FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts

Summary

The FBI and Indonesian National Police dismantled a global phishing operation leveraging the W3LL toolkit, which stole thousands of credentials and attempted over $20M in fraud. The alleged developer G.L was detained and key domains were seized. The W3LL phishing kit, sold for ~$500, enabled criminals to harvest credentials via fake login pages and had been actively used to target 17,000+ victims worldwide from 2023-2024.

Full text

FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts Ravie LakshmananApr 13, 2026Cybercrime / Threat Intelligence The U.S. Federal Bureau of Investigation (FBI), in partnership with the Indonesian National Police, has dismantled the infrastructure associated with a global phishing operation that leveraged an off-the-shelf toolkit called W3LL to steal thousands of victims' account credentials and attempt more than $20 million in fraud. In tandem, authorities detained the alleged developer, who has been identified as G.L, and seized key domains linked to the phishing scheme. "The takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims' accounts," the FBI said in a statement. The W3LL phishing kit allowed criminals to mimic legitimate login pages to deceive victims into handing over their credentials, thus allowing the attackers to seize control of their accounts. The phishing kit was advertised for a fee of about $500. The phishing kit enabled its customers to deploy bogus websites that mimicked their legitimate counterparts, masquerading as trusted login portals to harvest credentials. "This wasn't just phishing – it was a full-service cybercrime platform," FBI Atlanta Special Agent in Charge Marlo Graham said. "We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public." W3LL was first documented by Singapore-headquartered Group-IB in September 2023, highlighting the operators' use of an underground marketplace called the W3LL Store that served approximately 500 threat actors and allowed them to purchase access to the W3LL Panel phishing kit alongside other cybercrime tools for business email compromise (BEC) attacks. The cybersecurity company described W3LL as an all-in-one phishing platform that offers a wide range of services, right from custom phishing tools and mailing lists to access to compromised servers. The threat actor behind the illicit service is believed to have been active since 2017, previously developing bulk email spam tools like PunnySender and W3LL Sender. Per the FBI, the W3LL Store also facilitated the sale of stolen credentials and unauthorized system access, including remote desktop connections. More than 25,000 compromised accounts are estimated to have been peddled in the storefront between 2019 and 2023. "Primarily focused on Microsoft 365 credentials, W3LL utilizes adversary-in-the-middle (AitM) to hijack session cookies and bypass multi-factor authentication," Hunt.io said in a report published in March 2024. Then last year, French security company Sekoia, in its analysis of another phishing kit known as Sneaky 2FA, revealed the tool "reused a few bits of code" from the W3LL Store phishing syndicate, adding that cracked versions of W3LL have been circulated in the past few years. "Even after W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and actively marketed," the FBI said. "From 2023 to 2024 alone, the phishing kit was used to target more than 17,000 victims worldwide." "The developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  business email compromise, Cybercrime, cybersecurity, data breach, identity theft, law enforcement, Malware, Microsoft 365, Phishing, Threat Intelligence Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Indicators of Compromise

• malware — W3LL
• malware — W3LL Sender
• malware — PunnySender
• malware — Sneaky 2FA

Entities