The US Federal Bureau of Investigation (FBI), in partnership with the Indonesian National Police, has dismantled the infrastructure behind a large-scale global phishing operation that stole thousands of victims’ account credentials and attempted more than $20 million in fraud.
Authorities also detained the alleged developer of the operation, identified as G.L., and seized domains linked to the scheme.
The operation involved the W3LL phishing kit, an off-the-shelf toolkit sold for around $500. The tool enabled cybercriminals to create phishing pages that mimicked legitimate login pages, tricking victims into entering credentials. Once the credentials were obtained, attackers could take over accounts and launch further attacks.
First documented in September 2023, W3LL operated through an underground marketplace known as the “W3LL Store,” which served roughly 500 threat actors. The platform allowed users to purchase phishing kits, mailing lists, and tools for business email compromise (BEC) attacks.
The service also facilitated the sale of stolen credentials and unauthorized system access, including remote desktop connections. Between 2019 and 2023, more than 25,000 compromised accounts were reportedly sold through the marketplace. The platform was shut down in 2023.
The individual behind W3LL is believed to have been active since 2017, previously developing bulk email spam tools such as PunnySender and W3LL Sender.
A separate international operation by law enforcement in the US, UK, and Canada uncovered over $45 million in cryptocurrency linked to global fraud schemes. The initiative, which focused on helping victims of “approval phishing” scams, identified over 20,000 affected crypto wallets across more than 30 countries, froze $12 million for recovery, and flagged another $33 million for investigation. It also shut down more than 120 scam-related websites.