The FBI says it “dismantled” the W3LL phishing operation that allegedly targeted more than 17,000 victims worldwide. The scheme used a phishing kit to mimic login pages and steal passwords and MFA codes, leading to detention of the alleged developer and seizure of key domains.

The FBI announced the takedown of the W3LL phishing operation, describing it as a coordinated dismantling of the infrastructure used to steal credentials at scale. According to the report, the campaign targeted more than 17,000 victims worldwide by deploying a phishing kit that imitated legitimate login pages. Victims who entered their information were allegedly prompted to provide not only passwords, but also multi-factor authentication (MFA) codes, enabling attackers to bypass additional protections. The announcement also states that the takedown included the detention of the alleged developer and the seizure of key domains associated with the operation. The case highlights how phishing kits can bundle realistic branding and workflows to capture sensitive authentication material quickly, converting stolen credentials into immediate account access. For organizations and individuals, the exposure risk underscores the need for phishing-resistant authentication controls, rapid incident reporting, domain monitoring, and user training aimed at recognizing deceptive login prompts.