FILE – The Federal Bureau of Investigation headquarters is seen, March 21, 2026, in Washington. (AP Photo/Tom Brenner, File)
In a first-of-its-kind joint cyber investigation, the Federal Bureau of Investigation (FBI) Atlanta Field Office and Indonesian law enforcement authorities recently dismantled a sophisticated global phishing operation that enabled cybercriminals to steal thousands of victims’ account credentials and attempt more than $20 million in fraud. The operation centered on the W3LL phishing kit, a widely used cybercrime tool that allowed criminals to impersonate legitimate login pages to trick victims into handing over their usernames and passwords. “This wasn’t just phishing—it was a full-service cybercrime platform,” said FBI Atlanta Special Agent in Charge Marlo Graham. “We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public.”
Notice on the seized website
The website of the operation, known as W3LL, displayed a notice saying it has been seized by the FBI. The bureau said it worked with Indonesia’s police in the takedown operation, which resulted in the detention of the alleged W3LL developer — identified only as G.L. — and the seizure of “key domains.”Millions of dollars lost across the globeThe tool was supported by an online marketplace called “W3LLSTORE.” The tool is said to be responsible for causing lot of financial damage to internet users across the world. The FBI estimates that the W3LL store housed more than 25,000 compromised accounts up through 2023 and the tool was used to compromise an additional 17,000 accounts in 2023 and 2024. Criminals stole, or attempted to steal, roughly $20 million in total. The tool was reportedly sold primarily by word of mouth, with a 10% commission for referrals and a third-party vendor program with a 70/30 split on profits. FBI also uncovered that the developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme.
What’s next cybercrime toolkit W3LL
The FBI took down the main kit, but cybersecurity analysts believe that this may not be the end of the road for W3LL. Sekoia IO, a European cybersecurity company specializing in software-as-a-service, has identified similar tools, such as Sneaky 2FA, which uses some W3LL source code. “This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service ‘Sneaky Log,’ which operates through a fully-featured bot on Telegram,” the company said in an analysis. Sekoia said the phishing pages are hosted on compromised infrastructure, mostly involving WordPress websites and other domains controlled by the attacker. The fake authentication pages are designed to automatically populate the victim’s email address to elevate their legitimacy.
Online scams globally by the numbers
$20 million: The amount of fraud attempts linked to the network. $500: The cost for a criminal to purchase access to the phishing kit. 25,000: The number of compromised accounts sold through the W3LLSTORE marketplace. 17,000: The number of victims targeted worldwide between 2023 and 2024.
