Breaking
KR전북 교사 60% 교권 침해 경험… "아동학대 조항 개정·제재 강화해야"CN強颱巴威逼近 台灣北部、東部機率破8成CN國民黨議員秦慧珠批民進黨參選人沈伯洋「不勤跑基層」JPエコノミスト、株高は「円の価値希薄化」の表れと警告KR"임명 번복할 단계 아냐"…정무직 인사엔 "능력·선거 기여도 등 고려"KR충주시, 서충주·탄금공원 일원 자율주행차 시범운행지구 지정AUChina's Submarine Missile Test Signals Growing Military Power in PacificCN台中情侶雙屍命案偵結 男方已死亡不起訴DEElterngeld-Umbau: Familienministerin Prien will Väter mehr einbinden und sparenKRSeoul shares extend losses as investors lock in profits after Samsung earnings estimateKR전북 교사 60% 교권 침해 경험… "아동학대 조항 개정·제재 강화해야"CN強颱巴威逼近 台灣北部、東部機率破8成CN國民黨議員秦慧珠批民進黨參選人沈伯洋「不勤跑基層」JPエコノミスト、株高は「円の価値希薄化」の表れと警告KR"임명 번복할 단계 아냐"…정무직 인사엔 "능력·선거 기여도 등 고려"KR충주시, 서충주·탄금공원 일원 자율주행차 시범운행지구 지정AUChina's Submarine Missile Test Signals Growing Military Power in PacificCN台中情侶雙屍命案偵結 男方已死亡不起訴DEElterngeld-Umbau: Familienministerin Prien will Väter mehr einbinden und sparenKRSeoul shares extend losses as investors lock in profits after Samsung earnings estimate
Newsgather
BackFBI, Indonesian Police Dismantle Global W3LL Phishing Operation, Arrest Developer
FBI, Indonesian Police Dismantle Global W3LL Phishing Operation, Arrest Developer
Developing
Times of India4/20/2026Tech2 min readIndia

FBI, Indonesian Police Dismantle Global W3LL Phishing Operation, Arrest Developer

Joint cyber investigation seizes key domains, detains alleged W3LL developer as part of first-of-its-kind international operation

Quick Look

  • FBI Atlanta and Indonesian law enforcement jointly dismantled the W3LL phishing kit operation, detaining the alleged developer G.L. and seizing key domains.
  • The phishing-as-a-service platform compromised over 42,000 accounts worldwide and enabled approximately $20 million in fraud attempts.

AI-generated summary

Why It Matters

The W3LL phishing kit was sold as phishing-as-a-service for $500, with a referral commission of 10% and a third-party vendor program offering 70/30 profit split. The developer also collected and resold access to compromised accounts.

Font size

The Federal Bureau of Investigation headquarters is seen, March 21, 2026, in Washington. (AP Photo/Tom Brenner, File)

In a first-of-its-kind joint cyber investigation, the Federal Bureau of Investigation (FBI) Atlanta Field Office and Indonesian law enforcement authorities recently dismantled a sophisticated global phishing operation that enabled cybercriminals to steal thousands of victims' account credentials and attempt more than $20 million in fraud.

The operation centered on the W3LL phishing kit, a widely used cybercrime tool that allowed criminals to impersonate legitimate login pages to trick victims into handing over their usernames and passwords.

"This wasn't just phishing—it was a full-service cybercrime platform," said FBI Atlanta Special Agent in Charge Marlo Graham. "We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public."

The website of the operation, known as W3LL, displayed a notice saying it has been seized by the FBI. The bureau said it worked with Indonesia's police in the takedown operation, which resulted in the detention of the alleged W3LL developer — identified only as G.L. — and the seizure of "key domains."

The tool was supported by an online marketplace called "W3LLSTORE." The tool is said to be responsible for causing lot of financial damage to internet users across the world. The FBI estimates that the W3LL store housed more than 25,000 compromised accounts up through 2023 and the tool was used to compromise an additional 17,000 accounts in 2023 and 2024. Criminals stole, or attempted to steal, roughly $20 million in total.

The tool was reportedly sold primarily by word of mouth, with a 10% commission for referrals and a third-party vendor program with a 70/30 split on profits. FBI also uncovered that the developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme.

The FBI took down the main kit, but cybersecurity analysts believe that this may not be the end of the road for W3LL. Sekoia IO, a European cybersecurity company specializing in software-as-a-service, has identified similar tools, such as Sneaky 2FA, which uses some W3LL source code.

"This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service 'Sneaky Log,' which operates through a fully-featured bot on Telegram," the company said in an analysis. Sekoia said the phishing pages are hosted on compromised infrastructure, mostly involving WordPress websites and other domains controlled by the attacker. The fake authentication pages are designed to automatically populate the victim's email address to elevate their legitimacy.

$20 million: The amount of fraud attempts linked to the network. $500: The cost for a criminal to purchase access to the phishing kit. 25,000: The number of compromised accounts sold through the W3LLSTORE marketplace. 17,000: The number of victims targeted worldwide between 2023 and 2024.

Open Questions

  • What specific charges is G.L. facing?
  • How were Indonesian authorities specifically involved in the arrest?
  • What percentage of the $20 million in fraud attempts were actually successful?

Related Topics

This article was originally published by Times of India.

Related Stories

More on this topicfbi