
Disruption of W3LL phishing ecosystem linked to $20 million in fraud

2 unique sources, 2 articles

Summary


US and Indonesian authorities dismantled the W3LL phishing platform in a coordinated takedown, seizing infrastructure and arresting the alleged developer responsible for a modular phishing kit that facilitated over $20 million in fraud. The operation targeted a full-service cybercrime platform that enabled credential harvesting via spoofed Microsoft 365 login pages, allowed bypassing multi-factor authentication through adversary-in-the-middle techniques, and supported business email compromise (BEC) attacks from initial access through post-exploitation. The W3LL ecosystem operated from 2019 to 2023 as a members-only marketplace before persisting through encrypted channels, with operations spanning over 17,000 victims globally between 2023 and 2025.

Timeline

  1. 13.04.2026 13:35 2 articles · 1d ago

    W3LL phishing operation disrupted after global law enforcement takedown

    US and Indonesian authorities dismantled the W3LL phishing network, seizing the w3ll.store domain, arresting the alleged developer, and confirming the platform’s operation as a full-service cybercrime ecosystem. The kit enabled adversary-in-the-middle credential harvesting, bypassed multi-factor authentication via session cookie theft, and supported business email compromise (BEC) from initial access through post-exploitation. The ecosystem persisted post-marketplace shutdown via encrypted messaging channels with rebranded toolkit variants sold to additional threat actors.


Information Snippets

  • W3LL phishing kit enabled credential harvesting via spoofed Microsoft 365 login pages and other services.

    First reported: 13.04.2026 13:35
    2 sources, 2 articles
  • W3LL Store operated as a members-only marketplace from 2019 to 2023, with over 500 active users and 12,000+ items listed at one point.

    First reported: 13.04.2026 13:35
    1 source, 1 article
  • The FBI identified the alleged developer behind W3LL, publicly referenced as ‘G.L.’, and seized the w3ll.store domain.

    First reported: 13.04.2026 13:35
    2 sources, 2 articles
  • W3LL Store reportedly generated $500,000 in revenue for the actor over a 10-month period during its operation.

    First reported: 13.04.2026 13:35
    1 source, 1 article
  • Group-IB reported the W3LL ecosystem had been linked to 850 phishing sites during its active period.

    First reported: 13.04.2026 13:35
    1 source, 1 article
  • Investigators estimate over 25,000 compromised accounts were sold via W3LL Store until its 2023 shutdown.

    First reported: 13.04.2026 13:35
    1 source, 1 article
  • The takedown involved the FBI Atlanta field office in collaboration with Indonesian law enforcement authorities.

    First reported: 13.04.2026 13:35
    2 sources, 2 articles
  • W3LL phishing kit enabled adversary-in-the-middle attacks by proxying legitimate corporate login portals through attacker-controlled infrastructure to harvest credentials, MFA tokens, and session cookies in real time.

    First reported: 13.04.2026 21:55
    1 source, 1 article
  • Seized infrastructure included the w3ll.store domain, and the alleged developer was arrested in a coordinated US-Indonesia operation.

    First reported: 13.04.2026 21:55
    1 source, 1 article
  • Post-marketplace shutdown, the W3LL toolkit continued operating via encrypted messaging channels with rebranded versions sold to additional threat actors.

    First reported: 13.04.2026 21:55
    1 source, 1 article
  • W3LL phishing kit specifically supported business email compromise (BEC) attacks from initial access through post-exploitation, including inbox monitoring and fraudulent email rule creation.

    First reported: 13.04.2026 21:55
    1 source, 1 article

Similar Happenings

Tycoon2FA Phishing-as-a-Service Takedown

Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform that bypassed MFA using adversary-in-the-middle techniques, resumed operations at pre-disruption levels within days of a March 4, 2026 global takedown, despite initial reductions in campaign volumes. The platform, active since August 2023, offered subscription-based access for bypassing multi-factor authentication, targeting major services like Microsoft 365 and Google. It was linked to over 64,000 phishing incidents and facilitated unauthorized access to nearly 100,000 organizations globally by mid-2025. The primary operator, identified as 'SaaadFridi' and 'Mr_Xaad,' remains at large. The platform’s infrastructure relied on adversary-in-the-middle techniques, AI-generated decoy pages, and short-lived domains to evade detection, while customers employed tactics like ATO Jumping to distribute phishing URLs. The takedown involved Europol’s EC3 and law enforcement from six European countries. Following the disruption, Tycoon2FA rapidly recovered to pre-disruption operational levels, with daily campaign volumes returning to early 2026 levels by March 6. Post-compromise activities included business email compromise (BEC), email thread hijacking, cloud account takeovers, and malicious SharePoint links. Old infrastructure remained active after the disruption, while new phishing domains and IP addresses were registered quickly. Operators continued using unchanged TTPs, including compromised domains, legitimate cloud services, and IPv6-based automated logins, underscoring the resilience of the PhaaS model without arrests or physical seizures.

JokerOTP MFA phishing-as-a-service dismantled, third suspect arrested

The Netherlands Police arrested a 21-year-old man from Dordrecht for selling access to the JokerOTP phishing automation tool, which intercepts one-time passwords (OTPs) to hijack accounts. The arrest is part of a three-year investigation that led to dismantling the JokerOTP phishing-as-a-service (PhaaS) operation in April 2025. The service caused at least $10 million in financial losses across 28,000 attacks in 13 countries. The seller advertised access via Telegram, allowing cybercriminals to automate calls to victims and capture sensitive data. The tool targeted users of PayPal, Venmo, Coinbase, Amazon, and Apple. The investigation is ongoing, with dozens of buyers identified for prosecution.

Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector

Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign involved leveraging compromised internal identities to conduct large-scale phishing attacks within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, password collection page, exfiltration script, and redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in was abandoned by its developer and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.

Storm-2657 Targets University HR Employees in Payroll Hijacking Campaign

A cybercrime gang, Storm-2657, has been targeting university employees in the United States since March 2025 to hijack salary payments. The attackers have successfully compromised 11 accounts at three universities, sending phishing emails to nearly 6,000 email accounts across 25 universities. The campaign, codenamed Payroll Pirates, exploits a lack of multifactor authentication (MFA) or phishing-resistant MFA to compromise Workday accounts and other third-party HR SaaS platforms. The attackers use sophisticated social engineering tactics and adversary-in-the-middle (AITM) links to steal MFA codes, enabling them to gain access to Exchange Online accounts. Once inside, they alter salary payment configurations and redirect payments to accounts under their control. The attackers also create inbox rules to delete incoming warning notification emails from Workday and enroll their own phone numbers as MFA devices for victim accounts. The compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities. The attacks have been ongoing since March 2025, with Microsoft identifying affected customers and providing mitigation guidance. The campaign has been observed targeting a range of U.S.-based organizations, particularly in the higher education sector, and any software-as-a-service (SaaS) platform storing HR or payment and bank account information.
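Three of the incidents above (the W3LL kit's "fraudulent email rule creation", the energy-sector campaign's persistence rules, and Storm-2657's rules that delete Workday warning emails) share one post-compromise artifact: an inbox rule that hides or diverts mail. The following is an added example, not code from CyberHappenings or from any of the reports it summarizes, showing how a defender can triage Exchange inbox-rule events from the Microsoft 365 unified audit log for those patterns. The sample records, user names and addresses (`example.edu`, `attacker.example`) are constructed, and the field layout (an `Operation` of `New-InboxRule`/`Set-InboxRule` with a `Parameters` list of `Name`/`Value` pairs) is assumed to match exported audit entries; the watch-word list is assembled from the page's own incidents and is a starting point, not a complete detection.

```python
import json

# Inbox-rule parameters that forward or redirect mail out of the mailbox.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders users rarely open; a common destination for hidden security or HR notices.
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                 "deleted items", "conversation history"}
# Terms drawn from the incidents on this page: HR/payroll notices and account-security mail.
WATCH_WORDS = ("workday", "payroll", "invoice", "password", "mfa", "security", "hacked")
# Condition parameters whose values are worth keyword-matching.
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "From")


def rule_parameters(record):
    """Flatten the audit record's Parameters list into a {Name: Value} dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def suspicious_reasons(record):
    """Return the reasons an inbox-rule audit record looks like BEC persistence, or [] if none."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = rule_parameters(record)
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in QUIET_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    for name in FORWARDING_PARAMS:
        if name in params:
            reasons.append(f"{name} -> {params[name]}")
    conditions = " ".join(params.get(k, "") for k in CONDITION_PARAMS).lower()
    hits = [w for w in WATCH_WORDS if w in conditions]
    if hits:
        reasons.append("filters on " + ", ".join(hits))
    # Rules named with a single dot or only whitespace are easy to overlook in the rule list.
    if len(params.get("Name", "").strip()) <= 1:
        reasons.append(f"near-empty rule name {params.get('Name', '')!r}")
    return reasons


def triage(audit_lines):
    """Parse one JSON audit record per line and return a finding for each suspicious rule."""
    findings = []
    for line in audit_lines:
        record = json.loads(line)
        reasons = suspicious_reasons(record)
        if reasons:
            findings.append({
                "user": record.get("UserId"),
                "time": record.get("CreationTime"),
                "client_ip": record.get("ClientIP"),
                "rule": rule_parameters(record).get("Name"),
                "reasons": reasons,
            })
    return findings


# Constructed sample records (not real audit data), shaped like Exchange admin
# audit entries exported from the Microsoft 365 unified audit log.
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2026-04-13T09:12:44", "Operation": "New-InboxRule",
                "UserId": "hr.admin@example.edu", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "digest@newsletter.example"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2026-04-13T09:15:02", "Operation": "New-InboxRule",
                "UserId": "hr.admin@example.edu", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords",
                                "Value": "Workday;payroll;direct deposit"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-04-13T09:16:30", "Operation": "Set-InboxRule",
                "UserId": "finance@example.com", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "SubjectContainsWords", "Value": "invoice"},
                               {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LINES):
        print(finding)
```

Run against the samples, the benign newsletter rule produces no finding, while the dot-named rule that deletes Workday and payroll mail and the rule that forwards invoices externally and parks them in RSS Feeds are both flagged with the specific reasons. Because the findings carry the client IP and timestamp, the same rule creation can be correlated with the sign-in that preceded it, which is where an AitM session-cookie replay from an unfamiliar address would show up.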

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials; the stolen data was used to fuel further cybercrime, including business email compromise, data breaches, financial fraud, and ransomware attacks. The toolkit automated the creation of fake Microsoft login pages for credential theft.

Authorities in Nigeria have since arrested three individuals linked to the RaccoonO365 phishing-as-a-service (PhaaS) scheme. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) collaborated with Microsoft and the FBI in the investigation, acting on intelligence from Microsoft shared via the FBI, and seized laptops, mobile devices, and other digital equipment linked to the operation. The service had been disrupted by Microsoft and Cloudflare last September; it is unclear whether that disruption helped identify those behind RaccoonO365 in Nigeria.

One of the arrested suspects, Okitipi Samuel, also known online as 'RaccoonO365' and 'Moses Felix,' is identified by the police as the principal suspect and the developer of the phishing infrastructure. Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, and he hosted the phishing pages on Cloudflare using accounts registered with compromised credentials. The channel counted over 800 members around the time of the disruption, with reported access fees ranging from $355/month to $999/3 months. Cloudflare estimates that the service is used primarily by Russia-based cybercriminals. Regarding the other two arrested individuals, the police stated they have no evidence linking them to the RaccoonO365 operation or its creation. Joshua Ogundipe, whom Microsoft previously identified as the leader of the phishing service, is not mentioned in the police's announcement.