FBI and Indonesian Authorities Dismantle Global Phishing Platform 'W3LL'
The **FBI**'s Atlanta Field Office, in collaboration with Indonesian authorities, has taken down the global phishing platform known as "**W3LL**." This coordinated effort marks the first joint enforcement action between the U.S. and Indonesia targeting a phishing kit developer, disrupting a significant cybercrime operation.

The **W3LL** Store, a notorious phishing kit and online marketplace, facilitated the theft of thousands of credentials and enabled over $20 million in attempted fraud. The takedown involved seizing infrastructure and arresting the alleged developer.
### Website Seizure
The website w3ll[.]store now displays a seizure message: "This Website Has Been Seized as part of a coordinated law enforcement action taken against **W3LL** STORE." The domain was seized by the **FBI** under a warrant issued by the United States District Court for the Northern District of Georgia.

*Seizure banner shown on the **W3LL** Store site. Source: BleepingComputer*
### W3LL Phishing Kit Details
The **W3LL** phishing kit, priced at $500, allowed cybercriminals to create convincing replicas of corporate login portals to harvest credentials. A key feature was its ability to capture authentication session tokens, effectively bypassing multi-factor authentication (MFA) and granting access to compromised accounts.

*W3LL Store and W3LL Panel administration. Source: Group-IB*
### Marketplace for Stolen Credentials
The **W3LLSTORE** marketplace served as a hub for buying and selling stolen credentials and unauthorized network access. According to authorities, over 25,000 compromised accounts were traded between 2019 and 2023.

"This wasn't just phishing—it was a full-service cybercrime platform," stated **FBI** Special Agent in Charge Marlo Graham.

Even after the shutdown of **W3LLSTORE**, the operation continued through encrypted messaging platforms, where the toolkit was rebranded and sold to other threat actors. Between 2023 and 2024, the phishing kit targeted over 17,000 victims worldwide, with the developer actively collecting and reselling access to compromised accounts.
### Targeting Microsoft 365 and BEC Attacks
The **W3LL** phishing platform had been previously linked to campaigns targeting **Microsoft 365** corporate accounts and was designed to facilitate business email compromise (BEC) attacks from initial access to post-exploitation activities.
### Adversary-in-the-Middle Attacks
The phishing kit employed adversary-in-the-middle (AitM) attacks, proxying legitimate login portals through the attacker's infrastructure. This allowed threat actors to monitor and intercept credentials, one-time MFA passcodes, and session cookies in real time.

The stolen session cookies enabled attackers to log into compromised accounts without triggering MFA challenges. Once inside, attackers would monitor inboxes, create email rules, and impersonate victims to commit invoice fraud and redirect payments in BEC attacks.
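
For defenders, the sequence described above (a proxied MFA login, a reused session cookie, then an inbox rule) can be hunted by grouping audit events by session. The following is an added example, not from the original article or any vendor: the event schema, the action names and the per-user baseline of known IPs are all constructed assumptions.

```python
# Constructed, normalized audit events (hypothetical schema, not a real product's log format).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice@example.com", "s-1", "203.0.113.77", "login_mfa"),
    ("2024-03-01T09:04:00", "alice@example.com", "s-1", "198.51.100.23", "mail_read"),
    ("2024-03-01T09:06:00", "alice@example.com", "s-1", "198.51.100.23", "inbox_rule_created"),
    ("2024-03-01T10:00:00", "bob@example.com", "s-2", "192.0.2.5", "login_mfa"),
    ("2024-03-01T10:30:00", "bob@example.com", "s-2", "192.0.2.5", "inbox_rule_created"),
    ("2024-03-01T11:00:00", "carol@example.com", "s-3", "192.0.2.9", "login_mfa"),
    ("2024-03-01T11:20:00", "carol@example.com", "s-3", "203.0.113.80", "mail_read"),
]
# Constructed baseline: IPs each user has signed in from before.
KNOWN_IPS = {
    "alice@example.com": {"192.0.2.44"},
    "bob@example.com": {"192.0.2.5"},
    "carol@example.com": {"192.0.2.9"},
}

def find_suspect_sessions(events, known_ips):
    """Group events by session and flag the AitM / token-replay pattern."""
    sessions = {}
    for when, user, sid, ip, action in sorted(events):
        s = sessions.setdefault(sid, {"user": user, "login_ip": None, "ips": set(), "rule": False})
        s["ips"].add(ip)
        if action == "login_mfa" and s["login_ip"] is None:
            s["login_ip"] = ip
        elif action == "inbox_rule_created":
            s["rule"] = True
    findings = []
    for sid, s in sorted(sessions.items()):
        reasons = []
        # In AitM the proxy performs the login, so the MFA sign-in arrives from an unfamiliar IP.
        if s["login_ip"] and s["login_ip"] not in known_ips.get(s["user"], set()):
            reasons.append("mfa_login_from_unknown_ip")
        # A session cookie presented from a second address suggests it was copied and replayed.
        if len(s["ips"]) > 1:
            reasons.append("session_used_from_multiple_ips")
        if not reasons:
            continue
        # Rule creation inside such a session matches the BEC follow-up; roaming alone stays low.
        severity = "high" if s["rule"] else "low"
        findings.append({"session": sid, "user": s["user"], "severity": severity, "reasons": reasons})
    return findings
```

An IP change on its own is common for mobile and VPN users, which is why the example only raises severity when rule creation occurs in the same session.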