
FBI and Indonesian authorities dismantle W3LL phishing platform, arrest developer

The FBI Atlanta Field Office and Indonesian The W3LL Store operated as both a phishing kit marketplace and a platform for buying and selling stolen credentials, enabling cybercriminals to attempt more than $20 million in fraud. The phishing kit sold for $500 and allowed attackers to create convincing replicas of corporate login portals. It captured authentication session tokens, enabling attackers to

The W3LLSTORE marketplace facilitated the sale of more than 25,000 compromised accounts between 2019 and 2023, according to investigators. After the marketplace was shut down, the operation continued through encrypted messaging platforms, where the toolkit was rebranded and sold to other threat actors. Between 2023 and 2024, the phishing kit was used to target more than 17,000 victims worldwide, and the developer collected and resold access to compromised accounts.

FBI Special Agent in Charge Marlo Graham called the operation a "full-service cybercrime platform."

The platform was linked to campaigns targeting Microsoft 365 corporate accounts and was designed to support business email compromise attacks. Using adversary-in-the-middle techniques, attackers proxied legitimate login portals through their own infrastructure, intercepting credentials, one-time passcodes, and session cookies in real time to commit invoice fraud and redirect payments.

Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.