Law enforcement agencies have successfully disrupted the **W3LL** phishing platform, a tool that enabled cybercriminals to create realistic fake websites for credential harvesting. ### International Cooperation Leads to Takedown The **FBI**'s Atlanta office announced the seizure of infrastructure supporting the phishing service. Simultaneously, the Indonesian National Police apprehended the individual believed to be the platform's developer, identified only as G.L., and confiscated crucial domains associated with **W3LL**. "This wasn’t just phishing — it was a full-service cybercrime platform," stated Marlo Graham, a special agent in charge at **FBI** Atlanta, highlighting the comprehensive nature of the threat. ### W3LL's Modus Operandi The **W3LL** platform allowed attackers to trick victims into entering their credentials into spoofed login portals. These stolen credentials were then used to bypass multi-factor authentication (MFA), granting cybercriminals persistent access to compromised accounts. The **FBI** revealed that the phishing kit was supported by an online marketplace called **W3LLSTORE**, which traded in compromised login details and remote desktop credentials. ### Scale of the Operation Between 2019 and 2023, **W3LLSTORE** reportedly advertised over 25,000 compromised accounts for sale, facilitating the theft of credentials and enabling fraud attempts exceeding $20 million. **Group IB** researchers reported that the platform catered to a closed community of at least 500 threat actors, offering a custom phishing kit called **W3LL Panel** designed to bypass MFA, along with 16 other tools for business email compromise (BEC) attacks. According to **Group-IB**, **W3LL**'s phishing tools targeted over 56,000 corporate **Microsoft 365** accounts in the USA, UK, Australia, and Europe between October 2022 and July 2023. The researchers estimate that **W3LL**'s earnings likely reached half a million dollars in the last 10 months of operation. ### Persistence and Evolution Despite the shutdown of **W3LLSTORE** in 2023, the platform continued to operate through encrypted messaging services. Cybercriminals continued marketing the tool, which was used in attacks targeting 17,000 victims globally between 2023 and 2024. ### Rise of Cyber-Enabled Fraud The **FBI** recently reported a surge in cyber-enabled fraud, accounting for the majority of losses reported to their Internet Crime Complaint Center (**IC3**) in 2025, with a staggering $17.6 billion stolen. This takedown follows the **FBI**'s recent actions against other cybercrime platforms, including **Leakbase** and the Russian marketplace **RAMP**. In December, the **FBI** also collaborated with Nigerian police to arrest a developer behind the **RaccoonO365** phishing kit, which, similar to **W3LLSTORE**, was used to create fake **Microsoft** login portals for credential harvesting.