{
	"id": "209838ab-073c-42ae-97b3-988782492598",
	"created_at": "2026-04-06T00:07:39.547257Z",
	"updated_at": "2026-04-10T13:12:40.96741Z",
	"deleted_at": null,
	"sha1_hash": "fba0fff4077d28e10c35e10b35a61a8ea43b2d22",
	"title": "Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39878,
	"plain_text": "Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation\r\nPublished: 2025-05-21 · Archived: 2026-04-05 21:51:26 UTC\r\nThe Justice Department announced today the unsealing of two warrants authorizing the seizure of five internet\r\ndomains used by malicious cyber actors to operate the LummaC2 information-stealing malware service.\r\n“The Department will continue to use its unique tools, authorities, and partnerships to disrupt malicious cyber\r\noperations and criminal networks,” said Sue J. Bai, head of the Justice Department’s National Security\r\nDivision. “Today’s disruption is another instance where our prosecutors, agents, and private sector partners came\r\ntogether to protect us from the persistent cybersecurity threats targeting our country. We are grateful for their work\r\nand dedication.”\r\n“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of\r\nvictims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said\r\nMatthew R. Galeotti, head of the Justice Department’s Criminal Division. “Today’s announcement demonstrates\r\nthat the Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the\r\ntheft of their personal information and their assets. The Department is also committed to working with and\r\nappreciates the efforts of the private sector to safeguard the public from cybercrime.”\r\n“The FBI is committed to disrupting the key services that cyber criminals rely on,” said Assistant Director Bryan\r\nVorndran of FBI’s Cyber Division. “That’s why, with our partners, we took action against the most popular\r\ninfostealer service available in online criminal markets, which is responsible for millions of attacks against\r\nvictims. 
Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and\r\nseize user panels. Together, we are making it harder, and more painful, for cyber criminals to operate.”\r\nAs alleged in the affidavits filed in support of the government’s seizure warrants, the administrators of LummaC2\r\nused the seized websites to distribute LummaC2, an information-stealing malware, to their affiliates and other\r\ncyber criminals. According to court documents, common targets for cybercriminals using malware like LummaC2\r\ninclude browser data, autofill information, login credentials for accessing email and banking services, as well as\r\ncryptocurrency seed phrases, which permit access to virtual currency wallets. As alleged in the affidavits, the FBI\r\nhas identified at least 1.7 million instances where LummaC2 was used to steal this type of information.\r\nThe government’s affidavit further alleges that the seized domains, also referred to as user panels, served as login\r\npages for the LummaC2 malware, allowing credentialed users and administrators to access and deploy\r\nLummaC2. On May 19, 2025, the government seized two domains. On May 20, 2025, as detailed in court\r\ndocuments, the LummaC2 administrators informed their users of three new domains that they had set up to host\r\nthe user panel. The next day, the government then seized those three domains.\r\nThe seizure of these domains by the government will prevent the owners and cybercriminals from using the\r\nwebsites to access LummaC2 to compromise computers and steal victim information. 
Individuals who now visit\r\nthe websites will see a message indicating that the site has been seized by the Justice Department, including the\r\nFBI.\r\nConcurrent with today’s actions and consistent with the Department’s approach to public-private operational\r\ncoordination, Microsoft announced an independent civil action\r\nto take down 2,300 internet domains also claimed to be used by the LummaC2 actors or their proxies.\r\nFBI’s Dallas Field Office is investigating the case.\r\nThe U.S. Attorney’s Office for the Northern District of Texas, the National Security Division’s National Security\r\nCyber Section, and the Criminal Division’s Computer Crime and Intellectual Property Section are handling the\r\ncase.\r\nThe U.S. Department of State's Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, offers a reward of up to $10 million for information\r\non foreign government-linked individuals participating in certain malicious cyber activities against U.S. critical\r\ninfrastructure in violation of the Computer Fraud and Abuse Act.\r\nAnyone with information on any other foreign government-linked malicious cyber actors or activity targeting U.S.\r\ncritical infrastructure should contact Rewards for Justice via the RFJ Tor-based tip line at:\r\nhe5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required). Learn more about\r\nRewards for Justice and their reward offers at RewardsforJustice.net.\r\nIf you believe you have a compromised computer or device, please visit the FBI’s Internet Crime Complaint\r\nCenter (IC3). 
You may also contact your local FBI field office directly.\r\nSource: https://www.justice.gov/opa/pr/justice-department-seizes-domains-behind-major-information-stealing-malware-operation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/justice-department-seizes-domains-behind-major-information-stealing-malware-operation"
	],
	"report_names": [
		"justice-department-seizes-domains-behind-major-information-stealing-malware-operation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434059,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fba0fff4077d28e10c35e10b35a61a8ea43b2d22.pdf",
		"text": "https://archive.orkl.eu/fba0fff4077d28e10c35e10b35a61a8ea43b2d22.txt",
		"img": "https://archive.orkl.eu/fba0fff4077d28e10c35e10b35a61a8ea43b2d22.jpg"
	}
}