LUMMA STEALER STILL ACTIVE? AFTER FBI CRACKDOWN!
ID: e2b27365-07b4-52f9-9902-339038f186a8
STIX ID: report--e2b27365-07b4-52f9-9902-339038f186a8
Feed Name: THE RAVEN FILE
**Executive summary:** This investigation documents Lumma Stealer activity observed 21–22 May 2025. Despite an FBI seizure of ~2,300 public domains, operators quickly reconstituted infrastructure and continued selling harvested credentials and cookies via a Telegram shop. The report includes victim counts (global distribution and country breakdowns), victim IP lists, and IOCs (domains and IP addresses) demonstrating active exploitation and ongoing criminal commerce in stolen data.
