Cybercrime is a big business, driving nearly $21 billion in fraud and theft in 2026 alone. The FBI and the Indonesian National Police took a chunk out of that late last week when the pair took down infrastructure vital to the W3LL phishing kit, a piece of software that could steal someone’s account credentials and data to bypass multi-factor authentication. 

The W3LL phishing kit was best known for targeting Microsoft 365 accounts, but a crook could purchase it for $500 online and target any number of services. They could then deploy a website that captures a user’s login information and session data, giving the criminal access to the account without going through multi-factor authentication. 

Read more: Best Password Manager in 2025

The cybersecurity firm Group-IB, which first documented the W3LL phishing kit in 2023, described it as an all-in-one phishing tool capable of making custom phishing tools, providing email lists, and granting access to compromised servers. Its developer also made a couple of bulk email spam tools called PunnySender and W3LL Sender before the W3LL phishing kit, and has been active in cybercrime since at least 2017. 

“This wasn’t just phishing — it was a full-service cybercrime platform,” FBI Atlanta Special Agent in Charge Marlo Graham said in a press release. 

Watch this: Your Phone is Disgusting: Let’s Fix That

05:07

Representatives for the FBI and Group-IB did not immediately respond to requests for comment.

According to the FBI, the kit was available in the W3LL marketplace from 2019 until the store closed in 2023. The developer, known publicly as G.L, continued selling the kit and compromised account details over encrypted messaging platforms. The FBI said authorities detained a suspect believed to be G.L. 

Read more: Anthropic Says Its New AI Model Is So Good at Finding Security Risks, You Can’t Use It

The tool is responsible for quite a lot of damage. The FBI estimates that the W3LL store housed more than 25,000 compromised accounts up through 2023 and the tool was used to compromise an additional 17,000 accounts in 2023 and 2024. Criminals stole, or attempted to steal, roughly $20 million in total. 

Cybercriminals who purchased the kit had access to customer service, including a ticketing system and web chat. Those who weren’t particularly tech savvy also had tutorial videos showing how to use the tool to craft fake websites and steal credentials. The tool was sold primarily by word of mouth, with a 10% commission for referrals and a third-party vendor program with a 70/30 split on profits. 

The FBI took down the main kit, but it may not be the end of the road for W3LL. Sekoia IO, a European cybersecurity company specializing in software-as-a-service, has identified similar tools, such as Sneaky 2FA, which uses some W3LL source code. Cracked versions of W3LL have also been circulating online for years.