- FBI & Indonesian police detain suspect behind W3LL phishing kit
- Kit enabled spoofed sites, credential theft, $20M fraud attempts
- Infrastructure and domains seized, cutting off major cybercrime resource
The FBI has revealed it worked together with the Indonesian National Police in the takedown of a major global phishing platform.
The bureau said it detained an individual with the initials G.L., suspected of operating the W3LL phishing kit. The kit, costing around $500, allowed other cybercriminals to quickly and easily create spoofed websites, as well as phishing emails.
Through the combination of the two, the miscreants were able to steal people’s login credentials, opening the door to financial fraud, with the attackers attempting to defraud victims for more than $20 million through the platform.
W3LL well well
"This wasn’t just phishing—it was a full-service cybercrime platform," said FBI Atlanta Special Agent in Charge Marlo Graham. "We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public."
Besides the W3LL kit, the cybercriminal also ran an online marketplace called W3LLSTORE, between 2019 and 2023, where other crooks were allowed to buy and sell stolen login credentials, among other things.
Until its shutdown in 2023, the store facilitated the sale of more than 25,000 compromised accounts, the FBI said. Following the shutdown, the platform rebranded and was actively marketed over encrypted messaging platforms, and used to target more than 17,000 victims worldwide.
In the operation, law enforcement “identified and seized infrastructure facilitating the phishing service”, as well as “key domains tied to the operation.”
“The takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims’ accounts,” the law enforcement agency said.
International law enforcement agencies have been on the hunt for phishing kits for a little while now.
In early March 2026, Europol and Microsoft took down Tycoon 2FA, one of the largest phishing-as-a-service (PhaaS) platforms in the world. Before that, Europol said it took down LabHost, a phishing kit that provided infrastructure for hosting pages, interactive functionality for directly engaging with victims, and campaign overview services, for a monthly fee of, on average, $249.
