October 2025, published personally identifiable information including passport numbers, bank account details, passwords, and social media profiles of individuals purportedly responsible for administration, development, and other roles within the Lumma Stealer operation. The disclosures were hosted on a website called "Lumma Rats" and included threats and accusations of betrayal, suggesting insider knowledge or access to compromised accounts.
Following the leaks, Lumma Stealer's official Telegram accounts were reportedly stolen on September 17, further disrupting communication with customers and coordination of operations. Trend Micro's telemetry shows a steady decline from early September through early October in both the number of endpoints targeted and the amount of new C&C infrastructure observed, indicating severe operational setbacks.
As a result, customers of Lumma Stealer's Malware-as-a-Service platform have been migrating to rival infostealers, primarily Vidar and StealC. Related services like Amadey also saw reduced activity. The disruption has intensified competition among malware authors, potentially leading to new innovations and the emergence of new infostealer variants in underground markets.
This incident marks a significant shake-up in one of the most prominent information stealer operations of the year. Unlike previous law enforcement interventions, this disruption originated from internal cybercriminal rivalries and reputational attacks. The exposure of operator identities and infrastructure details, regardless of their accuracy, could have lasting repercussions on Lumma Stealer's viability, customer trust, and the broader underground ecosystem.
The decline in Lumma Stealer activity highlights how fragile a cybercriminal operation becomes once its key personnel are exposed. It also underscores the competitive nature of the underground market, where rival groups may resort to doxxing and account compromise to gain an advantage, and where a disruption of this kind can reshape the infostealer landscape as customers move to whichever alternative is available.