The FBI Atlanta Field Office and Indonesian National Police dismantled a global phishing operation that enabled cybercriminals to steal thousands of victims’ account credentials and attempt more than $20 million in fraud.
In a press release, the FBI said the operation centered on the “W3LL phishing kit,” a widely used cybercrime tool that allowed criminals to impersonate legitimate login pages to trick victims into handing over their usernames and passwords.
For a fee of about $500, users could purchase access to the phishing kit and deploy fake websites designed to look nearly identical to trusted login portals. Once a victim entered their information, the tool captured not only credentials, but also session data that allowed criminals to bypass multi-factor authentication and maintain access to accounts, according to the press release.
“This wasn’t just phishing—it was a full-service cybercrime platform,” FBI Atlanta Special Agent in Charge Marlo Graham said in a media statement. “We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public.”
The phishing kit was supported by an online marketplace known as “W3LLSTORE,” where criminals could buy and sell stolen credentials and unauthorized system access, including remote desktop connections. Between 2019 and 2023, the marketplace facilitated the sale of more than 25,000 compromised accounts.
Even after W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and actively marketed. From 2023 to 2024 alone, the phishing kit was used to target more than 17,000 victims worldwide, the press release said.
Investigators also uncovered that the developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme.
The FBI, with assistance from the U.S. Attorney’s Office for the Northern District of Georgia, identified and seized infrastructure facilitating the phishing service. In coordination with the Indonesian National Police, authorities detained the alleged developer and seized key domains tied to the operation.
