FBI, Indonesian police dismantle W3LL phishing network that stole 17,000 accounts
A $500 phishing kit let criminals mimic Microsoft 365 logins, steal MFA codes and hit more than 17,000 victims worldwide before a U.S.-Indonesia takedown.

A phishing kit sold for about $500 helped cybercriminals steal passwords, multi-factor authentication codes and session data from more than 17,000 victims worldwide, driving more than $20 million in attempted fraud before authorities moved to shut it down. The FBI Atlanta Field Office and Indonesian National Police said they dismantled the W3LL network on April 10, detained the alleged developer, identified only as G.L., and seized infrastructure tied to the operation in what the bureau called the first coordinated action against a phishing kit developer between the United States and Indonesia.
The scheme worked because it did not stop at fake login screens. Investigators said W3LL was built to imitate legitimate Microsoft 365 pages, capture usernames and passwords, and then harvest the session data issued after a successful login, which let attackers bypass multi-factor authentication. That approach reflects a broader shift in credential theft: attackers no longer need to defeat MFA directly if they can steal the authenticated session once the user has completed it, because the service accepts the stolen session cookie as proof that the login already happened. W3LL also operated through W3LLSTORE, a marketplace that allegedly facilitated the sale of more than 25,000 compromised accounts between 2019 and 2023 and kept operating through encrypted messaging platforms after a 2023 shutdown.
Group-IB first documented W3LL in September 2023 and said the operator behind it had likely been active since at least 2017. Across 2023 and 2024 the toolkit was used against a global pool of targets, with more than 17,000 victims identified. The scale mattered because the kit lowered the barrier to entry for criminals: anyone willing to pay the fee could buy a ready-made service for impersonating Microsoft 365, intercepting credentials and extracting sessions that looked like an ordinary signed-in user to the services receiving them.

Marlo Graham, the FBI Atlanta Special Agent in Charge, called W3LL a “full-service cybercrime platform” and said the bureau would keep working with domestic and foreign partners to protect the public. The takedown cuts off a major resource for attackers, but it does not undo the damage already done: compromised accounts, reused passwords and stolen session tokens may still be circulating.
For businesses and ordinary users, the warning signs are blunt: treat unexpected login pages, repeated sign-in prompts and requests that do not match a normal Microsoft 365 workflow as potential theft attempts. Security teams should move away from password-based trust and adopt phishing-resistant authentication such as FIDO2 security keys or passkeys, which bind the credential to the legitimate origin so that a look-alike page cannot complete the login. They should also revoke active sessions after a suspected compromise, since a stolen session cookie remains valid until it expires or is revoked, and review sign-in logs for sessions used from networks or clients that do not match the sign-in that created them. The W3LL case shows how cheaply credential theft can be industrialized, and how much exposure remains when MFA relies on codes that criminals can relay in real time.
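One way to act on the last two pieces of advice, reviewing sign-in logs for session misuse and deciding whose sessions to revoke, is sketched below. This is an added example written for this page, not code from the article, the FBI, Group-IB or Microsoft. The log records, the user baseline and the field names (`session_id`, `interactive`, `mfa`, and so on) are constructed for the example; real Entra ID sign-in logs carry different field names and many more fields, so the record shape is an assumption to be mapped onto whatever the tenant exports.

```python
"""Flag Microsoft 365 sign-ins that look like replay of a stolen session.

Added example; not code from the article, the FBI, Group-IB or Microsoft.
It assumes a simplified, constructed record shape (fields below). Real
Entra ID sign-in logs use different field names and carry many more fields.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records. Each dict is one sign-in event: "interactive" means the
# user typed credentials, "mfa" means MFA was satisfied during that event.
SAMPLE_SIGNINS = [
    # alice: interactive MFA login from her usual office address creates session s-1001 ...
    {"time": "2024-03-04T09:02:11Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.10", "country": "US", "user_agent": "Edge/122", "interactive": True, "mfa": True},
    {"time": "2024-03-04T09:03:40Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.10", "country": "US", "user_agent": "Edge/122", "interactive": False, "mfa": False},
    # ... and minutes later the same session is used from another country with a scripting client.
    {"time": "2024-03-04T09:07:05Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "198.51.100.77", "country": "NL", "user_agent": "python-requests/2.31", "interactive": False, "mfa": False},
    # bob: normal activity, all from one address.
    {"time": "2024-03-04T10:15:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "192.0.2.5", "country": "US", "user_agent": "Chrome/122", "interactive": True, "mfa": True},
    {"time": "2024-03-04T10:20:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "192.0.2.5", "country": "US", "user_agent": "Chrome/122", "interactive": False, "mfa": False},
    # carol: the MFA login itself arrives from an address she has never used. In an
    # adversary-in-the-middle flow the phishing proxy relays the password and OTP, so the
    # identity provider records the proxy's address, not the victim's.
    {"time": "2024-03-04T11:00:00Z", "user": "carol@example.com", "session_id": "s-3003",
     "ip": "198.51.100.77", "country": "NL", "user_agent": "Chrome/122", "interactive": True, "mfa": True},
    {"time": "2024-03-04T11:01:30Z", "user": "carol@example.com", "session_id": "s-3003",
     "ip": "198.51.100.77", "country": "NL", "user_agent": "Chrome/122", "interactive": False, "mfa": False},
]

# Constructed baseline: egress addresses each user is known to sign in from.
KNOWN_EGRESS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"192.0.2.5"},
    "carol@example.com": {"203.0.113.10"},
}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_session_replays(records, known_egress, window=timedelta(hours=24)):
    """Return findings for sessions that were created by an MFA sign-in and then used
    from a different network, plus MFA sign-ins that came from an unknown network."""
    by_session = {}
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        by_session.setdefault((rec["user"], rec["session_id"]), []).append(rec)

    findings = []
    for (user, session_id), events in by_session.items():
        # The anchor is the interactive sign-in that satisfied MFA and minted the session.
        anchor = next((e for e in events if e["interactive"] and e["mfa"]), None)
        if anchor is None:
            continue  # session predates the log window; nothing to compare against
        anchor_time = parse_time(anchor["time"])

        # Signal 1 (weak on its own; travel and mobile networks also trigger it): the MFA
        # sign-in did not come from any address this user is known to use.
        if anchor["ip"] not in known_egress.get(user, set()):
            findings.append({"kind": "mfa_from_unknown_network", "user": user,
                             "session_id": session_id, "ip": anchor["ip"], "time": anchor["time"]})

        # Signal 2 (strong): the same session is later used from a different address AND a
        # different country or client. Requiring both avoids paging on ordinary IP churn.
        for e in events:
            if e is anchor:
                continue
            t = parse_time(e["time"])
            if not anchor_time <= t <= anchor_time + window:
                continue
            if e["ip"] != anchor["ip"] and (e["country"] != anchor["country"]
                                           or e["user_agent"] != anchor["user_agent"]):
                findings.append({"kind": "session_reuse_from_new_network", "user": user,
                                 "session_id": session_id, "ip": e["ip"], "time": e["time"]})
    return findings


def revocation_targets(findings):
    """Users whose sessions should be revoked, as a sorted list for an analyst queue."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    found = find_session_replays(SAMPLE_SIGNINS, KNOWN_EGRESS)
    for f in found:
        print(f"{f['time']} {f['kind']:<32} {f['user']} session={f['session_id']} ip={f['ip']}")
    print("revoke sessions for:", ", ".join(revocation_targets(found)))
```

On the constructed input this flags alice's session (the cookie minted by her MFA login is replayed from another country by a scripting client) and carol's login (MFA satisfied from a network she has never used, the pattern a relaying phishing proxy leaves). In Entra ID the revoke step for each flagged user is `Revoke-MgUserSignInSession -UserId <upn>` from the Microsoft Graph PowerShell module, or `POST /users/{id}/revokeSignInSessions` against the Graph API; that invalidates refresh tokens and browser session cookies, but access tokens already issued keep working until they expire, so revocation should be paired with a password reset rather than treated as sufficient on its own.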
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.

