FBI and Indonesia take down W3LL phishing platform, arrest developer
The FBI’s Atlanta Field Office partnered with Indonesian authorities to dismantle the W3LL phishing operation and arrest its alleged developer - the first joint US-Indonesia enforcement action targeting a phishing kit creator. The platform sold a $500 toolkit that let attackers clone corporate login portals and steal credentials at scale, with built-in adversary-in-the-middle capability to intercept MFA tokens and session cookies in real time.
The operation was more than a phishing kit - it included a full marketplace (W3LLSTORE) where compromised credentials and network access were traded. Authorities estimate over 25,000 accounts were sold between 2019 and 2023, and even after the storefront shut down, the developer continued distributing rebranded tools through encrypted channels. Between 2023 and 2024 alone, the kit was used against 17,000 additional victims.
W3LL had been previously tied to campaigns targeting Microsoft 365 corporate accounts, specifically enabling business email compromise. Attackers would use stolen session cookies to bypass MFA, monitor inboxes, set up mail rules, and impersonate victims to redirect payments - a textbook BEC pipeline from initial phish to financial fraud.
Continue reading at BleepingComputer. This is an AI-generated summary. Read the original for the full story.