The Federal Bureau of Investigation (FBI) said on April 10 that it has dismantled a global phishing operation while working with Indonesian authorities in what officials described as a first-of-its-kind joint cyber investigation.
The takedown, led by the FBI’s Atlanta Field Office, targeted what the office called a “sophisticated global phishing operation” that allegedly enabled cybercriminals to steal account credentials and “attempt more than $20 million in fraud.”
At the center of the operation was the W3LL phishing kit, a cybercrime tool that allowed users to create fake websites designed to mimic legitimate login pages and trick victims into entering their usernames and passwords.
The phishing kit sold for about $500, giving criminals access to tools that could capture not only login credentials but also session data, and enable them to bypass multi-factor authentication and maintain access to compromised accounts, the FBI said.
The W3LL website was seized by the FBI as part of the takedown effort.
“This wasn’t just phishing – it was a full-service cybercrime platform,” said Marlo Graham, special agent in charge of FBI Atlanta.
“We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public,” Graham said.
The phishing operation allegedly was supported by an online marketplace known as W3LLSTORE, where users could buy and sell stolen credentials and unauthorized system access, including remote desktop connections.
Between 2019 and 2023, the marketplace facilitated the sale of more than 25,000 compromised accounts, the FBI alleged.
Even after W3LLSTORE shut down in 2023, the scheme continued through encrypted messaging platforms, where the phishing kit was rebranded and marketed to criminals. From 2023 to 2024, the tool was used to target more than 17,000 victims worldwide, according to the FBI.
Investigators found that the developer behind the phishing kit also collected and resold access to compromised accounts, expanding the scale and reach of the operation.
Authorities identified and seized infrastructure supporting the service and detained the alleged developer with assistance from Indonesian law enforcement.
The FBI credited the Indonesian National Police for its critical role in the investigation, noting that the case marked the first coordinated action between the United States and Indonesia targeting a phishing kit developer and significantly disrupted a major tool used by cybercriminals worldwide.