FBI and Indonesian police dismantle W3LL phishing platform, arrest developer

The takedown removes a service that enabled business email compromise (BEC) attacks against more than 17,000 victims worldwide and attempted more than $20 million in fraud across a seven-year operation.

What happened

The FBI Atlanta Field Office and the Indonesian National Police have dismantled the W3LL phishing-as-a-service platform, seizing its infrastructure and arresting the alleged developer, identified only as G.L. According to the FBI's official press release, the W3LL phishing kit sold for around $500 and allowed buyers to deploy convincing fake login pages that captured both credentials and session data, enabling them to bypass multi-factor authentication and maintain access to compromised accounts. The marketplace also sold stolen credentials and unauthorized system access. Between 2019 and 2023, W3LLSTORE facilitated the sale of more than 25,000 compromised accounts. After the store shut down in 2023, the operation moved to encrypted messaging platforms where the kit was rebranded and continued to be sold. Between 2023 and 2024, it was used against more than 17,000 victims worldwide, with the developer continuing to collect and resell access to compromised accounts. Authorities estimate the platform was tied to more than $20 million in attempted fraud.

Going deeper

W3LL was not a basic phishing tool. It operated as a full-service platform for cybercriminals, providing fake login pages, a marketplace for stolen credentials, and additional tools for carrying out business email compromise (BEC) attacks. Once attackers gained access to a victim's account, they would monitor the inbox, create forwarding rules, and impersonate the account holder to redirect payments and execute invoice fraud. The kit was previously linked to campaigns targeting more than 56,000 corporate Microsoft 365 accounts between 2022 and 2023, compromising at least 8,000 of them across the US, UK, Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. Cracked versions of the W3LL source code have circulated in underground markets for years, meaning copies of the kit remain available to other threat actors independently of this takedown.

What was said

The FBI said in a statement that "the takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims' accounts." FBI Special Agent in Charge Marlo Graham called W3LL "a full-service cybercrime platform" and stated that "even after W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and actively marketed. From 2023 to 2024 alone, the phishing kit was used to target more than 17,000 victims worldwide."

In the know

The W3LL takedown follows a pattern of coordinated law enforcement action against PhaaS infrastructure. In early March 2026, Europol and Microsoft dismantled Tycoon 2FA, one of the largest PhaaS platforms documented to date, which had been used in attacks against Microsoft 365 and Gmail accounts across multiple sectors. Before that, Europol shut down LabHost, which provided phishing pages and live victim interaction tools for a monthly subscription fee averaging $249. Each takedown removes the central platform but not the capability already in operators' hands, a pattern the W3LL case reinforces directly: the operation survived the 2023 marketplace closure by migrating to encrypted messaging, and cracked source code continues to circulate independently of any enforcement action.

The big picture

W3LL operated as a subscription business selling phishing capability to non-technical actors at a price point comparable to commercial software. A kit that bypasses MFA, intercepts session cookies, and includes 16 additional BEC attack tools for $500 removes technical barriers entirely, allowing a much wider pool of actors to run sophisticated credential theft campaigns than would otherwise be possible. According to Paubox's Top 3 Healthcare Email Attacks report, phishing-driven mailbox takeovers exposed 630,000 individuals in healthcare in 2025, with credential-based breaches accounting for the largest share of exposed patient data. A platform like W3LL makes those attacks accessible to operators who could not otherwise build the infrastructure required to bypass MFA. Platforms that survive takedowns through rebranding and migration to encrypted messaging channels remain accessible even after law enforcement action, meaning the removal of the developer and infrastructure does not immediately neutralize capability already distributed to hundreds of operators.

FAQs

What is adversary-in-the-middle phishing, and why does it defeat standard MFA?

An AiTM attack proxies a victim's real login session through attacker-controlled infrastructure, capturing not just the username and password but also the session cookie that is issued after MFA is completed. The attacker uses that cookie to authenticate as the victim without needing to repeat the MFA step, meaning the protection that MFA provides is negated entirely.
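One defender-side consequence of the replay described above is that the same session cookie shows up from two different clients: the interactive login (seen coming from the proxy) and the attacker's later reuse, which never performs MFA. The following is an added example, not code from the article or from any vendor, that scans constructed sign-in records for exactly that pattern; the record layout and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime          # when the identity provider saw the request
    user: str
    session_id: str       # identifier of the session cookie presented
    ip: str
    user_agent: str
    mfa_completed: bool   # True only on the interactive login that passed MFA


# Constructed sample records (not real telemetry). Alice's cookie is issued to
# one client and presented minutes later from another host without an MFA
# step: the replay an AiTM proxy enables. Bob's cookie moves IP but keeps the
# same browser, which is what ordinary network roaming looks like.
EVENTS = [
    SignIn(datetime(2025, 1, 15, 9, 0), "alice@example.org", "sess-A1",
           "198.51.100.7", "Firefox/120.0 (Windows)", True),
    SignIn(datetime(2025, 1, 15, 9, 6), "alice@example.org", "sess-A1",
           "203.0.113.44", "Chrome/119.0 (Linux)", False),
    SignIn(datetime(2025, 1, 15, 10, 0), "bob@example.org", "sess-B7",
           "192.0.2.20", "Safari/17.0 (Macintosh)", True),
    SignIn(datetime(2025, 1, 15, 10, 45), "bob@example.org", "sess-B7",
           "198.51.100.200", "Safari/17.0 (Macintosh)", False),
]


def detect_session_replay(events, window=timedelta(hours=12)):
    """Return (user, session_id, ip) for each cookie that is presented from a
    different IP *and* user agent within `window` of its MFA-authenticated login.
    Requiring both to change keeps roaming devices out of the alert list; an
    attacker can copy a user agent, so treat this as a triage signal, not proof."""
    origin = {}   # session_id -> the sign-in that completed MFA for that cookie
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.mfa_completed:
            origin[e.session_id] = e
            continue
        first = origin.get(e.session_id)
        if first is None:
            continue  # no MFA login recorded for this cookie; out of scope here
        if (e.ip != first.ip and e.user_agent != first.user_agent
                and e.ts - first.ts <= window):
            alerts.append((e.user, e.session_id, e.ip))
    return alerts


if __name__ == "__main__":
    for user, sid, ip in detect_session_replay(EVENTS):
        print(f"possible cookie replay: {user} session {sid} from {ip}")
```

Because the cookie is what the attacker holds, revoking the affected user's sessions is the containment step that actually cuts off access; a password reset alone does not invalidate it.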

How does a phishing-as-a-service platform differ from a one-off phishing kit?

A PhaaS platform provides a managed subscription service including phishing templates, infrastructure, technical support, and updates, enabling buyers with no programming skills to run sophisticated attacks at scale. The provider collects a fee and often takes a cut of profits from successful fraud, creating an ongoing commercial incentive to maintain and improve the tooling.

Why did the W3LL operation continue after the store shut down in 2023?

Operators migrated to encrypted messaging platforms where the toolkit continued to be marketed and sold. The technical capability had already been distributed to hundreds of buyers, and cracked versions of the source code circulated separately, meaning the platform's closure removed the central marketplace but not the tools already in operators' hands.

What makes healthcare organizations particularly exposed to BEC attacks enabled by platforms like W3LL?

Healthcare organizations process high volumes of vendor invoices, insurance payments, and billing communications. BEC operators target this workflow by using compromised accounts to insert fraudulent payment instructions into established email threads, relying on the legitimacy of the hijacked account to bypass scrutiny. Healthcare's reliance on trusted vendor relationships and routine financial communications creates a predictable environment for invoice redirection fraud.
