FBI and Indonesian Police Dismantle W3LL Phishing Platform Behind $20M in MFA-Bypass Fraud

The FBI Atlanta Field Office and Indonesia's National Police have dismantled the W3LL phishing-as-a-service platform, arresting its alleged developer and seizing domains used in a global credential-theft and MFA-bypass operation. W3LL targeted over 17,000 victims in Microsoft 365 environments, capturing not just passwords but session tokens that allowed attackers to bypass multi-factor authentication.

Tags: phishing, mfa-bypass, microsoft-365, adversary-in-the-middle, law-enforcement, credential-theft, session-hijacking

In the first coordinated enforcement action between the United States and Indonesia targeting a phishing kit developer, the FBI Atlanta Field Office and the Indonesian National Police have dismantled the W3LL phishing-as-a-service platform. The operation resulted in the arrest of the platform’s alleged developer, known as G.L., and the seizure of infrastructure underpinning a global credential theft operation that attempted over $20 million in fraud across thousands of victims.

How W3LL Worked

W3LL was not a simple phishing kit. It was a full-service cybercrime platform sold primarily through encrypted messaging channels for approximately $500, giving buyers everything needed to conduct sophisticated adversary-in-the-middle phishing attacks against Microsoft 365 environments.

The platform’s key capability was its MFA bypass mechanism. Rather than simply capturing a username and password, W3LL deployed a reverse proxy between the victim and the legitimate Microsoft login page. The victim typed their credentials and completed MFA against the real Microsoft service, relayed through the proxy, and the kit captured both the password and the session token Microsoft issued at the end of that login. That token gave the attacker full authenticated access to the Microsoft 365 account, with no further MFA prompt, for any MFA method that is not bound to the origin the user is actually talking to.

This technique, adversary-in-the-middle (AiTM) phishing, defeats time-based one-time passwords (TOTP), SMS codes and authenticator push prompts because the proxy never has to forge the second factor: the victim’s own code or approval completes a legitimate login with Microsoft, and the proxy simply reads the session cookie that comes back. FIDO2/WebAuthn credentials resist it because the browser writes the page’s origin into the signed assertion, so an assertion produced on the proxy’s domain is not valid for login.microsoftonline.com.
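To make the difference concrete, here is an added message-level model of the relay described above (my own example, not W3LL’s code and not Microsoft’s). A toy identity provider accepts either a TOTP code or a WebAuthn assertion and issues a session cookie; an AiTM proxy relays each in turn. The hosts, keys and codes are constructed, and the authenticator’s signature is modelled with HMAC over the same bytes a FIDO2 authenticator signs (authenticatorData || SHA-256(clientDataJSON)); ECDSA is not needed to show the origin check.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.test"    # constructed stand-in for the real IdP
PROXY_ORIGIN = "https://login.examp1e.test"   # constructed lookalike served by the AiTM proxy


class IdentityProvider:
    """Minimal IdP: accepts a TOTP code or a WebAuthn assertion, then issues a session cookie."""

    def __init__(self, origin):
        self.origin = origin
        self.rp_id = origin.split("//", 1)[1]
        self.totp_codes = {}      # user -> currently valid code (constructed)
        self.webauthn_keys = {}   # user -> HMAC key standing in for the credential public key
        self.sessions = {}        # cookie -> user

    def register_totp(self, user, code):
        self.totp_codes[user] = code

    def register_webauthn(self, user, key):
        self.webauthn_keys[user] = key

    def challenge(self):
        return secrets.token_hex(16)

    def login_totp(self, user, code):
        # A relayed code is indistinguishable from one typed on the real page.
        if self.totp_codes.get(user) != code:
            return None
        return self._issue(user)

    def login_webauthn(self, user, challenge, client_data_json, auth_data, signature):
        client_data = json.loads(client_data_json)
        # Origin binding: the browser, not the page, writes the origin into
        # clientDataJSON, and the authenticator's signature covers that JSON.
        if client_data.get("origin") != self.origin:
            return None
        if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != challenge:
            return None
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return None
        signed = auth_data + hashlib.sha256(client_data_json.encode()).digest()
        expected = hmac.new(self.webauthn_keys[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue(user)

    def _issue(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        """Whoever presents the cookie is the user: this is what the proxy steals."""
        return self.sessions.get(cookie)


class Authenticator:
    """Security key / passkey: signs authData || SHA-256(clientDataJSON) for whatever origin the browser reports."""

    def __init__(self, key):
        self.key = key

    def get_assertion(self, browser_origin, rp_id, challenge):
        client_data_json = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}, sort_keys=True
        )
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json.encode()).digest()
        return client_data_json, auth_data, hmac.new(self.key, signed, hashlib.sha256).digest()


def aitm_totp(idp, user, code):
    """Proxy forwards the victim's TOTP code unchanged and receives the cookie."""
    return idp.login_totp(user, code)


def aitm_webauthn(idp, user, authenticator):
    """Proxy forwards the IdP's challenge; the victim's browser signs for PROXY_ORIGIN."""
    challenge = idp.challenge()
    rp_id = PROXY_ORIGIN.split("//", 1)[1]   # a browser only permits an RP ID matching the page it is on
    cdj, auth_data, sig = authenticator.get_assertion(PROXY_ORIGIN, rp_id, challenge)
    return idp.login_webauthn(user, challenge, cdj, auth_data, sig)


def aitm_webauthn_tampered(idp, user, authenticator):
    """Proxy rewrites the origin field before forwarding; the RP ID hash and the signature still reject it."""
    challenge = idp.challenge()
    cdj, auth_data, sig = authenticator.get_assertion(PROXY_ORIGIN, PROXY_ORIGIN.split("//", 1)[1], challenge)
    return idp.login_webauthn(user, challenge, cdj.replace(PROXY_ORIGIN, REAL_ORIGIN), auth_data, sig)


def legitimate_webauthn(idp, user, authenticator):
    """Same authenticator on the real page: the assertion verifies and a cookie is issued."""
    challenge = idp.challenge()
    cdj, auth_data, sig = authenticator.get_assertion(REAL_ORIGIN, idp.rp_id, challenge)
    return idp.login_webauthn(user, challenge, cdj, auth_data, sig)
```

Running `aitm_totp` yields a cookie that `whoami` resolves to the victim, which is the W3LL outcome; `aitm_webauthn` and `aitm_webauthn_tampered` both return `None`, while `legitimate_webauthn` with the same key succeeds. The proxy can relay a code but cannot relay an assertion, because the origin it was made on is inside the signed data.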

Scale and Timeline

From 2023 to 2024 alone, W3LL was used to target more than 17,000 victims. The marketplace facilitated the sale of over 25,000 compromised accounts between 2019 and 2023. Even after the W3LLSTORE marketplace was shut down in a previous action, the operation continued through encrypted channels, with the toolkit rebranded and re-sold to other threat actors.

The development team provided customer support, regular updates to evade detection by Microsoft’s anti-phishing filters, and customisable templates impersonating dozens of brands beyond Microsoft.

Why This Matters for Enterprise Security Teams

The W3LL takedown is significant, but the platform’s capabilities represent a standard feature set that multiple competing phishing kits now offer. AiTM phishing that bypasses TOTP and SMS MFA is no longer an advanced technique — it is the commodity-level baseline for enterprise-targeted credential theft operations in 2026.

Specific implications:

  • TOTP and SMS MFA do not protect against AiTM phishing. An employee who completes MFA on a phishing page that proxies the real site still loses their session. Phishing-resistant methods, FIDO2/WebAuthn security keys and passkeys (and, in Microsoft’s terms, Windows Hello for Business and certificate-based authentication), are the controls that technically resist AiTM, because the credential is bound to the origin the browser is actually talking to and a proxy on another domain cannot complete the login. They stop the initial token theft; they do nothing for a cookie stolen by other means after login, which is what session controls are for.
  • Conditional Access policies must be calibrated for session risk. Requiring a compliant or managed device, shortening sign-in frequency for sensitive applications and enforcing re-authentication for high-sensitivity actions limit the useful lifetime and reach of a stolen session.
  • $500 is the entry cost for a capable phishing operation. The economics of credential theft remain highly favourable to attackers.

Recommended actions:

  1. Evaluate your MFA stack against AiTM capability. TOTP apps, SMS codes and push approvals can be relayed; FIDO2/WebAuthn passkeys and hardware security keys cannot. Begin migration planning for privileged accounts and high-risk user populations, and use an authentication strength policy so those accounts cannot fall back to a weaker method.
  2. Deploy Microsoft Entra ID’s Conditional Access token protection where available. It cryptographically binds sign-in session (refresh) tokens to the device, so a stolen token cannot be replayed from another machine. Check its current scope before relying on it: at the time of writing it covers supported native clients on Windows and not browser session cookies, which are exactly what an AiTM proxy captures, so it complements rather than replaces phishing-resistant MFA.
  3. Alert on session anomalies after MFA. The AiTM replay pattern is a successful MFA sign-in from the victim’s usual network followed within minutes by activity on the same account from a different IP, ASN or country, often with a different user agent. Configure your SIEM or identity platform to correlate these rather than alerting on location alone, and treat a match as an active session hijack: revoke sessions and refresh tokens, not just reset the password.
  4. Prioritise finance, HR and executive teams for the phishing-resistant MFA rollout and brief them on why. They are the targets most likely to be financially valuable to attackers using platforms like W3LL, and awareness training alone cannot be expected to catch a proxied page that looks and behaves exactly like the real one.
  5. Update email security rules to flag or quarantine emails containing login links to domains registered in the last 30 days, particularly those mimicking Microsoft or cloud authentication pages. Domain age is a heuristic, not a control: kits are also hosted on compromised legitimate sites and free hosting, so do not treat an older domain as safe.
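As an added example of the correlation behind the session-anomaly recommendation (my own code, not the article’s and not a Microsoft product rule), the following runs over constructed sign-in records. The field names follow the Microsoft Entra sign-in log schema (`userPrincipalName`, `createdDateTime`, `ipAddress`, `autonomousSystemNumber`, `location`, `userAgent`, `authenticationRequirement`, `status.errorCode`), but the log lines themselves are made up, and the 60-minute window is an assumed tuning value.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # assumed: how long after MFA a network change is suspicious

# Constructed sign-in records as JSON lines, not real telemetry.
# victim@: MFA sign-in from GB/AS64500, then session use 3 minutes later from NL/AS64510.
# colleague@: MFA sign-in, then a second IP in the same ASN and country (benign roaming).
SAMPLE_LOG = """
{"userPrincipalName":"victim@example.test","createdDateTime":"2026-02-03T09:02:11Z","ipAddress":"203.0.113.10","autonomousSystemNumber":64500,"location":{"countryOrRegion":"GB"},"userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/122.0","authenticationRequirement":"multiFactorAuthentication","isInteractive":true,"status":{"errorCode":0}}
{"userPrincipalName":"victim@example.test","createdDateTime":"2026-02-03T09:05:40Z","ipAddress":"198.51.100.77","autonomousSystemNumber":64510,"location":{"countryOrRegion":"NL"},"userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/121.0","authenticationRequirement":"singleFactorAuthentication","isInteractive":false,"status":{"errorCode":0}}
{"userPrincipalName":"colleague@example.test","createdDateTime":"2026-02-03T09:10:00Z","ipAddress":"203.0.113.22","autonomousSystemNumber":64500,"location":{"countryOrRegion":"GB"},"userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/122.0","authenticationRequirement":"multiFactorAuthentication","isInteractive":true,"status":{"errorCode":0}}
{"userPrincipalName":"colleague@example.test","createdDateTime":"2026-02-03T09:12:30Z","ipAddress":"203.0.113.23","autonomousSystemNumber":64500,"location":{"countryOrRegion":"GB"},"userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/122.0","authenticationRequirement":"singleFactorAuthentication","isInteractive":false,"status":{"errorCode":0}}
{"userPrincipalName":"victim@example.test","createdDateTime":"2026-02-03T08:20:00Z","ipAddress":"198.51.100.5","autonomousSystemNumber":64520,"location":{"countryOrRegion":"US"},"userAgent":"curl/8.0","authenticationRequirement":"singleFactorAuthentication","isInteractive":false,"status":{"errorCode":50126}}
""".strip()


def parse_log(text):
    """Parse JSON-lines sign-in records and attach a timezone-aware timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def _succeeded(rec):
    return rec.get("status", {}).get("errorCode", -1) == 0


def _is_mfa_signin(rec):
    return _succeeded(rec) and rec.get("authenticationRequirement") == "multiFactorAuthentication"


def _network(rec):
    return rec.get("autonomousSystemNumber"), rec.get("location", {}).get("countryOrRegion")


def detect_session_replay(records, window=WINDOW):
    """One finding per successful MFA sign-in that is followed, within `window`,
    by successful activity for the same user from a different ASN or country.
    Failed events and events before the MFA sign-in are ignored."""
    by_user = {}
    for rec in sorted(records, key=lambda r: r["_ts"]):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)

    findings = []
    for user, events in by_user.items():
        for i, anchor in enumerate(events):
            if not _is_mfa_signin(anchor):
                continue
            for later in events[i + 1:]:
                if later["_ts"] - anchor["_ts"] > window:
                    break
                if not _succeeded(later) or _network(later) == _network(anchor):
                    continue
                findings.append({
                    "user": user,
                    "mfa_at": anchor["createdDateTime"],
                    "replay_at": later["createdDateTime"],
                    "mfa_ip": anchor["ipAddress"],
                    "replay_ip": later["ipAddress"],
                    "mfa_network": _network(anchor),
                    "replay_network": _network(later),
                    "user_agent_changed": later.get("userAgent") != anchor.get("userAgent"),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the sample log this produces exactly one finding, for victim@example.test, with the user agent change flagged as a secondary indicator; the colleague’s second IP in the same ASN and country is not reported, and the failed attempt before the MFA sign-in is ignored. In production, feed the same logic the user’s historical networks rather than only the anchoring sign-in, and wire the finding to session and refresh-token revocation.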
