FBI takedown of W3LL phishing service leads to developer arrest

Summary

The FBI Atlanta Field Office and Indonesian authorities have shut down the W3LL phishing kit service and arrested its alleged developer in the first coordinated US-Indonesia enforcement action against a phishing kit creator. The platform sold phishing kits for $500 and operated a marketplace that facilitated the sale of over 25,000 compromised accounts between 2019 and 2023, with victims totaling more than 17,000 worldwide between 2023-2024. The kit was designed to steal credentials and session tokens to bypass multi-factor authentication, enabling business email compromise and invoice fraud attacks primarily targeting Microsoft 365 accounts.

Full text

FBI takedown of W3LL phishing service leads to developer arrest By Lawrence Abrams April 13, 2026 02:55 PM 0 The FBI Atlanta Field Office and Indonesian authorities have dismantled the "W3LL" global phishing platform, seizing infrastructure and arresting the alleged developer in what is described as the first coordinated enforcement action between the United States and Indonesia targeting a phishing kit developer. The W3ll Store was a phishing kit and online marketplace that enabled cybercriminals to steal thousands of credentials and attempt more than $20 million in fraud. "This Website Has Been Seized as part of a coordinated law enforcement action taken against W3LL STORE," reads a seizure message on w3ll[.]store website. "The domain for w3ll.store has been seized by the Federal Bureau of Investigation in accordance with a seizure warrant issued pursuant to 18 U.S.C. §§ 981 and 982 by the United States District Court for the Northern District of Georgia as part of a joint law enforcement action by the Federal Bureau of Investigation." Seizure banner shown on the W3LL Store siteSource: BleepingComputer The W3LL phishing kit sold for $500 and allowed attackers to create convincing replicas of corporate login portals to harvest credentials. The kit allowed threat actors to capture authentication session tokens, enabling attackers to bypass multi-factor authentication and gain access to compromised accounts. W3LL Store and W3LL Panel administrationSource: Group-IB The threat actor also offered a marketplace called W3LLSTORE, where stolen credentials and unauthorized network access were bought and sold. "This wasn't just phishing—it was a full-service cybercrime platform," said FBI Special Agent Charge Marlo Graham. Authorities say the marketplace facilitated the sale of more than 25,000 compromised accounts between 2019 and 2023, and even after W3LLSTORE shut down, the operation continued through encrypted messaging platforms, where the toolkit was rebranded and sold to other threat actors. Between 2023 and 2024, the phishing kit was used to target more than 17,000 victims worldwide, with investigators finding that the developer collected and resold access to compromised accounts. The W3LL phishing platform was previously linked to campaigns targeting Microsoft 365 corporate accounts and was designed to support business email compromise (BEC) attacks from initial access through post-exploitation. The phishing kit relied on adversary-in-the-middle attacks, which is when legitimate login portals are proxied through an attacker's infrastructure. This allows the threat actors to monitor for and intercept credentials, one-time MFA passcodes, and session cookies in real time. These session cookies could then be used to log into the compromised accounts without triggering MFA authentication challenges. Once access was obtained, attackers would monitor inboxes, create email rules, and impersonate victims to commit invoice fraud and redirect payments in BEC attacks. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: Tycoon2FA phishing platform returns after recent police disruptionNew VENOM phishing attacks steal senior executives' Microsoft loginsFBI: Americans lost a record $21 billion to cybercrime last yearDevice code phishing attacks surge 37x as new kits spread onlineNew EvilTokens service fuels Microsoft device code phishing attacks

Indicators of Compromise

• domain — w3ll.store
• malware — W3LL
• malware — W3LLSTORE

Entities