FBI and Indonesian Police Dismantle W3LL Phishing Infrastructure, Arrest Alleged Developer
The **FBI**, in collaboration with the Indonesian National Police, has disrupted a global phishing operation powered by the **W3LL** toolkit. This action led to the arrest of the alleged developer and the seizure of key domains, effectively neutralizing a significant resource used by cybercriminals.

### International Cooperation Leads to Phishing Infrastructure Takedown
The U.S. **Federal Bureau of Investigation (FBI)**, working with the Indonesian National Police, has dismantled the infrastructure of a global phishing operation. The operation used an off-the-shelf toolkit called **W3LL** to steal account credentials and attempt more than $20 million in fraud.
Authorities have also detained the alleged developer, identified as G.L., and seized crucial domains associated with the phishing scheme. According to an **FBI** statement, "The takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims' accounts."

### W3LL Phishing Kit: A Cybercrime Platform
The **W3LL** phishing kit enabled criminals to create realistic replicas of legitimate login pages, tricking victims into divulging their credentials and allowing attackers to seize control of their accounts. This kit was reportedly sold for around $500.
"This wasn't just phishing - it was a full-service cybercrime platform," stated **FBI** Atlanta Special Agent in Charge Marlo Graham. "We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public."

### The W3LL Store and its Impact
**Group-IB** first documented **W3LL** in September 2023, detailing the operators' use of the **W3LL Store**, an underground marketplace serving approximately 500 threat actors. This marketplace allowed them to purchase access to the **W3LL** Panel phishing kit and other cybercrime tools for business email compromise (BEC) attacks.
**W3LL** was described as an all-in-one phishing platform offering custom tools, mailing lists, and access to compromised servers. The threat actor behind this service is believed to have been active since 2017, previously developing bulk email spam tools like PunnySender and **W3LL** Sender.
According to the **FBI**, the **W3LL Store** also facilitated the sale of stolen credentials and unauthorized system access, including remote desktop connections. It is estimated that over 25,000 compromised accounts were peddled in the storefront between 2019 and 2023.

### Technical Details and Persistence
**Hunt.io** noted in a March 2024 report that **W3LL** primarily targeted **Microsoft 365** credentials, using adversary-in-the-middle (AitM) techniques to hijack session cookies and bypass multi-factor authentication.
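
For defenders, the session-cookie hijacking described above leaves a recognizable trace: one session identifier that shows up from a second client after sign-in. The following detection sketch is an added example, not code from the FBI, Hunt.io or any vendor; the log schema, field names and sample events are constructed assumptions, not a real Microsoft 365 log format.

```python
import json

# Constructed sample events, one JSON object per line (hypothetical schema).
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00Z","user":"alice@example.com","session":"s-1001","ip":"198.51.100.10","ua":"Edge/122 Windows"}
{"ts":"2024-03-01T09:04:10Z","user":"alice@example.com","session":"s-1001","ip":"203.0.113.77","ua":"python-requests/2.31"}
{"ts":"2024-03-01T09:04:55Z","user":"alice@example.com","session":"s-1001","ip":"203.0.113.77","ua":"python-requests/2.31"}
{"ts":"2024-03-01T10:00:00Z","user":"bob@example.com","session":"s-2002","ip":"192.0.2.5","ua":"Safari/17 iOS"}
{"ts":"2024-03-01T10:30:00Z","user":"bob@example.com","session":"s-2002","ip":"192.0.2.99","ua":"Safari/17 iOS"}
not-json garbage line
"""
REQUIRED = ("ts", "user", "session", "ip", "ua")

def parse_events(text):
    """Parse JSON lines, skipping malformed or incomplete records."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and all(k in ev for k in REQUIRED):
            events.append(ev)
    # Same-format UTC ISO 8601 strings sort chronologically as text.
    return sorted(events, key=lambda e: e["ts"])

def find_session_replay(events):
    """Flag a session ID that reappears with a different IP AND user agent."""
    origin, seen, alerts = {}, set(), []
    for ev in events:
        first = origin.setdefault(ev["session"], ev)
        key = (ev["session"], ev["ip"], ev["ua"])
        # An IP change alone is common (roaming clients); require both to change.
        if ev["ip"] != first["ip"] and ev["ua"] != first["ua"] and key not in seen:
            seen.add(key)
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "origin_ip": first["ip"], "replay_ip": ev["ip"],
                           "replay_ua": ev["ua"], "ts": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(parse_events(SAMPLE_LOG)):
        print(alert)
```

The roaming session in the sample (same user agent, new IP) is deliberately not flagged, and repeated hits from the same replaying client produce a single alert.
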
French security company **Sekoia**, in its analysis of the **Sneaky 2FA** phishing kit, revealed that the tool reused code from the **W3LL Store** syndicate. Cracked versions of **W3LL** have also circulated in recent years.
Despite the **W3LL Store** shutting down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and actively marketed. From 2023 to 2024 alone, the phishing kit targeted over 17,000 victims worldwide.
The **FBI** emphasized that "The developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme."