Authorities have carried out an elaborate global takedown against cybercriminals

Some infostealer operators bundle and sell this stolen data. More often, though, the stolen details are the gateway for hackers to launch further attacks, giving them what they need to access online accounts and the networks of billion-dollar companies.

"It's clear that infostealers are not just commodity malware," said Patrick Wardle, CEO of DoubleYou, a security company focused on Apple devices. "In many campaigns, they are really the first stage, collecting credentials, access tokens and other footholds, and then using them to launch more traditional high-impact attacks such as lateral movement, espionage or ransomware."

According to the FBI and CISA, Lumma Stealer first appeared on Russian-language cybercrime forums in 2022. Since then, its developers have upgraded its capabilities and released several different versions of the software.

For example, according to security company Trellix, they have been working on integrating AI into the malware platform since 2023. The attackers want these features to automate some of the work involved in sorting through the large volumes of raw data collected by infostealers, including identifying and separating out "bot" accounts, which are less valuable to most attackers.

A Lumma administrator told 404 Media and WIRED last year that they encourage both experienced hackers and new cybercriminals to use the software. "This has brought us a lot of revenue," the administrator said.

Microsoft said the main developers behind Lumma use the online handle "Shamel" and are based in Russia.

"Shamel offers different Lumma services through Telegram and other Russian-language chat forums," Microsoft's Masada wrote on Wednesday. "Depending on the service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal."

Kela's Kivillevich said that in the days before the takedown, some cybercriminals had begun complaining on forums about problems with Lumma, even speculating that the malware platform had been targeted by a law enforcement action.

“Based on what we’ve seen, there are all kinds of cybercriminals who admit they’re using Lumma, such as actors involved in credit card fraud, initial access sales, cryptocurrency theft and more,” Kivillevich said.

Among other tools, the Scattered Spider hacking group (which attacked Caesars Entertainment, MGM Resorts International and other victims) has been found using the Lumma stealer. Meanwhile, according to a report by TechCrunch, Lumma malware was allegedly used in the December 2024 breach of education technology company PowerSchool, in which more than 70 million records were stolen.

"We are now seeing infostealers not only evolve technically, but also play a more central role operationally," DoubleYou's Wardle said. "Even nation-state actors are developing and deploying them."

While infostealers are just one tool that cybercriminals use, their prevalence may make it easier for attackers to hide their tracks, said Ian Gray, director of analysis and research at security firm Flashpoint. "Even advanced threat actor groups are leveraging infostealer logs, or they risk burning sophisticated tactics, techniques and procedures (TTPs)," Gray said.

Lumma is not the first infostealer to be targeted by law enforcement. Last October, the Dutch National Police, together with international partners, took down infrastructure linked to the RedLine and META stealer malware, and the U.S. Department of Justice unsealed charges against Maxim Rudometov, one of the alleged developers and administrators of the RedLine infostealer.

Despite international crackdowns, infostealers have proven too useful and effective for attackers to give up. As Flashpoint's Gray says: "Even if the landscape eventually changes due to the evolution of defenses, the growing prominence of infostealers over the past few years shows that they are likely here to stay for the foreseeable future. Their use has exploded."