W3LL phishing kit takedown disrupts global credential theft and MFA bypass operation
The FBI and Indonesian authorities say they have dismantled the infrastructure behind the W3LL phishing kit, a phishing-as-a-service operation tied to large-scale credential theft and more than $20 million in attempted fraud. The FBI’s Atlanta field office said the operation targeted thousands of victims worldwide and led to the detention of the alleged developer in Indonesia, identified only as G.L.
The case matters because W3LL was not just a fake-login-page builder. According to the FBI, the kit captured both usernames and session data, which let attackers bypass multi-factor authentication and keep access to compromised accounts. That gave lower-skilled criminals a ready-made path into corporate systems without building their own tooling.
Investigators say the phishing kit sold for about $500 and sat inside a larger criminal ecosystem that included W3LLSTORE, a marketplace for stolen credentials, remote desktop access, and other cybercrime services. Public reporting and threat intelligence research show this ecosystem had already operated for years before the takedown and kept evolving after earlier exposure.
Why this takedown matters
This takedown hits a service that helped industrialize account compromise. The FBI said W3LL let criminals deploy phishing pages that closely copied trusted login portals, then use stolen credentials and session data to maintain access. That made the operation more dangerous than a basic password-stealing kit.
Group-IB, which investigated W3LL for years and shared findings with law enforcement, describes the ecosystem as one of the most sophisticated business-email-compromise-focused phishing operations it tracked. The company says W3LL’s tools enabled more than 500 cybercriminals and included a phishing kit called W3LL Panel, also known as OV6, plus a wider toolkit aimed at compromising Microsoft 365 accounts.
The operational model also explains why this case drew so much attention. According to the FBI, this was a first-of-its-kind joint cyber investigation between the FBI Atlanta field office and Indonesian law enforcement focused on a phishing kit developer. That gives the case weight beyond the arrest itself because it shows law enforcement trying to disrupt the developers and support services behind phishing, not only the end users.
How W3LL worked
At its core, W3LL sold a phishing kit designed to copy legitimate sign-in portals and trick users into handing over credentials. But the more important feature was adversary-in-the-middle (AiTM) capability. Group-IB says W3LL Panel could hijack session cookies, validate stolen credentials, and give attackers access to victim accounts after login.
That model fits a broader trend Microsoft has warned about in other phishing-kit investigations. Microsoft says modern AiTM phishing kits lower the barrier for less skilled attackers by making MFA bypass possible at scale through session theft. W3LL appears to have offered the same kind of advantage to cybercriminals targeting enterprise accounts.
W3LLSTORE expanded that business further. The FBI said the marketplace sold compromised accounts and remote desktop access, while Group-IB says the wider ecosystem also included tools for reconnaissance, phishing delivery, and victim data handling. In other words, buyers did not just get a phishing page. They could tap into a broader supply chain for business email compromise and account fraud.
Scale, victims, and what changed after exposure
The FBI says W3LLSTORE facilitated the sale of more than 25,000 compromised accounts between 2019 and 2023. It also said that after the operation rebranded and moved to encrypted messaging channels, the phishing kit targeted more than 17,000 victims worldwide between 2023 and 2024. Authorities tied the activity to over $20 million in attempted fraud.
Group-IB’s separate research suggests the full impact may stretch even further. In its earlier 2023 analysis, the company said W3LL-linked campaigns targeted more than 56,000 corporate Microsoft 365 accounts across the United States, United Kingdom, Australia, and Europe. The sectors included manufacturing, IT, financial services, consulting, healthcare, and legal services.
Even after earlier public exposure, W3LL did not disappear. Group-IB says the storefront briefly shut down, then reemerged under a new name through an automated Telegram bot. That point matters because takedowns can break infrastructure, but successful criminal services often try to re-form around new channels unless investigators keep pressure on the wider ecosystem.
W3LL at a glance
| Item | Confirmed detail |
|---|---|
| Main service | W3LL phishing kit / W3LL Panel |
| Core capability | Credential theft plus session theft for MFA bypass |
| Marketplace | W3LLSTORE |
| Price | About $500 for the phishing kit |
| Accounts sold through W3LLSTORE | More than 25,000 from 2019 to 2023 |
| Victims targeted after rebrand | More than 17,000 between 2023 and 2024 |
| Fraud linked by authorities | More than $20 million attempted |
| Law enforcement action | FBI seized infrastructure; Indonesian police detained alleged developer |
What defenders should take from this case
- Move high-value users to phishing-resistant authentication such as FIDO2 security keys where possible. Group-IB specifically recommends FIDO 2.0 against W3LL-style attacks.
- Monitor for suspicious session behavior, odd mailbox activity, forwarding rules, and unexpected account changes after login. Group-IB lists these as important signals in BEC-focused phishing incidents.
- Treat session-cookie theft as seriously as password theft. The FBI said W3LL captured session data specifically to bypass MFA and maintain access.
- Build controls around phishing-domain detection and takedown, not only inbox filtering. Group-IB says proactive detection of phishing infrastructure should sit inside a broader mitigation strategy.
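The session-reuse and mailbox-rule signals in the list above can be checked with a small correlation pass over sign-in and audit logs. The following is an added example written for this article, not tooling from the FBI, Group-IB or W3LL; the log field names and the records themselves are constructed, and the one-hour and thirty-minute windows are assumed thresholds.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): an interactive MFA sign-in,
# the same session id reused minutes later from a different IP and browser
# with no new MFA challenge, then a forwarding rule created in that session.
SIGNINS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Chrome/124", "mfa": True},
    {"ts": "2024-05-01T09:04:00", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.7", "ua": "Firefox/125", "mfa": False},
]
AUDIT = [
    {"ts": "2024-05-01T09:06:00", "user": "alice@example.com", "session": "S1",
     "op": "New-InboxRule", "forward_to": "ext@example.net"},
]

def _t(s):
    return datetime.fromisoformat(s)

def find_session_reuse(signins, window=timedelta(hours=1)):
    """Flag a session id that satisfied MFA once and was then reused from a
    different IP and user agent without a fresh MFA challenge. A session
    cookie replayed after AiTM theft looks exactly like this."""
    first, alerts = {}, []
    for ev in sorted(signins, key=lambda e: e["ts"]):
        key = (ev["user"], ev["session"])
        if key not in first:
            if ev["mfa"]:            # only anchor on an MFA-satisfied sign-in
                first[key] = ev
            continue
        base = first[key]
        if (not ev["mfa"] and ev["ip"] != base["ip"] and ev["ua"] != base["ua"]
                and _t(ev["ts"]) - _t(base["ts"]) <= window):
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "from_ip": base["ip"], "to_ip": ev["ip"], "ts": ev["ts"]})
    return alerts

def find_forwarding_after_reuse(reuse_alerts, audit, window=timedelta(minutes=30)):
    """Correlate a suspicious session with a forwarding rule created shortly
    after the reuse: the classic BEC persistence step."""
    suspicious = {(a["user"], a["session"]): _t(a["ts"]) for a in reuse_alerts}
    hits = []
    for ev in audit:
        when = suspicious.get((ev["user"], ev["session"]))
        if (when and ev["op"] == "New-InboxRule" and ev.get("forward_to")
                and timedelta(0) <= _t(ev["ts"]) - when <= window):
            hits.append({"user": ev["user"], "forward_to": ev["forward_to"], "ts": ev["ts"]})
    return hits
```

Both checks return structured alerts rather than printing, so they can feed a SIEM rule or a ticketing hook directly.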
FAQ
W3LL was a phishing-as-a-service operation centered on a phishing kit and a supporting marketplace. The FBI says it let criminals create fake login pages, steal credentials, capture session data, and bypass MFA.
Because it did not stop at usernames and passwords. The kit also captured session data, which let attackers keep access after login and bypass multi-factor authentication.
The FBI Atlanta field office and Indonesian law enforcement carried out the operation. The FBI described it as a first-of-its-kind joint cyber investigation targeting a phishing kit developer.
Not necessarily. Group-IB says W3LL previously reappeared through encrypted messaging after earlier exposure. The takedown is significant, but defenders should expect copycats and possible successor services. This is an inference based on the past rebrand pattern and how phishing-as-a-service ecosystems work.