There has been a flurry of announcements in the past few days about disruption actions and law enforcement operations targeting malware-as-a-service (MaaS) operations. These malware operations have provided cybercriminals with initial access to networks, allowing them to steal credentials and sensitive data, commit fraud, and deploy ransomware. The infrastructure that supports the operations has been seized, along with millions in ill-gotten gains. The Department of Justice has also indicted more than a dozen individuals accused of developing, administering, and deploying malware such as DanaBot and QakBot.

Lumma Stealer Operation Disrupted
---

First came the announcement of a major disruption to the Lumma Stealer operation. Lumma is an information stealer MaaS operation that has been active since December 2022. Cybercriminals could purchase a subscription to use the malware for between $250 and $1,000 and target Windows and macOS systems.

The malware is usually distributed via GitHub comments, malvertising, deepfake nude generator sites, and other channels, and can steal data from web browsers and applications, including browsing histories, passwords, credit card details, and cryptocurrency wallets. After infection, data is collected and transmitted back to the operation’s servers, with campaigns controlled through a control panel.

Over two months, from March to May 2025, Microsoft identified 394,000 Windows computers that had been infected with Lumma. Assisted by law enforcement, the connections between the command-and-control servers and the malware were severed, and the control panel was seized, along with the marketplace for the stolen data and the Internet infrastructure supporting the operation, which included approximately 2,300 domains.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a [joint cybersecurity advisory](https://www.ic3.gov/CSA/2025/250521-2.pdf) this week, sharing information on how Lumma Stealer is used to steal sensitive data from organizations.

DanaBot Initial Access Malware Disrupted
---

A major operation has resulted in the dismantling of the infrastructure supporting the DanaBot MaaS operation. DanaBot is a banking Trojan and botnet malware that is commonly distributed via spam emails. The malware is used to steal credentials, credit card numbers, and cryptocurrency files, and to hijack infected systems; more recently, it has transitioned into a distributor of other malware families, including ransomware.

The malware has also been used to provide direct support for Russia’s military operations in Ukraine, and two sub-botnets have specifically been used for espionage purposes to support the Russian government’s interests. The malware has been used to infect more than 300,000 computers worldwide and has facilitated fraud and ransomware attacks that have caused at least $50 million in damage.

The takedown of the DanaBot infrastructure was part of Operation Endgame, an international law enforcement operation coordinated by Europol and Eurojust. Approximately 300 servers were seized, 650 domains were neutralized, and arrest warrants were issued against 20 individuals. Over EUR 3.5 million ($3.97 million) was seized during the action week, bringing the total Operation Endgame seizures up to EUR 21.2 million ($24.04 million).

In connection with this action, the U.S. Department of Justice has unsealed an indictment against 16 Russian nationals accused of developing, administering, and operating DanaBot. They include the suspected leader of the operation, Aleksandr Stepanov (aka JimmBee), 39, and Artem Aleksandrovich Kalinkin (aka Onix), 34, both of Novosibirsk, Russia.

Stepanov is believed to have worked with other co-conspirators to create and develop DanaBot, advertise it on Russian-language criminal forums, and sell subscriptions to use the malware. Kalinkin is accused of working in sales and supporting criminals who paid for subscriptions, and, along with co-conspirators, of attempting to use the data stolen from victims to fraudulently obtain money from financial institutions. Kalinkin faces a maximum sentence of 72 years in federal prison, while Stepanov faces a maximum jail term of 5 years. Both are at large and believed to be in Russia. Several of the indicted individuals were identified after inadvertently infecting their own devices with DanaBot, which stole sensitive data from their computers and stored it on the servers seized in the operation, where it was accessed by law enforcement.

QakBot Botnet Leader Indicted
---

In conjunction with Operation Endgame, the suspected leader of the QakBot botnet operation has been indicted. QakBot is a banking Trojan and botnet malware that was used to create a network of many thousands of infected devices. The malware serves as a backdoor into infected devices and, since 2019, has been used as a dropper for delivering a range of ransomware variants, including Conti, REvil, MegaCortex, and Black Basta. In exchange for providing initial access to corporate networks, the ransomware groups would pay a cut of any ransom payments they generated. The malware was used to infect more than 700,000 computers worldwide.

According to the indictment, Russian national Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, developed QakBot in 2008 and, along with others, further developed the malware and other malware variants. Through QakBot, ransomware was deployed in attacks on businesses, healthcare providers, and others, causing hundreds of millions of dollars in damage.

The infrastructure behind the operation was seized in 2023; however, Gallyamov continued to operate, changing tactics and switching to spam bomb attacks. The Department of Justice has filed a forfeiture complaint for the $24 million in digital assets seized from Gallyamov during that operation; a further 30 bitcoin and $700,000 in USDT tokens (approximately $4 million in total) were also seized by the FBI.

‘The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals,’ said U.S. Attorney Bill Essayli for the Central District of California. ‘The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.’

The post [Law Enforcement Disrupts DanaBot & Lumma Stealer Malware Operations](https://www.hipaajournal.com/law-enforcement-operations-lumma-stealer-danabot/) appeared first on [The HIPAA Journal](https://www.hipaajournal.com).