An international operation, coordinated between the FBI Atlanta Field Office and Indonesian law enforcement agencies has led to a taken down of a major phishing infrastructure that enabled cybercriminals worldwide to steal credentials and attempt fraud exceeding $20 million.

The crackdown targeted a cybercrime ecosystem built around the “W3LL phishing kit,” a tool designed to replicate legitimate login pages and harvest user credentials at scale. Authorities say the platform allowed attackers to compromise thousands of accounts and carry out widespread financial fraud.

More Than a Phishing Tool

Investigators describe W3LL not as a single piece of malware, but as a fully developed “phishing-as-a-service” operation. For a relatively low cost of around $500, cybercriminals could purchase access to the kit and launch highly convincing phishing campaigns with minimal technical expertise.

The service was supported by an underground marketplace known as W3LLSTORE, where stolen credentials were bought and sold. Between 2019 and 2023, more than 25,000 compromised accounts were traded through the platform.

Even after the marketplace was shut down, the operation continued through private and encrypted channels, allowing it to evolve and remain active.

Also read: New Phishing Kit ‘FishXProxy’ Aims To Be ‘Ultimate Powerful Phishing Kit’

Built for Corporate Account Takeovers

According to research by Group-IB, the W3LL ecosystem was specifically designed to target corporate environments, particularly business email systems such as Microsoft 365.

The toolkit included a range of capabilities beyond simple phishing pages, forming an end-to-end attack chain. These included tools for:

• Sending large-scale phishing emails
• Harvesting and validating email accounts
• Hosting malicious infrastructure
• Managing stolen credentials

Group-IB estimates that around 500 threat actors were actively using W3LL tools, turning the platform into a structured cybercrime network rather than a loose collection of attackers.

Bypassing Multi-Factor Authentication

One of the most dangerous aspects of the W3LL kit was its use of adversary-in-the-middle (AitM) techniques. This allowed attackers to intercept login sessions in real time, capturing not just usernames and passwords but also authentication tokens.

As a result, even accounts protected by multi-factor authentication (MFA) could be compromised, giving attackers persistent access to corporate systems.

Security researchers say this capability made W3LL particularly effective in business email compromise (BEC) attacks—one of the most financially damaging forms of cybercrime today.

Global Scale and Impact

The phishing kit was used in attacks targeting organizations across multiple industries, including finance, healthcare, manufacturing, and IT services.

Data suggests that tens of thousands of corporate accounts were targeted globally, with a significant concentration of victims in the United States, followed by Europe and Australia.

Between 2023 and 2024 alone, the infrastructure was linked to more than 17,000 phishing attempts worldwide.

Arrest and Infrastructure Seizure

As part of the operation, authorities seized domains and infrastructure used to distribute the phishing kit and facilitate credential theft. Indonesian police also detained the suspected developer behind the platform, identified only as “G.L.”

Officials say this marks a significant step in targeting not just users of cybercrime tools, but the developers who enable large-scale attacks.