{
	"id": "1e423590-4879-49aa-aa31-99fb8de3170e",
	"created_at": "2026-04-06T00:09:26.116156Z",
	"updated_at": "2026-04-10T13:11:36.703421Z",
	"deleted_at": null,
	"sha1_hash": "16ed313feb7972a23826f4499f9fba32fec5547d",
	"title": "Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 546846,
	"plain_text": "Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing\r\nBy: Junestherry Dela Cruz, Oct 16, 2025. Read time: 5 min (1254 words)\r\nPublished: 2025-10-16 · Archived: 2026-04-02 11:14:41 UTC\r\nKey Takeaways\r\nA targeted underground exposure campaign leaked sensitive details of alleged core members of Lumma Stealer (tracked by Trend Micro as Water Kurita), coinciding with a sharp decline in observed activity.\r\nThis exposure, along with the compromise of the threat actor’s Telegram accounts, caused a drop in Lumma Stealer activity for both new sample detections and C\u0026C operations.\r\nCustomers of Lumma Stealer’s operators have been migrating to alternative infostealer Malware-as-a-Service (MaaS) platforms, mainly Vidar and StealC, and related services like Amadey saw reduced activity.\r\nThis downshift in volume sparked aggressive competition among malware authors, possibly leading to new innovations and the rise of new infostealer variants in underground markets.\r\nIntroduction\r\nIn September 2025, we noted a striking decline in new command-and-control infrastructure activity associated with Lumma Stealer (which Trend Micro tracks as Water Kurita), as well as a significant reduction in the number of endpoints targeted by this notorious malware. This sudden drop appears to align with a targeted underground exposure campaign that has put the spotlight on individuals allegedly linked to the Lumma Stealer operation. Allegedly driven by competitors, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lumma Stealer’s infrastructure and communications.\r\nThis development is pivotal, marking a substantial shake-up in one of the most prominent information stealer malware operations of the year. While previous law enforcement interventions have played a critical role in combating cybercrime, this situation seems to have originated from internal cybercriminal rivalries and reputational attacks. The exposure of operator identities and infrastructure details, regardless of their accuracy, could have lasting repercussions on Lumma Stealer’s viability, customer trust, and the broader underground ecosystem.\r\nLumma Stealer’s decline\r\nLumma Stealer’s growth and wide adoption were due to its efficiency, support, and frequent updates. However, its dominance in the underground market made it a key target for international law enforcement, culminating in a coordinated takedown attempt in May 2025. Despite this, Lumma Stealer quickly resurfaced, along with its operators, restoring infrastructure and reengaging with customers. Beginning in June, activity levels remained high, with fresh samples continuing to appear in the wild, indicating both operator resilience and strong demand within the cybercrime ecosystem.\r\nhttps://www.trendmicro.com/en_us/research/25/j/the-impact-of-water-kurita-lumma-stealer-doxxing.html\r\nPage 1 of 7\r\nHowever, this period of stability was disrupted in September 2025, when we began to observe a steady decline in both sample detections and C\u0026C activity. This drop coincided with an aggressive underground exposure campaign targeting the individuals allegedly behind Lumma Stealer, resulting in significant operational setbacks for the malware’s operators.\r\nFigure 1. Lumma Stealer’s downward trend in the number of targeted endpoints (top) and network infrastructure sourcing activity (bottom) from early September to early October 2025.\r\nTimeline\r\nThe following sequence of events outlines the unraveling of Lumma Stealer’s operations during late 2025, based on public sources and internal telemetry:\r\nEarly September 2025: Trend telemetry began to register a steady decline in Lumma Stealer sample detections and C\u0026C activity.\r\nSeptember 17, 2025: Lumma Stealer’s official Telegram accounts were reportedly compromised or stolen.\r\nLate August to October 2025: A doxxing campaign published extensive personal and operational details of five individuals allegedly connected to the Lumma Stealer operation.\r\nFigure 2. A representative of Water Kurita/Lumma Stealer posting in an underground forum regarding their Telegram accounts being stolen\r\nIncident details\r\nThe decline in Lumma Stealer activity coincides with an aggressive underground exposure campaign targeting individuals allegedly affiliated with the malware’s development and administration. The campaign, which began in late August and continued through early October, systematically released personally identifiable information (PII), financial records, passwords, and social media profiles of five purported Lumma Stealer operators, which were shown on a website called \"Lumma Rats\".\r\nBased on the disclosed information, these were the roles of these individuals:\r\n1. Administration/management: Responsible for operational oversight.\r\n2. Development/technical: Focused on crypter development for malware obfuscation.\r\n3. Unknown roles: Three additional members whose specific functions were not disclosed but were significant enough to warrant extensive doxxing.\r\nFigure 3. Alleged Lumma Stealer threat actors were doxed on a website called \"Lumma Rats\"\r\nThe disclosures included highly sensitive details such as passport numbers, bank account information, email addresses, and links to various online profiles. The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients. The campaign’s consistency and depth suggest insider knowledge or access to compromised accounts and databases.\r\nFollowing these disclosures, Lumma Stealer’s Telegram accounts were reportedly compromised on September 17, further disrupting the operators’ ability to communicate with customers and coordinate operations. This has led to the previously mentioned reduction in new Lumma Stealer samples and observable C\u0026C infrastructure, indicating that the operation has been severely affected—whether through loss of key personnel, erosion of trust, or fear of further exposure.\r\nIt is important to note that the accuracy of the doxed information and the actual involvement of the named individuals have not been independently verified. The campaign may also be motivated by personal or competitive grudges, and attribution should be treated with caution.\r\nResponse in the underground ecosystem\r\nThe attempt by unknown threat actors to undermine the operation of Lumma Stealer has triggered notable shifts in the underground malware-as-a-service (MaaS) landscape. Customers who previously relied on Lumma Stealer have been observed actively discussing alternative information stealer solutions on forums and Telegram channels. Vidar and StealC have emerged as the primary replacement options, with many users reporting migrations to these platforms due to Lumma Stealer’s instability and loss of support.\r\nFigure 4. Vidar’s upward trend in file sourcing activity since September (based on Trend telemetry data from September 13 to October 9, 2025)\r\nThis transition is also affecting the broader ecosystem, including pay-per-install (PPI) services such as Amadey, which have been widely used to deliver infostealer payloads. As Lumma Stealer’s volume has decreased, Amadey has experienced a parallel drop in activity, suggesting reduced demand for its services in connection with infostealer distribution.\r\nFigure 5. Amadey’s downward trend in file sourcing activity suggests a reduced demand in services due to the decline in infostealer distribution (based on Trend telemetry data from September 13 to October 6, 2025)\r\nMeanwhile, other malware authors are capitalizing on the situation by aggressively marketing their own alternative offerings, with the goal of attracting former Lumma Stealer customers. This opportunistic promotion is fueling rapid innovation and intensifying competition among MaaS providers, raising the likelihood of new, stealthier infostealer variants entering the market.\r\nFigure 6. New infostealer ad comparing its services to Lumma Stealer and pointing out its flaws\r\nConclusion\r\nThe recent decline in Lumma Stealer activity demonstrates the volatile nature of the cybercriminal ecosystem, where even the most dominant malware families are vulnerable to both external law enforcement pressure and internal rivalries. As Lumma Stealer’s position at the top made it a prime target for takedown operations and underground exposure campaigns, its disruption has prompted shifts in the threat landscape, with competitors eager to fill the void and attract former customers. This situation illustrates an important point: in the world of infostealers (and in the cybercriminal underground in general), being number one means facing scrutiny and attacks from both defenders and competitors alike.\r\nRecommendations\r\nGiven the rapid migration away from Lumma Stealer, defenders should closely monitor the following:\r\nEstablished MaaS like Vidar and StealC: Continue monitoring for new campaigns, infrastructure, and samples associated with these increasingly popular alternatives.\r\nEmerging MaaS platforms: Track newly promoted infostealers and pay attention to underground discourse indicating shifts in customer preference.\r\nSource: https://www.trendmicro.com/en_us/research/25/j/the-impact-of-water-kurita-lumma-stealer-doxxing.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/j/the-impact-of-water-kurita-lumma-stealer-doxxing.html"
	],
	"report_names": [
		"the-impact-of-water-kurita-lumma-stealer-doxxing.html"
	],
	"threat_actors": [
		{
			"id": "5be99bea-0f77-492b-be61-e7cc225bbff4",
			"created_at": "2026-03-08T02:00:03.473966Z",
			"updated_at": "2026-04-10T02:00:03.983164Z",
			"deleted_at": null,
			"main_name": "Water Kurita",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Kurita",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16ed313feb7972a23826f4499f9fba32fec5547d.pdf",
		"text": "https://archive.orkl.eu/16ed313feb7972a23826f4499f9fba32fec5547d.txt",
		"img": "https://archive.orkl.eu/16ed313feb7972a23826f4499f9fba32fec5547d.jpg"
	}
}