The FBI Atlanta Field Office and the Indonesian National Police have taken down a global phishing operation tied to more than $20 million in attempted fraud, according to authorities. The action included infrastructure seizures and the detention of a suspected developer linked to a widely used phishing kit.
Investigators say the operation was built around a tool known as the W3LL phishing kit, which allowed cybercriminals to create convincing replicas of legitimate login pages. The service was sold for about $500, providing buyers with a ready-to-use method to steal usernames and passwords from targeted victims.
W3LLSTORE
Authorities describe the operation as a full-service cybercrime platform rather than a single tool. The kit was supported by an online marketplace called W3LLSTORE, where stolen credentials were bought and sold. Between 2019 and 2023, the marketplace facilitated the sale of more than 25,000 compromised accounts.
After W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms. Law enforcement says the service was rebranded and distributed privately, allowing it to remain active and reach new users despite the closure of its public marketplace.
From 2023 to 2024, the phishing kit was used in more than 17,000 attacks worldwide. Group-IB’s findings in September 2023 linked the platform to campaigns targeting corporate environments, including Microsoft 365 accounts, in which attackers attempted to bypass authentication protections and gain persistent access.
Worldwide Victims
According to Group-IB, activity was heavily concentrated in a few key countries while still reaching targets worldwide, with the United States accounting for more than half of the identified cases.
At the same time, the attacks targeted multiple industries, with manufacturing, technology, and professional services among the most affected. Here's a breakdown of the countries targeted with the W3LL phishing kit, which was supported by the W3LLSTORE marketplace, based on data from Group-IB:
- United States, 56.9%
- United Kingdom, 6.9%
- Australia, 4.6%
- Germany, 2.6%
- Canada, 2.1%
- France, 2.1%
- Netherlands, 2.0%
- Switzerland, 1.8%
- Italy, 1.6%
- Other regions, 19.4%
The Seizure
On April 10, 2026, authorities announced the seizure of domains tied to the operation, disrupting both the sale of the phishing kit and the distribution of stolen data. The alleged developer, identified only as G.L., was detained in Indonesia. Officials have not released further details about their identity.
“FBI Atlanta Field and Indonesian law enforcement authorities have dismantled a global phishing operation that enabled cybercriminals to steal thousands of victims’ account credentials and attempt more than $20 million in fraud.”
FBI Atlanta
Law enforcement officials said the case reflects a coordinated effort to target not only users of phishing tools but also the developers who supply them. By removing the infrastructure behind the service, investigators aim to disrupt multiple criminal operations at once.
The case also shows how phishing kits make it easier for cybercriminals, even script kiddies, to carry out scams like professionals. With ready-made malicious tools available at relatively low cost, attackers can launch large-scale campaigns without advanced technical skills, increasing the volume and reach of credential theft worldwide.
