FBI Atlanta and Indonesian National Police Take Down W3LLSTORE Phishing Marketplace

Summary

FBI Atlanta and Indonesian National Police shut down W3LLSTORE, a global phishing-as-a-service marketplace that facilitated over $20 million in attempted fraud since 2019. The operation centered on the W3LL phishing kit (sold for ~$500), which enabled criminals to create fake login pages and steal credentials; between 2023–2024 alone, the kit was used in over 17,000 attacks targeting Microsoft 365 and other corporate accounts. Authorities seized domains and detained the suspected developer (identified as G.L.) in Indonesia, disrupting both the kit's sale and stolen credential distribution.

Full text

Cyber Crime Phishing ScamFBI Atlanta and Indonesian National Police Take Down W3LLSTORE Phishing Marketplace FBI Atlanta and Indonesian National Police dismantle W3LLSTORE phishing market linked to $20M fraud, seizing domains and detaining developer. byWaqasApril 12, 20262 minute read The FBI Atlanta Field Office and the Indonesian National Police have taken down a global phishing operation tied to more than $20 million in attempted fraud, according to authorities. The action included infrastructure seizures and the detention of a suspected developer linked to a widely used phishing kit. Investigators say the operation was built around a tool known as the W3LL phishing kit, which allowed cybercriminals to create convincing replicas of legitimate login pages. The service was sold for about $500, providing buyers with a ready-to-use method to steal usernames and passwords from targeted victims. W3LLSTORE Authorities describe the operation as a full-service cybercrime platform rather than a single tool. The kit was supported by an online marketplace called W3LLSTORE, where stolen credentials were bought and sold. Between 2019 and 2023, the marketplace facilitated the sale of more than 25,000 compromised accounts. After W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms. Law enforcement says the service was rebranded and distributed privately, allowing it to remain active and reach new users despite the closure of its public marketplace. From 2023 to 2024, the phishing kit was used in more than 17,000 attacks worldwide. Group-IB’s findings in September 2023 linked the platform to campaigns targeting corporate environments, including Microsoft 365 accounts, in which attackers attempted to bypass authentication protections and gain persistent access. Worldwide Victims According to Group-IB, activity was heavily concentrated in a few key countries while still reaching targets worldwide, with the United States accounting for more than half of the identified cases. At the same time, the attacks targeted multiple industries, with manufacturing, technology, and professional services among the most affected. Here’s a breakdown of the countries targeted by the W3LL phishing kit powered by W3LLSTORE marketplace, based on data from Group-IB: United States, 56.9% United Kingdom, 6.9% Australia, 4.6% Germany, 2.6% Canada, 2.1% France, 2.1% Netherlands, 2.0% Switzerland, 1.8% Italy, 1.6% Other regions, 19.4% The Seizure On April 10, 2026, authorities announced the seizure of domains tied to the operation, disrupting both the sale of the phishing kit and the distribution of stolen data. The alleged developer, identified only as G.L., was detained in Indonesia. Officials have not released further details about their identity. Screenshot from the now-seized W3LLSTORE marketplace (Image credit: Hackread.com) “FBI Atlanta Field and Indonesian law enforcement authorities have dismantled a global phishing operation that enabled cybercriminals to steal thousands of victims’ account credentials and attempt more than $20 million in fraud.” FBI Atlanta Law enforcement officials said the case reflects a coordinated effort to target not only users of phishing tools but also the developers who supply them. By removing the infrastructure behind the service, investigators aim to disrupt multiple criminal operations at once. The case also shows that phishing kits made it easier for cyber criminals, even script kiddies, to carry out scams like professionals. With ready-made malicious tools available at relatively low cost, attackers can launch large-scale campaigns without advanced technical skills, increasing the volume and reach of credential theft worldwide. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts FBIFBI AtlantaFraudIndonesiaIndonesian National PoliceMicrosoft 365PhishingPhishing KitScamW3LLSTORE Leave a Reply Cancel reply View Comments (0) Related Posts Cyber Crime Malware Scams and Fraud Security CCleaner Backdoor Attack: A State-sponsored Espionage Campaign Infected CCleaner Software Attack that Affected 700,000 Customers is part of a Wide-scale State-sponsored Cyber-espionage Campaign. Previously we… byWaqas Cyber Crime Hacking News 7 RedHack Hackers Arrested for Turkish Police Hack Police have arrested 7 alleged hackers of RedHack hacking group for hacking Turkish Police website. While RedHack said… byWaqas Read More Cyber Crime INTERPOL Dismantles Infamous ’16shop’ Phishing-as-a-Service Platform The cybercrime platform 16shop sold hacking tools and other malicious tools used to compromise more than 70,000 users in 43 countries. byWaqas Security Cyber Crime Malware The Nastiest of all Ransomware Mamba Encrypts Entire Hard Drive Mamba ransomware is currently targeting Windows users in Brazil, India and the United States – Attackers are spreading… byWaqas

Indicators of Compromise

• malware — W3LL phishing kit
• malware — W3LLSTORE

Entities