The FBI Atlanta Field Office and Indonesian authorities have dismantled the "W3LL" global phishing platform, seizing infrastructure and arresting the alleged developer in what is described as the first coordinated enforcement action between the United States and Indonesia targeting a phishing kit developer.

The W3ll Store was a phishing kit and online marketplace that enabled cybercriminals to steal thousands of credentials and attempt more than $20 million in fraud. 

"This Website Has Been Seized as part of a coordinated law enforcement action taken against W3LL STORE," reads a seizure message on w3ll[.]store website.

"The domain for w3ll.store has been seized by the Federal Bureau of Investigation in accordance with a seizure warrant issued pursuant to 18 U.S.C. §§ 981 and 982 by the United States District Court for the Northern District of Georgia as part of a joint law enforcement action by the Federal Bureau of Investigation."

The W3LL phishing kit sold for $500 and allowed attackers to create convincing replicas of corporate login portals to harvest credentials.  The kit allowed threat actors to capture authentication session tokens, enabling attackers to bypass multi-factor authentication and gain access to compromised accounts.

The threat actor also offered a marketplace called W3LLSTORE, where stolen credentials and unauthorized network access were bought and sold. 

"This wasn't just phishing—it was a full-service cybercrime platform," said FBI Special Agent Charge Marlo Graham. 

Authorities say the marketplace facilitated the sale of more than 25,000 compromised accounts between 2019 and 2023, and even after W3LLSTORE shut down, the operation continued through encrypted messaging platforms, where the toolkit was rebranded and sold to other threat actors.

Between 2023 and 2024, the phishing kit was used to target more than 17,000 victims worldwide, with investigators finding that the developer collected and resold access to compromised accounts. 

The W3LL phishing platform was previously linked to campaigns targeting Microsoft 365 corporate accounts and was designed to support business email compromise (BEC) attacks from initial access through post-exploitation.

The phishing kit relied on adversary-in-the-middle attacks, which is when legitimate login portals are proxied through an attacker's infrastructure.

This allows the threat actors to monitor for and intercept credentials, one-time MFA passcodes, and session cookies in real time. These session cookies could then be used to log into the compromised accounts without triggering MFA authentication challenges.

Once access was obtained, attackers would monitor inboxes, create email rules, and impersonate victims to commit invoice fraud and redirect payments in BEC attacks.