Bad week for cybercriminals: Global crackdown hits three major malware operations
- Marijan Hassan - Tech Journalist
In one of the most coordinated weeks of global cybercrime enforcement in recent memory, authorities worldwide have dismantled three of the most prolific malware operations, striking blows against the Lumma Stealer, DanaBot, and Qakbot networks. The takedowns signal growing momentum in the fight against Malware-as-a-Service and international cybercriminal infrastructure.

Microsoft, DOJ target Lumma stealer malware
On May 13, Microsoft’s Digital Crimes Unit (DCU), in collaboration with the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Center, dismantled the core infrastructure behind Lumma Stealer, a widely used info-stealing malware. Lumma has enabled threat actors to loot bank accounts, compromise cryptocurrency wallets, and extort critical services like schools and hospitals.
Over 2,300 domains were seized or disabled, effectively severing connections to over 394,000 infected Windows machines globally. Many of these domains are now redirected to Microsoft-controlled sinkholes to monitor and prevent further abuse.
Lumma, a Malware-as-a-Service tool, has been a go-to weapon for cybercriminals since 2022 due to its ability to evade detection and mimic trusted brands like Microsoft. “This operation disrupts a key revenue stream for cybercrime and raises the cost of doing business for threat actors,” Microsoft said in a statement.
DanaBot developers unmasked, infrastructure seized
In a separate but equally significant move, the U.S. Department of Justice announced the disruption of DanaBot, a Russia-linked malware operation responsible for over $50 million in fraud and ransomware damages. Sixteen individuals were charged, including two key figures, Aleksandr Stepanov and Artem Kalinkin, believed to be based in Novosibirsk, Russia.
Ironically, several suspects were identified after accidentally infecting their own devices with the malware, exposing personal data stored on DanaBot’s servers. The malware had infected over 300,000 systems and was frequently used to build botnets for financial and espionage purposes.
The operation was part of Operation Endgame, a sweeping international effort to dismantle malware infrastructure. Dozens of DanaBot command-and-control servers were seized, mostly located in the United States.
Qakbot mastermind indicted after years of damage
In a final blow, the U.S. government unsealed charges against Rustam Rafailevich Gallyamov, the alleged mastermind behind Qakbot, a long-running malware family that has compromised over 700,000 devices and enabled some of the most destructive ransomware campaigns of the past decade.
Qakbot has been active since 2008, evolving from a banking trojan to a key tool for ransomware gangs including Conti, REvil, and Black Basta. Authorities have now seized more than $24 million in digital assets linked to Gallyamov, with additional seizures totaling millions more in recent months.
Despite the FBI dismantling the Qakbot botnet in 2023, Gallyamov allegedly continued operations until as recently as January 2025. His indictment and the asset forfeiture represent the culmination of a long-standing investigation tied to Operation Endgame.
Looking forward
The takedowns mark a pivotal moment in the battle against global cybercrime. As Microsoft and law enforcement agencies emphasize, public-private partnerships and cross-border collaboration were critical to these operations. While cybercriminals will undoubtedly regroup, the past week has shown that the walls are closing in.