FBI, Indonesia take down W3LL phishing tool
Summary
The FBI and Indonesian law enforcement disrupted W3LL, a widely used phishing kit and marketplace that let criminals build convincing fake login portals and trade harvested credentials. Authorities seized hosting infrastructure and domains, and arrested the alleged developer, identified only as G.L.
W3LL and its marketplace, W3LLSTORE, reportedly offered thousands of compromised accounts and tools designed to bypass multifactor authentication (MFA). Group-IB and the FBI link the platform to tens of thousands of targeted Microsoft 365 accounts and millions in attempted fraud.
Key Points
- W3LL was a full-service phishing platform enabling easy creation of fake login portals for about $500.
- FBI Atlanta seized infrastructure; Indonesian police arrested the alleged developer and took key domains.
- The kit captured credentials and was designed to bypass MFA, giving attackers persistent access to accounts.
- W3LLSTORE listed over 25,000 compromised accounts for sale between 2019 and 2023 and is linked to attempts to steal more than $20 million.
- Group-IB reported W3LL tools were used to target over 56,000 corporate Microsoft 365 accounts across multiple countries.
- Although W3LLSTORE shut down in 2023, the toolkit persisted on encrypted messaging platforms and continued to be used in attacks into 2024.
Context and relevance
This takedown sits within a broader FBI push against cybercrime marketplaces and subscription phishing kits that facilitate business email compromise and large-scale credential theft. The action follows other 2026 takedowns (Leakbase, RAMP) and mirrors international cooperation seen in prior arrests tied to similar kits like RaccoonO365.
For organisations and security teams this is significant: the operation targeted tools that specifically bypass MFA and monetise stolen access, highlighting persistent threats to enterprise email and remote-desktop access.
Author style
Punchy: a clear law-enforcement win that matters. This isn’t a small nuisance — it’s a dismantling of an organised, money-making phishing ecosystem that helped criminals scale MFA-bypassing attacks. If you care about corporate email security or incident response, this is worth digging into.
Why should I read this?
Quick heads-up: this matters because W3LL powered large-scale MFA-bypass attacks and a marketplace selling thousands of credentials. We’ve cut the noise — read this to understand why your Microsoft 365 tenants, remote-desktop access and staff login behaviours are still favourite targets, and why keeping tabs on phishing-kit trends is essential for defences.
Source
Source: https://therecord.media/phishing-takedown-indonesia-fbi
