FBI, Indonesia take down W3LL phishing tool

A widely used phishing tool called W3LL was disrupted by the FBI and law enforcement agencies in Indonesia on Friday. The phishing kit allowed hackers to create fake websites that looked like legitimate login portals for just $500. 

The FBI’s Atlanta office said it “identified and seized infrastructure facilitating the phishing service.” The Indonesian National Police arrested the alleged developer behind the platform and also seized some critical domains tied to the platform. 

"This wasn’t just phishing — it was a full-service cybercrime platform," said Marlo Graham, a special agent in charge at FBI Atlanta.

The platform was designed to trick victims into entering credentials into fake portals, which would be captured and used to bypass multifactor authentication, allowing cybercriminals to maintain their access to accounts.

The FBI said the phishing kit was backed by an online marketplace called W3LLSTORE that offered up individuals’ login details and credentials for remote desktops. 

The platform advertised more than 25,000 compromised accounts for sale between 2019 and 2023 — enabling cybercriminals to “steal thousands of victims’ account credentials and attempt more than $20 million in fraud.”

Cyber experts at Group IB said the platform “served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, as well as 16 other fully customized tools for business email compromise (BEC) attacks.”

“Group-IB investigators identified that W3LL’s phishing tools were used to target over 56,000 corporate Microsoft 365 accounts in the USA, UK, Australia and Europe between October 2022 and July 2023,” the company said, noting that it was reporting its findings to law enforcement. In the last 10 months, the researchers said, W3LL’s earnings likely reached half a million dollars.

The W3LLSTORE shut down in 2023 but lived on through encrypted messaging platforms, according to the FBI. Cybercriminals continued marketing the tool, and from 2023 to 2024 it was used in attacks on 17,000 victims globally. 

The developer behind the platform, who the FBI identified only as G.L, allegedly personally collected and resold access to compromised accounts.

The FBI said last week that cyber-enabled fraud accounted for the overwhelming majority of all losses reported to their Internet Crime Complaint Center (IC3) in 2025, with a staggering $17.6 billion stolen.

The agency has taken down two large cybercrime forums in 2026 — subscription-based platform Leakbase and Russian marketplace RAMP. 

The FBI also worked with Nigerian police in December to arrest one of the alleged developers behind the RaccoonO365 subscription phishing kit. Like W3LLSTORE, RaccoonO365 was used to create fake Microsoft login portals aimed at harvesting user credentials and unlawfully accessing the email platforms of corporate, financial, and educational institutions.