FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts
Global Phishing Infrastructure Dismantled: FBI and Indonesian Police Take Down the W3LL Network
TL;DR
The FBI and Indonesian National Police have successfully dismantled the infrastructure of the W3LL phishing network, a global operation responsible for over $20 million in fraud attempts. The alleged developer, identified as "G.L," has been detained, and key domains have been seized. The operation targeted Microsoft 365 accounts using advanced Adversary-in-the-Middle (AitM) techniques to bypass multi-factor authentication (MFA).
A Global Strike Against Phishing-as-a-Service
In a significant blow to the cybercrime ecosystem, a joint operation between the U.S. Federal Bureau of Investigation (FBI) and the Indonesian National Police has deactivated the infrastructure supporting the W3LL phishing toolkit.
For years, W3LL served as a "full-service cybercrime platform," providing low-level threat actors with sophisticated tools to execute high-impact Business Email Compromise (BEC) attacks. According to FBI statements, the takedown successfully cuts off a primary resource that criminals used to gain unauthorized access to thousands of victim accounts worldwide.
The Rise of the W3LL Store
The W3LL operation was not merely a single tool but a comprehensive underground marketplace known as the W3LL Store. First documented by cybersecurity firm Group-IB in September 2023, the store served approximately 500 threat actors.
For a fee of roughly $500, criminals could purchase the "W3LL Panel," an all-in-one phishing kit. The storefront offered a suite of illicit services, including:
- Customized phishing tools.
- Targeted mailing lists.
- Access to compromised servers.
- Stolen credentials and Remote Desktop Protocol (RDP) access.
Between 2019 and 2023, the FBI estimates that more than 25,000 compromised accounts were sold through this illicit marketplace.
Technical Sophistication: Bypassing MFA
The W3LL toolkit was particularly dangerous due to its focus on Microsoft 365 credentials. Unlike basic phishing pages, W3LL utilized Adversary-in-the-Middle (AitM) techniques.
By acting as a proxy between the victim and the legitimate login portal, the kit could hijack session cookies. This allowed attackers to bypass Multi-Factor Authentication (MFA), effectively seizing control of accounts even when victims had secondary security measures in place.
Analysis from security firms Hunt.io and Sekoia further revealed the kit's influence; code from the W3LL Store was found reused in other phishing tools like "Sneaky 2FA," and cracked versions of the kit had been circulating within the criminal underworld for years.
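As an added illustration of the detection side (not code from the article, the FBI, or any of the firms it cites): a small heuristic over constructed sign-in events that flags a session established with MFA from one address and reused shortly afterwards from a different address without MFA, which is the trace an AitM cookie replay leaves in identity logs. The event field names are an assumed simplified schema, not the real Microsoft 365 sign-in log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real Microsoft 365 logs; the field names
# are an assumed simplified schema). An AitM kit proxies the login so the MFA
# step is completed once through the proxy; the captured session cookie is then
# replayed from the attacker's own address without any fresh MFA prompt.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "user": "alice@example.com", "session": "s-111", "ip": "203.0.113.10", "mfa": true}
{"ts": "2024-05-01T09:04:00Z", "user": "alice@example.com", "session": "s-111", "ip": "198.51.100.77", "mfa": false}
{"ts": "2024-05-01T10:00:00Z", "user": "bob@example.com", "session": "s-222", "ip": "203.0.113.20", "mfa": true}
{"ts": "2024-05-01T10:30:00Z", "user": "bob@example.com", "session": "s-222", "ip": "203.0.113.20", "mfa": false}
"""


def parse_events(text):
    """Parse newline-delimited JSON sign-in events, skipping blank lines, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_session_replays(events, window_minutes=30):
    """Flag a session token that was established with MFA from one IP and then
    reused from a different IP, without MFA, within window_minutes.
    Returns a list of (user, session, origin_ip, replay_ip) tuples."""
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for session, evs in by_session.items():
        mfa_events = [e for e in evs if e["mfa"]]
        if not mfa_events:
            continue  # no interactive MFA login to anchor on; nothing to compare against
        origin = mfa_events[0]  # the legitimate (proxied) login that satisfied MFA
        for e in evs:
            moved_ip = e["ip"] != origin["ip"]
            in_window = timedelta(0) <= e["ts"] - origin["ts"] <= window
            if moved_ip and not e["mfa"] and in_window:
                findings.append((e["user"], session, origin["ip"], e["ip"]))
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(parse_events(SAMPLE_LOG)):
        print("possible AitM cookie replay:", finding)
```

Bob's second event reuses the cookie from the same address, so it is treated as normal session continuation; only Alice's session, replayed from a new address four minutes after the MFA login, is flagged.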
The Developer and the Impact
The alleged mastermind behind the toolkit, identified by authorities as G.L, is believed to have been active in the cybercrime space since 2017. Before W3LL, G.L was linked to the development of bulk email spam tools such as PunnySender and W3LL Sender.
Despite the W3LL Store officially shutting down in 2023, the operation didn't stop. The FBI noted that the group migrated to encrypted messaging platforms, rebranding their tools to continue their campaign. Between 2023 and 2024 alone, the kit was used to target more than 17,000 victims globally.
"The developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme," the FBI stated.
Conclusion
The dismantling of the W3LL infrastructure represents a major victory for international law enforcement. By removing the developer and seizing the underlying domains, authorities have disrupted a supply chain that facilitated over $20 million in attempted fraud.
However, the history of W3LL—migrating from web stores to encrypted apps—serves as a reminder of the resilience of cybercrime syndicates. Organizations are encouraged to remain vigilant, particularly regarding Microsoft 365 security and the evolving nature of AitM phishing attacks.
Source: https://thehackernews.com/2026/04/fbi-and-indonesian-police-dismantle.html