'This wasn’t just phishing — it was a full-service cybercrime platform': FBI reveals takedown of notorious W3LL phishing operation targeting thousands of victims
W3LL phishing operation targeted victims worldwide
- FBI & Indonesian police detain suspect behind W3LL phishing kit
- Kit enabled spoofed sites, credential theft, $20M fraud attempts
- Infrastructure and domains seized, cutting off major cybercrime resource
The FBI has revealed it worked together with the Indonesian National Police in the takedown of a major global phishing platform.
The bureau said it detained an individual with the initials G.L., suspected of operating the W3LL phishing kit. The kit, costing around $500, allowed other cybercriminals to quickly and easily create spoofed websites, as well as phishing emails.
Through the combination of the two, the miscreants were able to steal people’s login credentials, opening the door to financial fraud, with the attackers attempting to defraud victims of more than $20 million through the platform.
W3LL well well
"This wasn’t just phishing—it was a full-service cybercrime platform," said FBI Atlanta Special Agent in Charge Marlo Graham. "We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public."
Besides the W3LL kit, the cybercriminal also ran an online marketplace called W3LLSTORE, between 2019 and 2023, where other crooks were allowed to buy and sell stolen login credentials, among other things.
Until its shutdown in 2023, the store facilitated the sale of more than 25,000 compromised accounts, the FBI said. Following the shutdown, the platform rebranded and was actively marketed over encrypted messaging platforms, and used to target more than 17,000 victims worldwide.
In the operation, law enforcement “identified and seized infrastructure facilitating the phishing service”, as well as “key domains tied to the operation.”
“The takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims’ accounts,” the law enforcement agency said.
International law enforcement agencies have been on the hunt for phishing kits for a little while now.
In early March 2026, Europol and Microsoft took down Tycoon 2FA, one of the largest phishing-as-a-service (PhaaS) platforms in the world. Before that, Europol said it took down LabHost, a phishing kit that provided infrastructure for hosting pages, interactive functionality for directly engaging with victims, and campaign overview services, for a monthly fee of, on average, $249.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.