
"The activity of the Lumma Stealer (aka Water Kurita) information stealer has witnessed a "sudden drop" since last month after the identities of five alleged core group members were exposed as part of what's said to be an aggressive underground exposure campaign dubbed Lumma Rats since late August 2025. The targeted individuals are affiliated with the malware's development and administration, with their personally identifiable information (PII), financial records, passwords, and social media profiles leaked on a dedicated website."
"Since then, Lumma Stealer's Telegram accounts were reportedly compromised on September 17, further hampering their ability to communicate with customers and coordinate operations. These actions have led customers to pivot to other stealers like Vidar and StealC. It's believed the doxxing campaign is driven by internal rivalries. "The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients," Trend Micro said."
Lumma Stealer activity dropped after alleged core members were doxxed in the Lumma Rats exposure campaign, which published their PII, financial records, passwords, and social media profiles on a dedicated website. The reported compromise of the operation's Telegram accounts on September 17 further disrupted communication with customers and coordination of the operation, prompting customers to migrate to alternatives such as Vidar and StealC. The exposure appears to be driven by internal rivalries and was accompanied by threats and accusations of betrayal within the cybercriminal community. The campaign's consistency and depth suggest insider knowledge or access to compromised accounts and databases.
Read at The Hacker News