FBI Cyber Leader: Threat Actors Need ‘No Technical Skills’ To Carry Out Advanced Attacks

The case of the prolific LummaC2 malware operation shows what MSPs are up against in an intensifying threat environment, according to FBI Supervisory Special Agent Nathan Hopp.

Threat actors no longer need to acquire the technical knowledge to develop malware in order to carry out highly sophisticated cyberattacks, according to an FBI cybersecurity leader.

During a keynote Monday at XChange Security 2026, FBI Supervisory Special Agent Nathan Hopp said that the case of the prolific LummaC2 malware operation shows what MSPs are up against in an intensifying threat environment.

[Related: Why MSPs Need To Become ‘Managed Trust Providers’ In The AI Era: Expert]

Hopp, who is supervisor of the FBI’s cybercriminal squad in Dallas, helped lead the disruption of LummaC2 in May 2025.

“We now live in a day and age where you don’t have to have any technical skills to facilitate a devastating attack,” he told an audience of MSP and MSSP executives during XChange Security 2026, which is hosted by CRN parent The Channel Company and being held this week in Frisco, Texas.

“LummaC2 is a prime example of that,” Hopp said. “You have to have no technical skills. You can buy your access, you can buy your piece of malware. And you can drop it on there and steal everything—I mean everything—from your victim.”

The case is emblematic of how malware-as-a-service has provided advanced cyberattack capabilities to threat actors who otherwise would be incapable of operating malware themselves, he said.

LummaC2 was an information-stealing malware tool offered through an inexpensive monthly subscription, and the subscription also included customer support.

Once installed, LummaC2 could steal browser data and autofill information, as well as credentials used to access email or banking services, the Justice Department disclosed in May 2025 while announcing the disruption of the LummaC2 operation.

The FBI identified at least 1.7 million instances in which LummaC2 was used to steal such information, the Justice Department said at the time.

LummaC2 targeted both individual users and businesses—and in many cases, the initial information-stealing malware deployment served as a precursor to ransomware or data extortion, Hopp said.

Notably, the LummaC2 platform was also used by nation-state threat actors, which could “very cheaply” gain access to robust malware while also being able to “hide in the noise” and make their activities more difficult to distinguish from typical cybercrime, he said.

For MSPs and their SMB customers, the decreasing level of expertise needed to launch attacks as a result of malware-as-a-service has been a major factor for years now, according to Tanaz Choudhury, president of TanChes Global Management, a Houston-based MSP.

Yet while larger businesses typically have more security personnel and infrastructure available to respond to such sophisticated attacks, smaller organizations lack those resources, Choudhury said.

“Smaller companies don’t have the privilege of having all of that infrastructure behind them,” she said. “That can be a lot more devastating [for an SMB]. The small guys are not going to be able to survive that.”

The widespread and rising usage of AI by threat actors—and the likelihood of quantum-accelerated attacks down the road—are only going to exacerbate the threats going forward to SMBs and the MSPs that aim to protect them, meanwhile, said Chesley Choudhury, chairman and founder of TanChes Global Management.

“In terms of MSPs in our country, I think, as a nation, we are all not prepared for what’s coming,” he said.