FBI Seizes W3LL Phishing Kit, Developer Arrested in Indonesia
Joint FBI-Indonesian operation dismantles W3LL phishing platform behind $20M in fraud attempts. Developer arrested after 25,000+ stolen accounts sold since 2019.
The FBI Atlanta Field Office and Indonesian National Police have dismantled W3LL, a phishing-as-a-service platform that powered more than $20 million in fraud attempts against corporate Microsoft 365 accounts. Indonesian authorities arrested the alleged developer, identified only as G.L., marking the first coordinated U.S.-Indonesia enforcement action against a phishing kit operator.
"This wasn't just phishing—it was a full-service cybercrime platform," said Marlo Graham, FBI Atlanta Special Agent in Charge. U.S. authorities seized the infrastructure supporting the W3LL kit while Indonesian police detained the developer.
How W3LL Operated
W3LL consisted of two interconnected components. The phishing kit itself sold for approximately $500 per three-month subscription, with $150 monthly renewals. It enabled criminals to deploy fake corporate login pages that looked nearly identical to legitimate Microsoft 365 portals.
The platform's technical sophistication set it apart from commodity phishing kits. W3LL employed adversary-in-the-middle (AiTM) techniques to proxy authentication requests through attacker-controlled infrastructure. This allowed operators to intercept credentials in real time, capture one-time MFA codes as victims entered them, and steal session cookies after authentication completed.
With a valid session cookie in hand, attackers bypassed multi-factor authentication entirely—a technique we've seen repeatedly in enterprise credential theft campaigns targeting Microsoft 365. The victim completed a genuine login. The attacker walked away with full account access.
Once inside, W3LL users monitored inboxes and created mail rules to intercept communications—standard tactics for business email compromise schemes where attackers redirect payment instructions or impersonate executives to authorize fraudulent transfers.
Scale of the Operation
W3LLSTORE, the underground marketplace associated with the kit, operated from 2019 through 2023. During that period, operators peddled more than 25,000 compromised account credentials to an estimated 500 threat actors in the closed community.
After W3LLSTORE went dark, the criminal ecosystem adapted. Operators migrated to encrypted messaging platforms and continued selling access to the W3LL toolkit. Between 2023 and 2024, threat actors using W3LL targeted more than 17,000 additional victims worldwide.
This takedown follows a similar pattern we saw with Tycoon 2FA in March, when Europol and Microsoft seized 330 domains powering another massive phishing-as-a-service operation. That platform accounted for 62 percent of all phishing attempts Microsoft blocked at its peak. The W3LL operation, while smaller in scale, demonstrated the same MFA-bypassing techniques that have made these platforms so effective.
Industries Targeted
According to Group-IB research that first exposed W3LL in September 2023, the kit targeted a broad range of sectors:
- Manufacturing
- IT and consulting services
- Financial services
- Healthcare
- Legal services
The geographic focus concentrated on English-speaking markets—primarily the United States, United Kingdom, Australia, and Canada—along with Germany, France, the Netherlands, Switzerland, and Italy.
Why This Matters
Phishing-as-a-service platforms have democratized sophisticated attacks. A decade ago, bypassing MFA required custom development and technical expertise. Today, a $500 subscription grants access to turnkey infrastructure that captures session tokens and defeats the security control most organizations rely on to protect remote access.
The FBI's 2025 Internet Crime Report documented $20 billion in cybercrime losses, with business email compromise accounting for a significant portion. Platforms like W3LL sit at the center of that economy, providing the initial access that enables downstream fraud.
The W3LL developer's arrest sends a message, but the ecosystem will adapt. Dozens of similar platforms continue operating, and the adversary-in-the-middle technique has become standard practice. Organizations should assume that MFA alone won't stop determined attackers and should implement phishing-resistant authentication methods like hardware security keys or passkeys where possible.
What Organizations Should Do
- Deploy phishing-resistant MFA—FIDO2 hardware keys and passkeys resist adversary-in-the-middle attacks because they're bound to specific domains
- Monitor for suspicious mail rules—attackers creating forwarding rules or inbox filters is a classic BEC indicator
- Review conditional access policies—restrict session lengths and require re-authentication from unfamiliar locations
- Train employees on AiTM phishing—traditional "check the URL" advice doesn't help when session hijacking occurs after legitimate authentication
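The mail-rule indicator described above (attackers creating forwarding or deletion rules after an AiTM login) can be checked against Exchange audit events. The following detection logic is an added example, not code from the article or from any vendor; the record shape and field names (`Operation`, `UserId`, `ClientIP`, `Parameters` as name/value pairs) are assumptions modelled on common unified-audit-log exports, and the sample events are constructed.

```python
import json

# Constructed sample records shaped like Microsoft 365 unified audit log
# entries for Exchange inbox-rule operations (field names are an assumption;
# adapt to your tenant's export schema).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "payments@attacker-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.com"}]},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7", "Parameters": []},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FINANCE_TERMS = {"invoice", "wire", "payment", "bank", "ach"}
INTERNAL_DOMAINS = {"example.com"}  # the organisation's own mail domains


def _params(event):
    """Flatten the name/value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def score_rule_event(event, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons an inbox-rule event matches BEC tradecraft ([] if none)."""
    if event.get("Operation") not in RULE_OPS:
        return []
    p, reasons = _params(event), []
    for name in FORWARD_PARAMS:  # forwarding/redirecting outside the tenant
        if name in p and p[name].rsplit("@", 1)[-1].lower() not in internal_domains:
            reasons.append(f"forwards mail to external address via {name}")
    if p.get("DeleteMessage", "").lower() == "true":  # hide the intercepted thread
        reasons.append("deletes matching messages")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";")}
    if words & FINANCE_TERMS:  # rule keyed on payment-related subjects
        reasons.append("filters on finance keywords")
    if len(p.get("Name", "")) <= 2:  # blank or one-character names are a common tell
        reasons.append("rule name is blank or a single character")
    return reasons


def find_suspicious_rules(events):
    """Run the scoring over a batch of audit events and collect the hits."""
    return [{"user": e.get("UserId"), "ip": e.get("ClientIP"), "reasons": r}
            for e in events if (r := score_rule_event(e))]


if __name__ == "__main__":
    print(json.dumps(find_suspicious_rules(SAMPLE_EVENTS), indent=2))
```

Each hit carries the client IP so it can be correlated with the sign-in that preceded the rule creation, which is where an AiTM session typically shows an unfamiliar location.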
The takedown represents meaningful enforcement action, but the underlying business model remains profitable. As long as organizations depend on phishable authentication factors, these platforms will find customers.