Cybersecurity researchers have uncovered a new wave of attacks where hackers deploy fake CAPTCHA verification screens to trick unsuspecting users into installing Lumma Stealer, a fileless malware designed to harvest sensitive data.
The malicious CAPTCHA screens, which look identical to legitimate ones, can even appear while browsing trusted websites. When users click the “I’m not a robot” checkbox, an error message pops up, instructing them to follow steps to “fix” alleged network instability. In reality, those steps execute malicious code that compromises the device.
According to security firm DNSFilter, more than 17% of users exposed to these fake CAPTCHAs interacted with them, an unusually high success rate for cybercriminal campaigns.
Lumma Stealer: A malware-as-a-service threat
First appearing in recent years, Lumma Stealer has become a persistent cyber threat. Unlike one-off malware strains, it operates as a subscription-based service, with monthly plans starting at $250. For criminals, the potential payoff far outweighs the entry cost: in 2023 alone, Lumma-related thefts were estimated at $36.5 million.
Microsoft, working with U.S. law enforcement, has seized thousands of domains hosting Lumma variants, but the malware quickly resurfaces. Security firm Trend Micro recently warned that Lumma Stealer has refined its tactics since May 2025, making it more effective at bypassing defenses.
The malware is capable of:
- Stealing passwords and login credentials
- Bypassing two-factor authentication (2FA) protections
- Draining crypto wallets
- Exfiltrating other sensitive personal and financial data
🚨 From stolen credentials to FBI disruption, the Lumma Stealer network shows how deep cybercrime runs, and how fast it can unravel. Discover how this Telegram-fuelled malware-as-a-service operation operated in plain sight, and what its takedown means for the threat landscape.… pic.twitter.com/J0UaNALL0a
— FalconFeeds.io (@FalconFeedsio) May 30, 2025
A growing threat to crypto holders
Lumma Stealer is particularly dangerous for cryptocurrency investors, as it can compromise browser-stored credentials and authentication tokens. With direct access to wallet information, hackers can siphon off digital assets in seconds.
Experts warn crypto users to adopt layered security practices:
- Use dedicated wallets for different purposes (trading, savings, DeFi, etc.)
- Consider cold wallets (offline storage) for substantial holdings
- Avoid storing sensitive keys and passwords in web browsers
- Always verify unexpected CAPTCHA requests before interacting
In an age where even a CAPTCHA can be weaponized, the best defense is vigilance.
