The FBI, in partnership with the Indonesian National Police, has dismantled the infrastructure behind a global phishing operation that used the off‑the‑shelf W3LL toolkit to steal thousands of victims’ credentials and attempt more than $20 million in fraud. Authorities detained the alleged developer, identified as G.L, and seized key domains connected to the phishing scheme, according to the FBI.
The W3LL phishing kit enabled criminals to create bogus login pages that mimicked legitimate portals to harvest credentials, and it was advertised for a fee of about $500. The FBI noted that the W3LL Store facilitated sales of stolen credentials and unauthorised access, with more than 25,000 compromised accounts peddled between 2019 and 2023, and that the operation has been active since 2017.
FBI officials described the campaign as a full‑service cybercrime platform, and Hunt[.]io reported that the kit primarily targeted Microsoft 365 credentials and used adversary‑in‑the‑middle techniques to hijack session cookies and bypass multi‑factor authentication. The takedown follows prior reporting that W3LL Store shut down in 2023, though the operation continued via encrypted platforms and rebranding, according to the FBI.