{"id":581,"date":"2026-04-13T16:21:46","date_gmt":"2026-04-13T16:21:46","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=581"},"modified":"2026-04-13T16:21:46","modified_gmt":"2026-04-13T16:21:46","slug":"fbi-and-indonesian-police-dismantle-w3ll-phishing-network-behind-20m-fraud-attempts","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=581","title":{"rendered":"FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Apr 13, 2026<\/span><\/span> <span class=\"p-tags\">Cybercrime \/ Threat Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>The U.S. Federal Bureau of Investigation (FBI), in partnership with the Indonesian National Police, has dismantled the infrastructure associated with a global phishing operation that leveraged an off-the-shelf toolkit\u00a0called <strong>W3LL<\/strong> to steal thousands of victims&#8217; account credentials and attempt more than $20 million in\u00a0fraud.<\/p>\n<p>In tandem, authorities detained the alleged developer, who has\u00a0been identified\u00a0as G.L, and seized key domains linked to the phishing\u00a0scheme. 
\u00abThe takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims&#8217; accounts,\u00bb the\u00a0FBI <a href=\"https:\/\/www.fbi.gov\/contact-us\/field-offices\/atlanta\/news\/fbi-atlanta-indonesian-authorities-take-down-global-phishing-network-behind-millions-in-fraud-attempts\">said<\/a> in a statement.\u00a0<\/p>\n<p>The W3LL phishing\u00a0kit allowed criminals to mimic legitimate login\u00a0pages to\u00a0deceive victims into handing over their credentials, thus\u00a0allowing the\u00a0attackers to seize control of their\u00a0accounts. The phishing\u00a0kit was advertised for a fee of about\u00a0$500.<\/p>\n<p>The phishing kit enabled its customers to deploy bogus websites that mimicked their legitimate counterparts, masquerading as trusted login portals to harvest credentials.<\/p>\n<p>\u00abThis wasn&#8217;t just phishing \u2013 it was a full-service cybercrime platform,\u00bb FBI Atlanta Special Agent in Charge Marlo Graham said. 
\u00abWe will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the\u00a0public.\u00bb<\/p>\n<p>Singapore-headquartered Group-IB first documented W3LL in September\u00a02023, highlighting the operators&#8217; use of an underground marketplace called the W3LL Store that served approximately 500 threat actors and allowed them to purchase access to the W3LL Panel phishing\u00a0kit alongside other cybercrime tools for business email compromise (BEC)\u00a0attacks.<\/p>\n<p>The cybersecurity company described W3LL as an all-in-one phishing platform that offers a wide range of services, from custom phishing tools and mailing lists to access to compromised\u00a0servers. The threat actor behind the illicit\u00a0service is\u00a0believed to have been active since 2017, previously developing bulk email spam\u00a0tools like PunnySender and W3LL\u00a0Sender.<\/p>\n<p>Per the FBI, the W3LL Store also facilitated the sale of stolen credentials and unauthorized system\u00a0access, including remote desktop connections. 
More than 25,000 compromised accounts are estimated to\u00a0have been\u00a0peddled in the storefront between 2019 and\u00a02023.<\/p>\n<p>\u00abPrimarily focused on Microsoft 365 credentials, W3LL utilizes adversary-in-the-middle (AitM) to hijack session cookies and bypass multi-factor authentication,\u00bb\u00a0Hunt.io\u00a0<a href=\"https:\/\/hunt.io\/blog\/phishing-kit-targets-outlook-credentials\">said<\/a> in a report published in March\u00a02024.<\/p>\n<p>Then last year, French security company Sekoia, in its analysis of another phishing kit known\u00a0as Sneaky\u00a02FA, revealed the tool \u00abreused a few bits of code\u00bb from the W3LL Store phishing syndicate, adding that cracked versions of W3LL\u00a0have been circulated in the past few\u00a0years.<\/p>\n<p>\u00abEven after W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and actively marketed,\u00bb the FBI said. \u00abFrom 2023 to 2024\u00a0alone, the phishing kit was\u00a0used to target more than 17,000 victims worldwide.\u00bb<\/p>\n<p>\u00abThe developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the\u00a0scheme.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The U.S. 
Federal Bureau of Investigation (FBI), in partnership with the Indonesian National Police, has dismantled the infrastructure associated with a global phishing&hellip;<\/p>\n","protected":false},"author":1,"featured_media":582,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[257,1202,1200,252,250,1198,589,390,1199,1201],"class_list":["post-581","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-20m","tag-attempts","tag-dismantle","tag-fbi","tag-fraud","tag-indonesian","tag-network","tag-phishing","tag-police","tag-w3ll"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/581","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=581"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/581\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/582"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}