The Federal Bureau of Investigation (FBI), in coordination with Indonesian law enforcement authorities, has dismantled the infrastructure behind the W3LL phishing kit, a phishing-as-a-service platform allegedly used by cybercriminals worldwide to steal account credentials and facilitate more than $20 million in attempted fraud. The coordinated crackdown also led to the arrest of the alleged developer behind the tool and seizure of domains connected to the operation.
W3LL Sold as Ready-Made Phishing Tool for $500
According to investigators, the W3LL phishing kit was marketed for approximately $500 and allowed buyers to create fake login portals that closely mimicked legitimate websites. Victims who entered their credentials into these spoofed pages unknowingly handed over usernames, passwords, and session data to attackers.
Authorities said the stolen session data enabled threat actors to bypass multi-factor authentication protections and maintain unauthorized access to compromised accounts. The phishing infrastructure was reportedly designed to support large-scale credential theft campaigns targeting thousands of users globally.
FCRF Returns With CDPO, Its Premier Data Protection Certification for Privacy Professionals
FBI Calls It a ‘Full-Service Cybercrime Platform’
Law enforcement officials described W3LL as more than a basic phishing toolkit, characterizing it as a sophisticated cybercrime ecosystem.
FBI Atlanta Special Agent in Charge Marlo Graham said: “This wasn’t just phishing—it was a full-service cybercrime platform.”
The phishing kit was reportedly connected to an underground marketplace known as W3LLSTORE, where threat actors bought and sold stolen credentials, remote desktop access, and unauthorized entry to compromised systems. Investigators estimate that more than 25,000 compromised accounts were traded through the platform between 2019 and 2023.
Operation Continued After Marketplace Shutdown
Although W3LLSTORE reportedly shut down in 2023, authorities said the cybercriminal operation continued through encrypted messaging channels, where the phishing tool was rebranded and promoted to new users.
Between 2023 and 2024, the W3LL phishing kit was allegedly used in campaigns targeting more than 17,000 victims worldwide. Investigators further alleged that the developer behind the platform collected and resold access to compromised accounts, expanding the impact of the operation.
International Cooperation Led to Arrest and Domain Seizure
The FBI stated that its Atlanta Field Office, with assistance from the U.S. Attorney’s Office for the Northern District of Georgia, identified and seized the infrastructure supporting the phishing platform. Indonesian National Police detained the alleged developer, identified only as G.L., and confiscated key domains linked to the service.
Officials described the investigation as the first coordinated enforcement action between the United States and Indonesia specifically targeting a phishing kit developer. Authorities said the takedown cuts off a major cybercrime resource used by threat actors to gain unauthorized access to victims’ online accounts.
