Executive Summary
Insikt Group delivers a first-of-its-kind analysis of multiple Lumma affiliates operating within a vast, interconnected information-stealing ecosystem. The Lumma infostealer has been around since 2022, and its ecosystem is supported by a broad array of operational enablers, including proxy networks, virtual private networks (VPNs), anti-detect browsers tailored for multi-account management, exploit and crypting services, and detection evasion tools designed to ensure stealth and continuity. The investigation revealed previously undocumented tools and demonstrated that Lumma affiliates frequently operate multiple schemes simultaneously. For instance, one affiliate was identified operating rental scams, while others simultaneously leveraged multiple malware-as-a-service (MaaS) platforms, including Vidar, Stealc, and Meduza Stealer, likely to bolster operational agility, improve success rates, and mitigate the risks linked to detection and law enforcement takedowns. In addition, several Lumma affiliates are tied to distinct threat actor personas across underground forums, reinforcing their deep integration within the broader cybercriminal ecosystem.
In the short term, defenders should adhere to security best practices by monitoring for exfiltration events, deploying detections such as YARA, Sigma, and Snort rules to uncover both current and historical infections, restricting downloads from websites, and potentially using allow-lists. Organizations should train employees to recognize signs of illegitimate downloads, redirects associated with malvertising, and increasingly common techniques like ClickFix attacks. Additionally, defenders should monitor dark web and underground forums for leaked credentials and malware logs. In the long term, defenders must continuously observe the cybercriminal ecosystem to anticipate emerging threats and adapt security policies and practices accordingly.
Looking ahead, Insikt Group anticipates that the MaaS Lumma and its affiliate network will remain active, having long been a frontrunner in the cybercriminal ecosystem due to its technical sophistication, rapid adoption of new techniques, and demonstrated resilience, as evidenced by its ability to reestablish infrastructure within days of a major law enforcement takedown. While the long-term impact of such operations on Lumma’s MaaS affiliate network remains uncertain, there has been no indication of affiliates abandoning the platform or of viable alternatives emerging. Ultimately, Lumma and its affiliates exemplify how modern cybercriminal operations operate as decentralized networks, where even effective disruptions often yield only short-term setbacks. Achieving sustained mitigation will require persistent law enforcement pressure and focused intelligence efforts to monitor and counter the evolving tactics of individual affiliates.
Key Findings
- Insikt Group uncovered previously unreported tools used by Lumma affiliates, including a cracked email credential validation tool circulated on underground forums and a phishing page generator tied to another actor active across multiple forums.
- Lumma affiliates were observed running multiple scams in parallel, some enabled by their use of Lumma, such as using stolen logs for rental fraud. In addition, several affiliates appeared to use multiple infostealers simultaneously, including Vidar, Stealc, and Meduza Stealer, to maximize success rates and mitigate disruptions from detection or law enforcement action.
- Lumma affiliates heavily rely on underground and specialized carding forums as essential operational hubs. They leverage these platforms to recruit collaborators, obtain critical resources such as crypting services and privacy-enhancing services, and efficiently monetize stolen credentials, financial data, and infostealer logs through built-in black markets, fraud tools, and community-backed support networks.
Background
Lumma, sometimes referred to as LummaC2, was the most widespread infostealer in 2024 based on Recorded Future’s malicious infrastructure analysis, and despite facing law enforcement actions in May 2025, it continues to pose a significant threat, actively exfiltrating data from individuals, organizations, and governments. While infostealers like Lumma are now a well-known menace in the cybersecurity landscape, many questions remain: What does a typical day look like for an infostealer affiliate? How do they operate, who are they, what other activities are they involved in, where are they based, and how are the stolen logs ultimately used?
Over the past twelve months (the second half of 2024 through the first half of 2025), Insikt Group has conducted a comprehensive investigation into a broad network of Lumma affiliates operating across multiple countries. Drawing on a wide range of intelligence sources, including two affiliate guidance manuals (see Figure 1), Recorded Future Malware Intelligence, Recorded Future Identity Intelligence malware logs, and other proprietary investigative methods, Insikt Group has uncovered detailed, unique insights into these affiliates' operations and tradecraft.
The findings are presented in two sections: The first examines the affiliates’ technical ecosystems, detailing their use of info-stealing techniques, favored tools and services, and recurring operational behaviors. The second explores how Lumma affiliates are embedded in the broader underground economy. It analyzes their participation in cybercrime forums, use of additional infostealer malware families, and involvement in other types of online fraud and scams.
Threat Analysis
Operational Infrastructure and Tradecraft
Privacy Enhancing Services
Proxy Services
Insikt Group observed multiple Lumma affiliates leveraging various proxy services, detailed in Table 1; Pia Proxy was the most frequently used service. Proxies can be used for legitimate purposes such as privacy and research, but they are frequently exploited by cybercriminals to mask identities, avoid detection, and bypass restrictions. Some services, such as ASocks and the malware-based FACELESS, among others, have been openly marketed on cybercrime forums; ASocks has been linked to fake VPNs that convert Android devices into proxies, while FACELESS leverages malware to hijack IoT devices for the same purpose. Insikt Group evaluated the proxy services by type based on several criteria, including whether they were promoted on cybercriminal forums.
Table 1: Proxy services used by Lumma affiliates (Source: Recorded Future)
Of note, in early 2024, Lumma began collaborating with the GhostSocks team, a residential proxy plugin, enabling affiliates to create SOCKS5 proxies from infected bots, as announced via Lumma’s official channel (see Figure 2) (1, 2). By 2025, Lumma expanded this offering, providing affiliates with backconnect proxy access to compromised machines. This allowed threat actors to conduct attacks that appeared to originate from the victim’s device, significantly improving their ability to bypass access controls such as Google’s cookie-based protections, a mechanism Lumma routinely exploits to refresh expired tokens.
In at least one instance, Insikt Group identified a Lumma affiliate linked to build ID vcs1q5 — and known as “blackowl23” on cybercriminal forums such as Cracked, Nulled, Sinisterly, Eternia, and Cracking during 2022 and 2023 — using IP addresses associated with the Ngioweb botnet. This botnet has been previously linked to the cybercriminal proxy service NSOCKS, as well as others such as VN5Socks and Shopsocks5. The associated IP addresses, likely no longer part of the botnet due to public reporting and other mitigating actions, are listed in Appendix A. Many of the IP addresses had been previously validated by Insikt Group and reported on publicly.
VPN Services
According to research conducted by Insikt Group, all analyzed Lumma affiliates were using VPN services in some capacity, with many using multiple providers. A selection of the VPN services observed in use by these affiliates is presented in Table 2.
Table 2: VPN services used by Lumma affiliates over the past year (Source: Recorded Future)
Anti-Detection and Multi-Account Browsers
Lumma affiliates frequently rely on specialized privacy-focused and anti-detect browsers (see Table 3) to evade identification, bypass security measures, and manage multiple fraudulent accounts simultaneously. These tools allow the threat actors to maintain operational security (OPSEC) by obscuring their true identity, location, and digital fingerprints. Among the most prevalent browsers used by Lumma affiliates is Dolphin, recognized widely as one of the best anti-detect browsers tailored explicitly for managing multiple threat actor-controlled accounts without detection. Dolphin’s capabilities are mirrored by Adspower, Hidemyacc, and Kameleo, which similarly facilitate seamless multi-account operations, thereby enhancing operational efficiency and anonymity. Octo Browser, another prominent tool among cybercriminals, provides advanced fingerprint masking, further complicating efforts by law enforcement and threat intelligence professionals to track threat activities to their source.
The Brave browser, while designed primarily for enhanced user privacy rather than outright anti-detection, appeals to threat actors due to its robust built-in security and privacy features, such as aggressive ad and tracker blocking. Although less explicitly tailored for multi-account management, its privacy-focused approach provides valuable baseline protection for threat actors seeking to maintain anonymity online.
Table 3: Anti-detect browsers for multi-account management used by Lumma affiliates (Source: Recorded Future)
Hosting Providers
While Lumma supplies core C2 infrastructure through its MaaS offering, its affiliates rely on separate hosting providers likely aimed at supporting phishing efforts, payload deployment, and other malicious activity. Many of the hosting providers linked to the analyzed Lumma affiliates appear legitimate, but some stood out for seemingly catering directly to cybercriminals and enabling malicious activity, including AnonRDP, Bulletproof Hosting, and Hostcay, which have been used by the Lumma affiliate linked to the build ID re0gvc.
AnonRDP
AnonRDP (anonrdp[.]com) is a self-proclaimed bulletproof hosting provider specializing in anonymous VPS and RDP services, with a strong focus on privacy and resistance to takedown (see Figure 3). It requires no identity verification and accepts only cryptocurrency payments, such as Bitcoin and Monero, processed through the payment service provider NOWPayments and, allegedly, the cryptocurrency exchange ChangeNOW. Its tolerance of malicious activity is further confirmed by advertisements on deep web forums such as BreachForums, Hack Forums, Nulled, and Patched. As illustrated in Figure 3, the website explicitly acknowledges supporting activities such as hosting, distributing, or controlling botnets, remote access trojans (RATs), phishing, fraudulent content, spam, and more. According to public reports, AnonRDP is operated by Yashvir Keshave, an individual with a known history of involvement in the underground ecosystem, including config (configuration) creation, cracking tools, and digital account trading.
Following the arrest of Yuri Meruzhanovich Bozoyan, co-founder and CEO of Aeza Group LLC, on April 1, 2025, Insikt Group observed that AnonRDP had attempted to poach Aeza customers with 50% discounts. The extent of the poaching’s success remains uncertain.
Bulletproof Hosting
Similarly, Bulletproof Hosting (bulletproofhosting[.]org) markets itself as an offshore, privacy-centric hosting provider that offers anonymous, takedown-resistant infrastructure, accepts cryptocurrency payments, and has no ID requirements (see Figure 4). The website promotes lenient content policies, explicitly permitting adult material, piracy, gambling, and other content typically banned by conventional hosts. It claims to defend against DMCA notices, abuse complaints, and Spamhaus listings, using techniques like FastFlux and hosting in offshore or hardened facilities with minimal regulatory oversight. With 24/7 support managed by self-described “cyber-tech experts,” the platform is positioned as a resilient service catering to users seeking both anonymity and consistent uptime, which are often appealing to threat actors and controversial content operators.
HostCay
HostCay (hostcay[.]com) is a privacy-focused, offshore hosting provider founded in 2023 and operated by Netacel Inc., an international business company (IBC) registered in Seychelles. HostCay specializes in hosting services that prioritize freedom of speech, whistleblower support, and resistance to content takedown requests (see Figure 5). It is known for its support for anonymous crypto payments, no ID requirements, and strong free speech protections.
Lumma affiliates have also been observed leveraging numerous legitimate hosting providers and services, including the file hosting platform MEGA (mega[.]nz), the file and text sharing service Temp[.]sh (temp[.]sh), and the image hosting service ImgBB (imgbb[.]com). They have also made use of various URL shortening services such as shorturl[.]at and free-url-shortener[.]rb[.]gy.
Exploit and Crypting Services
One notable service supporting Lumma operations is run by an actor known as “@cryptexxx.” Rather than being a Lumma affiliate directly, @cryptexxx is the operator of a crypting and exploit service known as Hector (advertised via the domain hector[.]su) that caters to malware distributors, among others (see Figure 6). The HTML content of hector[.]su includes meta keywords — such as crypt, exe, exploits, chrome, bypass, lnk, url, xls, xll, doc, docx, pdf, builder, macro, or popup — indicating a broad toolkit for creating malicious payloads across various file formats (from Office macros to Chrome exploits). Forum discussions corroborate that this service provides fully undetectable (FUD) droppers and document exploits for delivering malware. For example, one hacker forum user explicitly directs others to “see URL exploit on hector[.]su” as a resource for a Gmail-attachable, FUD exploit. Such exploits often take the form of weaponized Office files, like malicious Excel add-in files (.XLL) or macro-laced documents, which can embed the Lumma payload and are designed to slip past email scanners and antivirus protections.
Recent evidence illustrates how these tools are used in practice. In mid-2025, an underground vendor advertised an updated Office exploit that is “up to date, works in 2025 and attachable on Gmail, plus FUD,” explicitly boasting that it can bypass Gmail’s filters. The same offering also highlights a Windows Defender runtime bypass, with an AV scan report showing 0/26 detections. This means a Lumma affiliate could generate a trojanized file (such as an Excel .xll file or a malicious shortcut/URL file) that delivers the stealer while evading both email gateway scanning and endpoint antivirus protections.
By leveraging @cryptexxx’s crypting service and exploit builder, the affiliate essentially outsources the difficult aspects of stealth and delivery. It is a clear example of the cooperative nature of LummaC2 operations: the malware developer provides the infostealer malware, the service operator (@cryptexxx) supplies an obfuscation and exploit toolkit, and the affiliate uses these tools to distribute the payload to victims.
Email-Linked Services and Tools
Insikt Group observed multiple Lumma affiliates using a range of email and spam-related services, including a credential validation tool known as “EMAIL SOFTWARE 1.4.0.9 cracked by Maksim” and a phishing page creation tool known as “DONUSSEF”, both of which have likely been deployed in at least one confirmed case.
EMAIL SOFTWARE 1.4.0.9 cracked by Maksim
EMAIL SOFTWARE 1.4.0.9 cracked by Maksim is a cracked version of a Windows .NET-based email credential verification tool (see Figure 7). It is designed to validate email and password combinations against mail servers using protocols like IMAP and POP3. Users can input large lists of email credentials (often referred to as "combo lists") to check which combinations are valid. The tool also allows users to search for specific keywords within email content. The tool is distributed as a password-protected .rar archive on various hacking and cracking forums (such as DemonForums or XReactor), with users reporting prices of up to $250 on underground marketplaces.
The tool features a user interface with several configuration options, including a status overview of processed email addresses, a control panel to start or stop validation, and proxy management capabilities, among other functionalities (see Figure 8).
Figure 8: Graphical user interface (GUI) of EMAIL SOFTWARE 1.4.0.9 cracked by Maksim
(Source: Recorded Future)
Insikt Group assesses that the Lumma affiliate blackowl23 has used or continues to use the tool to validate stolen credentials, which are then leveraged in the follow-on real estate scam detailed in the section blackowl23’s Involvement in Real Estate Scam, among other scams. Based on identified configurations, it is possible that the affiliate has customized the tool.
DONUSSEF
Insikt Group identified another tool, known as “DONUSSEF”, which was demonstrated in a publicly accessible video hosted on Google Drive at the time of analysis (see Figure 9). Believed to be used by blackowl23, the tool is designed to generate phishing pages via the command line using AI. It prompts the user to input URLs, a subject line, and a brief description of the intended phishing content, and then produces an HTML file as output.
The full range of phishing pages the tool can generate remains unclear, as Insikt Group was unable to independently test it. In the demo, it was shown creating only PayPal phishing pages (see Figure 10). Due to the unavailability of the actual HTML pages, Insikt Group was unable to assess their effectiveness or determine whether they have appeared in any known campaigns.
Through further investigation, Insikt Group identified a YouTube channel likely associated with the suspected creator of DONUSSEF. The actor used the channel to demonstrate at least two additional tools: one marketed as an email sender with a 100% inbox delivery rate, and another for SMS spamming (referred to as “ULTRA-checker.py” in the video). Both videos were uploaded on December 18, 2022, from a device using French-language settings. In one of the demo videos, the actor used and accessed two email accounts, ussefescobar@seznam[.]cz and ussefakkar@outlook[.]com, which are believed to be linked to the actor.
The ULTRA-checker.py tool includes references to two Telegram channels: @donussef and @rdpvendor. At least one of these accounts appears to be active in Telegram communities associated with spam-related tools (see Figure 11). Insikt Group found no additional links between the suspected creator of DONUSSEF and blackowl23.
Other Email Sender and Lead Generation Services
Insikt Group identified several other, often legitimate email-related services used by Lumma affiliates for multiple purposes, including Joz Data (jozdata[.]com), Mailchimp (mailchimp[.]com), Spamir (spamir[.]fr), and Mandrill (mandrillapp[.]com), among others. Joz Data provides validated, segmented email lists for marketing and lead generation. Mailchimp is a legitimate platform for designing and managing email campaigns. Spamir offers tools for bulk email and SMS delivery, often linked to spam or phishing activity despite being presented as a testing toolkit. Mandrill, a paid add-on to Mailchimp, is a transactional email API used to send one-to-one, event-triggered messages such as password resets and order confirmations via SMTP or API.
AVCheck and Alternatives
Like many threat actors deploying malware or related infrastructure, Lumma affiliates actively seek tools to test detection beyond standard sandbox environments. Over the past twelve months, Insikt Group observed multiple affiliates using at least two such services: AVCheck (avcheck[.]net), which was seized by law enforcement in May 2025; and, more recently, KleenScan (kleenscan[.]com). There were also signs that at least one affiliate used avscan[.]net, although its presence and nature could not be confirmed at the time of analysis, as the domain appeared to be listed for sale.
KleenScan is an alternative malware-scanning service frequently used by and marketed to cybercriminals to test malicious files, URLs, and domains against multiple antivirus engines (see Figure 12). It offers a user interface, API, and command-line client, and even a Telegram bot (@kleenscanofficialbot) for uploads and real-time or runtime scans, all while explicitly promising a "No Distribution" policy so that submitted samples will not be shared with antivirus vendors. Although Insikt Group observed Lumma affiliates using KleenScan prior to AVCheck’s seizure in May 2025, public reporting indicates that cybercriminals have increasingly turned to platforms like KleenScan as an alternative due to the seizure. Notably, KleenScan advertises hector[.]su (see Figure 12), an exploit broker further detailed in the section Exploit and Crypting Services.
Phone and SMS Services
Lumma affiliates heavily abuse virtual phone and SMS services (see Table 4) such as OnlineSim, SMS-Activate, and Zadarma. These platforms provide throwaway phone numbers for SMS or voice verification, which the threat actors use to bypass OTP-based security and create fake accounts without using personal identifiers. Lumma affiliates can automatically receive 2FA codes or activation PINs on virtual numbers, allowing them to register malware distribution sites, cloud drives, or messaging accounts without exposing their real phone lines. This identity obfuscation is crucial in the Lumma ecosystem, as it frustrates attribution and takedown efforts by making infrastructure ownership seem transient.
In practice, using these services for OTP bypass and fake account generation helps Lumma crews widen their attack surface. Disposable SMS numbers let attackers circumvent SMS-based two-factor authentication by redirecting one-time passcodes to attacker-controlled inboxes. This means that even if a stolen account is protected by SMS 2FA, Lumma affiliates can try to reroute the OTP to a virtual number they control, effectively nullifying the protection. Services like Zadarma (a VoIP provider) further enable criminals to receive calls or texts on virtual lines, or even perform spoofed voice calls as part of OTP interception bots and vishing schemes. Within the Lumma affiliate program, guides and community chatter encourage the use of these tools for operational security, from registering throwaway email and Telegram accounts to setting up C2 panels or scam payment accounts.
Table 4: Phone and SMS-linked services used by Lumma affiliates (Source: Recorded Future)
Messaging Platforms
Lumma affiliates integrate multiple secure messaging and information-sharing tools into their daily workflows to enhance operational security, maintain anonymity, and minimize digital footprints. Affiliates commonly use uTox, a decentralized peer-to-peer messaging client employing end-to-end encryption via the Tox protocol. This tool facilitates persistent, secure communications, supporting text, voice, and video messaging, and is frequently combined with Tor proxies to conceal affiliate identities and avoid central server dependencies.
Mobile affiliates within the Lumma ecosystem prefer secure XMPP-based Android applications like Xabber and c0nnect[.]pro. Both apps offer encrypted communications via off-the-record encryption, multi-account management, and compatibility with private, controlled XMPP servers, making them ideal for discrete coordination while on the move. Affiliates often configure these applications to run in tandem with Tor proxies, further obfuscating metadata and reducing digital exposure.
For scenarios requiring transmission of ephemeral, sensitive information, such as credentials, passwords, or instructions, Lumma affiliates frequently rely on Privnote, a web-based service that generates encrypted notes that self-destruct after being read once. This capability significantly reduces the affiliate’s potential forensic footprint by leaving no persistent records and enables secure, rapid exchanges of operational details.
Collectively, these tools form a layered communication architecture employed by Lumma affiliates, effectively balancing persistent communications, mobile flexibility, and ephemeral secure exchanges to minimize risks and enhance stealth.
Social Media Optimization
In at least one case, Insikt Group observed a Lumma affiliate leveraging the service Bosslike (bosslike[.]ru), which claims to offer free and rapid boosts for likes on platforms such as Instagram, VK, and TikTok (see Figure 13), likely in support of scam-related activities.
Affiliates’ Embedding in the Cybercriminal Ecosystem
Forum Involvement
Lumma’s affiliate ecosystem thrives on underground forums that act as hubs for collaboration, resources, and marketplaces. Russian-language cybercrime forums like XSS and Exploit serve as launchpads for Lumma’s MaaS, and they are where the stealer was initially advertised and vetted by the community. These forums attract technically adept threat actors and lend credibility to new malware offerings through reputation systems and moderator oversight. Affiliates frequent them not only to obtain Lumma builds but also to engage with trusted escrow and arbitration services, ensuring safer transactions when purchasing tools or settling disputes with partners. The established trust on forums like Exploit and XSS provides a reliable environment for affiliates to do business, from renting servers to resolving conflicts, under the watch of experienced moderators.
At the same time, mass-market cybercrime communities such as LolzTeam (zelenka[.]guru) have become a hotbed for recruiting and training the foot soldiers of Lumma’s operations. These more accessible forums host dedicated sections for “traffers,” threat actors who specialize in spreading infostealer malware, and are actively used to assemble affiliate teams and educate newcomers. On LolzTeam, for example, seasoned criminals advertise infostealer affiliate programs that provide novices with everything needed to start distributing malware. In one case, a team on LolzTeam offered free crypted Lumma builds and even SEO support to new recruits, taking a percentage of profits from stolen cryptocurrency assets. This low barrier to entry, combined with forum-posted tutorials on fraud techniques and operational security, turns platforms like LolzTeam into a workforce pool for infostealer distribution. The forums’ community-driven vetting, including rules against targeting certain regions and public feedback on schemes, further helps affiliates learn effective and “acceptable” tactics. Common fraud methodologies are frequently discussed and popularized on these boards, giving Lumma affiliates insight into monetization tricks and victim manipulation strategies.
Perhaps most critically, these underground forums provide ready-made marketplaces and services that Lumma affiliates leverage to monetize stolen data and optimize their campaigns. Infostealer logs are in high demand, and forums link affiliates to bustling marketplaces where this data is bought and sold. Russian Market (rm1[.]to), for example, is an automated shop accessible via forum circles that has been described as “the Amazon of stolen credentials” for its massive inventory and one-click purchase convenience. By late 2024, Lumma had become the dominant source of credentials on Russian Market, accounting for roughly 92% of stolen log listings, underscoring how extensively Lumma affiliates dump their haul on such platforms for profit. Other venues like LolzTeam’s own marketplace and xleet[.]pw similarly include sections for infostealer logs, compromised accounts, and digital goods, allowing affiliates to quickly sell data from Lumma infections to the highest bidder. Beyond data sales, forum marketplaces connect Lumma affiliates to initial access brokers and financial fraud services that help convert stolen information into cash. Affiliates can find buyers for enterprise login credentials or enlist money laundering and cash-out services advertised across these forums.
Underground forums double as one-stop shops for the technical and operational support that Lumma affiliates need. Dedicated threads run by the Lumma developers or peer community members offer technical assistance, update announcements, and troubleshooting advice in real time. This means an affiliate can turn to forum communities for help with builder configuration, antivirus evasion tips, or to share intelligence on law enforcement takedowns. The forums also host a range of malware-adjacent services crucial to running stealthy campaigns. Providers of bulletproof hosting, VPNs, and traffic distribution congregate on all major forums. The same service providers frequently advertise on multiple sites, which makes it easy for affiliates to obtain resilient servers and web domains to host Lumma malware. Crypting services are equally accessible; for instance, the popular Cassandra crypter and others are promoted in forum marketplaces, enabling affiliates to continuously encrypt and repackage Lumma payloads to evade antivirus detection.
There is a rich ecosystem of offerings, such as exploit kits, fake document templates, spambot rentals, and credential checkers, which affiliates can source from these communities to enhance their operations. Together, these forums provide Lumma affiliates with a comprehensive suite of tools that have been vetted by the community. This practical and operational value is why Lumma’s affiliate network remains deeply embedded in underground forums: they provide not only the means to deploy and hide the malware, but also the mechanisms to cash in on its outputs, all within a semi-structured community that enforces trust among thieves.
Carding Shops
Lumma Stealer affiliates turn to specialized carding shops like b1ackstash[.]cc, stashpatrick[.]io, BriansClub (see Figure 15) (bclub[.]cm and briansclub[.]cm), and binsoficial666[.]activo[.]mx to efficiently monetize the financial data they’ve stolen. Insikt Group notes that these sources vary widely in credibility; shops like BriansClub are considered authoritative within the payment fraud ecosystem, while binsoficial666[.]activo[.]mx has a very poor reputation. Unlike general cybercrime boards, carding websites are dedicated to trading payment data and attract a built-in customer base of fraudsters looking for credit card numbers, bank logins, and personal info. Lumma affiliates capitalize on this demand by selling freshly obtained card records and “fullz” in bulk, often earning a percentage for each sale through the forum’s escrow or shop system. In essence, carding platforms let Lumma affiliates quickly turn stolen card data into profit, with high-volume outlets like BriansClub historically trafficking millions of compromised cards supplied by malware affiliates.
Beyond sales, carding forums offer operational support for fraud that broader hacking forums do not. Lumma affiliates frequent these communities to learn and collaborate on card-not-present (CNP) fraud using stolen card credentials to buy goods or launder money online. The forums host vetted tutorials for abusing e-commerce sites and payment processors, helping thieves bypass anti-fraud measures. Members also advertise criminal services such as providing “drop” addresses (safe delivery points for goods bought with stolen cards) or converting illicit purchases into cash. Additionally, these forums supply validation tools and services critical to fraud operations. Lumma affiliates can purchase or access credit card checkers that automatically test which cards from their stealer logs remain valid and have credit available, ensuring they only spend time on live cards. They might also acquire Bank Identification Number (BIN) lists and other utilities, using the community’s pooled resources to maximize successful transactions. Carding sites enable Lumma affiliates to offload infostealer loot in bulk, complementing sales on broader crime forums. A single Lumma infection yields an expansive log of credentials, cookies, system data, and often multiple financial accounts; parsing and individually selling each asset can be labor-intensive. Carding marketplaces or associated breach data shops let affiliates resell entire stealer logs or specific datasets to other criminals who specialize in exploiting them. For example, high-value logs from Lumma, containing not just cards but bank account passwords or cryptocurrency wallet keys, are often posted on underground markets or offered via automated bot vendors shortly after exfiltration. This practice allows Lumma affiliates to monetize stolen information at scale: they can quickly sell bundles of fresh logs to brokers or fraud rings while focusing their own efforts on new infections. In tandem with general hacking forums, these carding forums provide the ecosystem for cashing out Lumma’s results. They offer a one-stop underground economy where affiliates convert stolen data into money through direct sales of CVVs and “fullz,” the provision of guidance and tools for fraudulent transactions, and the bulk resale of stolen logs. This significantly enhances both the profitability and practicality of Lumma operations.
Use of Additional Infostealers
Insikt Group observed several Lumma affiliates leveraging other infostealers alongside Lumma.
Meduza Stealer, Vidar, and CraxsRAT Used by Likely Mexico-Based Lumma Affiliate
The affiliate linked to Lumma build ID re0gvc, a likely Mexico-based threat actor operating under multiple aliases across various forums, was observed using Meduza Stealer infrastructure tied to IP address 195[.]133[.]18[.]15. Like Lumma, Meduza Stealer is a Windows-based MaaS infostealer, designed to extract credentials, browser data, and crypto wallets while evading detection through anti-analysis and geo-filtering techniques.
Insikt Group also identified high-confidence indicators that the same threat actor used Vidar, a Windows-based infostealer, along with medium-confidence evidence suggesting the use of CraxsRAT, an Android-based RAT, based on Telegram profile images likely tied to the affiliate (see Figure 17). While this indicates this affiliate may have also targeted mobile devices, Insikt Group found no associated samples, infrastructure, or campaigns to confirm this activity.
Stealc Used by Lumma Affiliate suffergrime
Another affiliate linked to Lumma build IDs test222 and eLMNFu, known as “suffergrime” on various forums and operating under multiple other aliases, including duckfuck, cryptplease, ultracool2201, borodach, and dedo4ek, appears to have used StealC alongside Lumma. Stealc is a modular, evasive information stealer written in C and distributed as an MaaS. More specifically, suffergrime has been observed interacting with the Stealc management panel on the URL hxxp://94[.]232[.]249[.]208/6a6fe9d70500fe64/main.php. Insikt Group assesses that the affiliate is likely a Spanish speaker, with indications suggesting a possible origin in South America.
worldmix10k’s Interest in Wallet and Vilsa Stealer
In addition to the cases above, Insikt Group observed a Lumma affiliate associated with build ID 1dacrp and likely known as “worldmix10k” expressing interest in two additional stealers: a “Wallet Stealer” previously hosted on a GitHub repository named “poopybuthoop”, and Vilsa Stealer, an infostealer that had been publicly reported on earlier. Although the GitHub repository was no longer accessible at the time of analysis, a historical snapshot was preserved by Ecosyste.
Notably, a search for the string “worldmix10k” led Insikt Group to a Lumma sample with the build ID “1dacRP--worldmix10k”, linked to the same affiliate. This sample used techmindzs[.]live and earthsymphzony[.]today as its C2 domains, as well as a SteamCommunity URL, hxxps://steamcommunity[.]com/profiles/76561199822375128, for dead drop resolving. Insikt Group could not identify the exact infection chains linked to the sample.
Involvement in Other Scams
Analysis of multiple Lumma affiliates over the last twelve months revealed that many are not only using multiple infostealers concurrently, as outlined in the section Use of Additional Infostealers, but are also likely involved in a variety of distinct scam operations. One of these scams, linked to the Lumma affiliate known as blackowl23, drew particular attention from Insikt Group and is explored in greater detail below.
blackowl23’s Involvement in Real Estate Scam
Insikt Group uncovered evidence indicating that blackowl23 has been involved in a real estate scam in which rental listings, likely both actor-created and compromised, on platforms like the German website WG-Gesucht were used to deceive victims into making payments before apartment viewings. As part of this scheme, blackowl23 has used the email addresses immo-total[@]outlook[.]com and mwimport[@]outlook[.]de (see Figure 19).
More specifically, the affiliate claimed to have had “bad experiences in the past with people wanting to rent the property,” stating that when they “got to the property, there was no one there,” which resulted in “cancelled business appointments, wasting time and money.” Using this as justification, they asked victims to make payments via Booking.com, asserting that the process was secure and that victims would be refunded if they were dissatisfied with the apartment (see Figure 20). Notably, the same URL path (property-aid-63785823-label-gen-832513841233) observed in this activity was also seen in the final-stage URL of a rental scam campaign reported by Fortian in 2024. In that instance, victims were deceived into reserving accommodations, and the domain used appears to be a typosquatting variant, booking[.]eu-apt-booking[.]homes, hosted via Cloudflare.
Hello,
Unfortunately, no, but here attached to this email you have the booking.com link from where you can rent and check the apartment.
After we receive the booking.com confirmation that the rent procedure and the payment is completed on the platform, we can arrange the visit or the move-in directly to the apartment.
We want to let you know that the rent procedure is secured by booking.com and if you don't like the apartment you will receive the money back without any problems directly to your bank account on the same day.
Here is the booking.com link where you can check the apartment and complete the rent procedure:
hxxps://REDACTED/property-aid-63785823-label-gen-832513841233/en/528104900
Let us know if you have any questions or concerns.
After you complete the rent procedure, please send us the confirmation of it.
Figure 20: Text sent to the target of a Lumma affiliate (Source: Recorded Future)
Insikt Group also uncovered supporting evidence that the affiliate employed a similar scheme: claiming to have escrow agents worldwide, sending victims a payment link to secure a reservation, and promising that the funds would be held safely and transferred to “one of [their] available bank accounts.” In this case, Insikt Group was unable to recover the actual payment link.
While the affiliate may have created their own accounts on platforms like WG-Gesucht, evidence shows they possess a large number of compromised WG-Gesucht credentials. Insikt Group hypothesizes that at least some of these credentials were stolen through the affiliate’s Lumma infections. In this context, it's important to note that while selling logs is generally lucrative, the value of certain credentials, such as those for platforms like WG-Gesucht, likely comes from their use in follow-on scams rather than direct resale, which may explain why some buyers may show limited interest in them.
Outlook
Insikt Group’s unique investigation into Lumma affiliates uncovered a large infostealing ecosystem enabled by a diverse set of tools and services, including proxies, VPNs, anti-detect browsers, exploit kits, crypting services, and malware detection tools. During the investigation, Insikt Group identified previously unreported tools and demonstrated how affiliates frequently run multiple scams in parallel, such as rental fraud, while leveraging additional infostealers like Vidar, Stealc, and Meduza Stealer, likely to enhance success rates and reduce the impact of detection or law enforcement disruption. Looking ahead, Lumma affiliates will likely further diversify their presence across specialized and niche forums, integrating more deeply with cryptocurrency-focused platforms and encrypted messaging ecosystems, complicating detection and disruption efforts.
While many tactics and tools appear standardized across affiliates, who are likely influenced by shared guides provided by the Lumma MaaS operators, meaningful operational differences exist. These nuances are crucial for defenders, as understanding individual affiliate behaviors offers a clearer picture of how specific threats emerge and evolve within a broader ecosystem. In addition, the findings underscore that many Lumma affiliates are not casual participants, but embedded actors with deep ties to the cybercriminal underground. Their adoption of layered tool sets and diversification across malware families suggests both maturity and adaptability.
Looking ahead, although recent law enforcement efforts temporarily disrupted Lumma’s infrastructure, the group’s swift recovery with minimal changes underscores its resilience and operational discipline. The longer-term impact of the law enforcement efforts on the individual affiliates hinges on Lumma’s ability to rebuild trust and retain them, a goal it pursues through swift restoration of its infrastructure, proactive communication, and likely feature enhancements. More broadly, the recent law enforcement operations underscore how modern cybercriminal operations function as decentralized networks, where even successful disruptions tend to have only short-term effects. Sustained mitigation will require ongoing law enforcement pressure and targeted intelligence to track the evolving tactics of individual affiliates, in addition to seeking to disrupt Lumma’s infrastructure.
Appendix A — Ngioweb Botnet-Linked IP Addresses Used by Lumma Affiliate blackowl23
Appendix B — Indicators of Compromise (IoCs)
Ngioweb IP Addresses:
38[.]91[.]107[.]2
38[.]91[.]107[.]229
51[.]83[.]116[.]4
66[.]29[.]129[.]52
67[.]213[.]210[.]115
67[.]213[.]212[.]50
162[.]210[.]192[.]136
174[.]138[.]176[.]77
174[.]138[.]176[.]78
195[.]154[.]43[.]189
209[.]159[.]153[.]19
212[.]83[.]137[.]94
212[.]83[.]138[.]186
212[.]83[.]138[.]245
212[.]83[.]143[.]103
212[.]83[.]143[.]118
212[.]83[.]143[.]159
212[.]83[.]143[.]191
Lumma Sample:
b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
Meduza Panel:
hxxp://195[.]133[.]18[.]15/auth/login
Stealc Panel:
hxxp://94[.]232[.]249[.]208/6a6fe9d70500fe64/main.php
Appendix C — MITRE ATT&CK Techniques
Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate