US Federal Bureau of Investigation (FBI) agents, working with Indonesia’s National Police, have dismantled the infrastructure behind the W3LL phishing kit, a global cybercrime service used to steal thousands of user credentials and attempt fraud schemes exceeding $20 million. During the coordinated action, law enforcement arrested the alleged developer, identified as G.L., and seized multiple domains and servers that powered the operation.
Global takedown of the W3LL phishing ecosystem
W3LL operated as a commercial phishing kit: a ready-made toolkit that allowed attackers to rapidly deploy fake login pages closely mimicking legitimate services. Once victims entered their usernames and passwords, those credentials were immediately captured and sent to the operators, granting remote access to email and cloud accounts.
According to Singapore-based security firm Group-IB, W3LL grew far beyond a simple kit into a full-fledged cybercrime ecosystem. Its underground marketplace, known as W3LL Store, catered to around 500 active threat actors. In addition to the core W3LL Panel phishing module, the store sold tools for business email compromise (BEC).
FBI reporting indicates that W3LL Store also served as a hub for trading stolen credentials and remote access, including Remote Desktop Protocol (RDP) logins and other system accesses. Between 2019 and 2023, more than 25,000 compromised accounts were advertised or sold through the platform. The developer behind W3LL had allegedly been active since at least 2017, previously creating mass-mailing utilities such as PunnySender and W3LL Sender to support large-scale spam and phishing operations.
How the W3LL phishing kit targeted Microsoft 365 and bypassed MFA
Adversary-in-the-Middle attacks and theft of session cookies
The primary focus of W3LL was corporate Microsoft 365 accounts, a critical target because access to business email is often the first step in BEC schemes that manipulate invoices, payment details, or sensitive communications. A March 2024 report by Hunt.io notes that W3LL heavily used an Adversary-in-the-Middle (AiTM) approach.
In an AiTM phishing attack, the victim is quietly proxied through an attacker-controlled server that sits between the user and the legitimate Microsoft login page. While the victim sees what appears to be a genuine site and may even successfully pass multi-factor authentication (MFA), the attacker intercepts the entire exchange, including session cookies that prove the user is already authenticated.
With these stolen cookies, W3LL’s customers could bypass MFA protections by replaying the session and logging in without additional prompts. For organizations, this demonstrates that MFA alone is no longer sufficient when facing advanced phishing kits that can capture and reuse authentication sessions in real time.
Security best practices now increasingly emphasize phishing-resistant authentication, such as FIDO2 hardware security keys and passkeys, combined with device-based signals and robust monitoring for anomalous logins, including unusual geography, devices, or access patterns.
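The monitoring the article recommends can be made concrete: because an AiTM proxy captures a session cookie that the buyer then replays from their own infrastructure, the replayed sign-in keeps the same session identifier but arrives from a different IP, country or browser. The detection below is an added example, not code from the article, the FBI, Group-IB or Hunt.io; the record fields and the sample sign-ins are constructed and only loosely modelled on cloud identity sign-in logs.

```python
# Added example: flag likely session-cookie replay in sign-in records.
# Field names are assumptions (not a real log schema); records are constructed.
from datetime import datetime

SIGNINS = [  # constructed sample sign-ins; order does not matter
    {"ts": "2024-03-01T09:00:00Z", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "country": "US", "ua": "Chrome/Windows", "mfa": "completed"},
    {"ts": "2024-03-01T09:04:00Z", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.7", "country": "NL", "ua": "Firefox/Linux", "mfa": "satisfied_by_token"},
    {"ts": "2024-03-01T10:00:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.20", "country": "US", "ua": "Edge/Windows", "mfa": "completed"},
    {"ts": "2024-03-01T15:30:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.20", "country": "US", "ua": "Edge/Windows", "mfa": "satisfied_by_token"},
    {"ts": "2024-03-01T08:00:00Z", "user": "carol@example.com", "session": "S3",
     "ip": "192.0.2.5", "country": "US", "ua": "Safari/macOS", "mfa": "completed"},
    {"ts": "2024-03-01T14:00:00Z", "user": "carol@example.com", "session": "S3",
     "ip": "192.0.2.99", "country": "US", "ua": "Safari/macOS", "mfa": "satisfied_by_token"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_session_replays(records):
    """Group sign-ins by (user, session). The first event is the interactive
    login where MFA was completed; later events that reuse the session token
    (mfa == 'satisfied_by_token') from a different country or user agent are
    rated 'high', an IP-only change 'medium'. A replayed AiTM cookie shifts
    the fingerprint while the session id stays the same."""
    by_session = {}
    for r in sorted(records, key=lambda r: parse_ts(r["ts"])):
        by_session.setdefault((r["user"], r["session"]), []).append(r)
    alerts = []
    for (user, sid), events in by_session.items():
        origin = events[0]
        if origin["mfa"] != "completed":
            continue  # no interactive MFA baseline to compare against
        for ev in events[1:]:
            if ev["mfa"] != "satisfied_by_token":
                continue
            changed = [f for f in ("ip", "country", "ua") if ev[f] != origin[f]]
            if not changed:
                continue  # same fingerprint as the MFA login: normal token reuse
            severity = "high" if "country" in changed or "ua" in changed else "medium"
            minutes = (parse_ts(ev["ts"]) - parse_ts(origin["ts"])).total_seconds() / 60
            alerts.append({"user": user, "session": sid, "severity": severity,
                           "changed": changed, "minutes_after_mfa": minutes})
    return sorted(alerts, key=lambda a: a["severity"])  # 'high' sorts first
```

On the constructed data this yields a high-severity alert for alice (token reused four minutes after MFA from a new country and browser) and a medium one for carol (IP change only), while bob's same-device reuse is not flagged.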
Evolution, leaks, and copycat phishing kits
Analysis by French cybersecurity firm Sekoia of another kit, Sneaky 2FA, revealed code fragments apparently borrowed from W3LL, illustrating how successful tools often seed new generations of phishing kits. Over recent years, multiple cracked versions of W3LL have circulated on underground forums, further spreading its techniques beyond the original operators’ control.
Even after W3LL Store formally shut down in 2023, the operation did not disappear. According to the FBI, the kit was rebranded and redistributed via encrypted messaging platforms, continuing to be used in campaigns worldwide. From 2023 to 2024 alone, this rebranded kit was deployed against more than 17,000 victims across multiple countries.
Investigators also allege that the developer retained direct access to many compromised accounts, aggregating them and reselling the credentials to other cybercriminal groups. This model amplified the overall damage, as the same stolen data could fuel multiple, unrelated criminal schemes.
What the W3LL takedown means for enterprise cybersecurity
In its public statement, the FBI emphasized that dismantling W3LL’s infrastructure has removed a major enabler of unauthorized account access from the cybercrime ecosystem. A representative from the FBI’s Atlanta field office described W3LL not as a simple phishing campaign, but as “a cybercrime-as-a-service platform,” and stressed the importance of ongoing international cooperation to disrupt similar services.
For businesses, the W3LL case underscores how far phishing-as-a-service has evolved. Commercial kits dramatically lower the barrier to entry, allowing relatively inexperienced attackers to launch sophisticated campaigns with AiTM capabilities, MFA bypass, and targeted BEC attacks against Microsoft 365 and other cloud services.
Effective defense requires a layered strategy: regular security awareness training so employees recognize phishing signals; deployment of phishing-resistant MFA (hardware tokens, passkeys); strict access controls for email and cloud applications; and continuous monitoring of sign-in behavior by geography, device, and risk level. Rapid incident response workflows for suspicious messages or abnormal account activity are equally critical.
As law enforcement continues to take down high-profile platforms like W3LL, organizations should not assume the threat is diminishing. Successors, copycats, and cracked variants will continue to emerge. Regularly revisiting authentication strategies, email security controls, and user training in light of evolving phishing kits is essential for reducing exposure to the next W3LL-like operation.