Joint Operation Brings Down Notorious Phishing Infrastructure
A sophisticated phishing platform known as W3LL was disrupted on Friday following a coordinated operation between the FBI and law enforcement authorities in Indonesia. The takedown targeted infrastructure that had enabled cybercriminals to construct convincing fake login portals for as little as $500, providing an accessible entry point into large-scale credential theft.
The FBI's Atlanta field office announced that it had "identified and seized infrastructure facilitating the phishing service," while the Indonesian National Police arrested the alleged developer behind the platform and seized critical domains connected to its operations.
"This wasn't just phishing — it was a full-service cybercrime platform," said Marlo Graham, a special agent in charge at FBI Atlanta.
How W3LL Operated
At its core, W3LL was engineered to deceive victims into entering their credentials into fraudulent login portals. Once captured, those credentials were weaponized to bypass multifactor authentication, granting cybercriminals persistent access to compromised accounts.
Underpinning the platform was an online marketplace called W3LLSTORE, which offered stolen login credentials and remote desktop access for sale. Between 2019 and 2023, the platform advertised more than 25,000 compromised accounts, enabling criminals to steal thousands of victims' credentials and attempt more than $20 million in fraud.
Scale of the Threat: Group-IB Findings
Cyber intelligence firm Group-IB provided critical research that informed law enforcement's understanding of the platform's reach. According to the company, W3LL "served a closed community of at least 500 threat actors" who could purchase a custom phishing kit called W3LL Panel — specifically designed to bypass MFA — along with 16 other fully customized tools built for business email compromise (BEC) attacks.
Group-IB investigators determined that W3LL's phishing tools were used to target over 56,000 corporate Microsoft 365 accounts across the USA, UK, Australia, and Europe between October 2022 and July 2023. The company noted it had reported its findings to law enforcement as part of its ongoing cooperation.
Over a ten-month period, the researchers estimated that W3LL's earnings likely reached approximately half a million dollars.
Platform's Evolution After 2023
Although W3LLSTORE shut down in 2023, the platform did not disappear entirely. According to the FBI, cybercriminals continued marketing and distributing the tool through encrypted messaging platforms. Between 2023 and 2024, W3LL was used in attacks on an estimated 17,000 victims globally, demonstrating the resilience of cybercrime ecosystems even after marketplace closures.
The individual alleged to be behind the platform was identified by the FBI only as G.L. This person allegedly went beyond simply developing the tool, taking a hands-on role in collecting and reselling access to compromised accounts.
Broader Context: FBI Cybercrime Enforcement in 2026
The W3LL takedown fits into an intensifying pattern of FBI action against cybercrime infrastructure. Last week, the agency reported that cyber-enabled fraud accounted for the overwhelming majority of losses reported to its Internet Crime Complaint Center (IC3) in 2025, with a staggering $17.6 billion stolen.
So far in 2026, the FBI has brought down two major cybercrime forums:
- Leakbase — a subscription-based platform used for trading stolen data
- RAMP — a Russian-language cybercrime marketplace
Parallel Case: RaccoonO365 Phishing Kit
The W3LL operation echoes another recent enforcement action. In December, the FBI collaborated with Nigerian police to arrest one of the alleged developers behind the RaccoonO365 subscription phishing kit. Like W3LLSTORE, RaccoonO365 was designed to generate fake Microsoft login portals aimed at harvesting credentials and gaining unauthorized access to the email platforms of corporate, financial, and educational institutions.
Together, these cases underscore a growing law enforcement focus on dismantling phishing-as-a-service ecosystems that lower the barrier to entry for cybercriminals and enable fraud at industrial scale.
Source: The Record