What happened with the W3LL phishing network?

The Federal Bureau of Investigation and Indonesian police dismantled the W3LL phishing network, seizing infrastructure tied to over $20 million in fraud attempts. The operation targeted a global phishing-as-a-service platform. It marks a major international cybercrime crackdown.

How did the W3LL phishing network work?

W3LL sold phishing tools that allowed attackers to create fake login pages mimicking real websites. Hackers paid around $500 to access the platform via W3LLSTORE. This made it easy for even low-skilled actors to run large-scale scams.

How many people were affected by the phishing attacks?

The network targeted more than 17,000 victims globally between 2023 and 2024. Over a longer period, more than 25,000 stolen credentials were sold through the platform. This shows the scale and persistence of the operation.

What made this phishing kit particularly dangerous?

The kit used adversary-in-the-middle techniques, which intercept login sessions in real time. This allowed attackers to capture authentication tokens along with passwords. Even accounts protected by multi-factor authentication were compromised.

Who was arrested in the operation?

Authorities detained the alleged developer of the W3LL platform, identified as G.L., in Indonesia. This was a key step in disrupting the network’s operations. The arrest followed a joint investigation between US and Indonesian authorities.

Why is this takedown significant?

This is the first coordinated cybercrime takedown between the US and Indonesia. It highlights growing international cooperation in tackling digital threats. Such collaboration is becoming more important as cybercrime becomes more global.

How many hackers were using the W3LL platform?

Around 500 threat actors were actively using the platform. This turned W3LL into a structured cybercrime ecosystem rather than a small operation. It significantly amplified the reach of phishing attacks.

What happened after the W3LLSTORE marketplace shut down?

After the marketplace closed, operators moved to encrypted messaging apps to continue distributing the phishing tools. This shows how cybercriminals adapt quickly to enforcement actions. It also makes detection more difficult.

FBI Indonesia bust $20M phishing network

Written by Brie CarterPublished Apr. 14 2026

The Federal Bureau of Investigation and Indonesian police have dismantled the W3LL phishing network, seizing infrastructure linked to more than $20 million in fraud attempts.

Authorities said the operation targeted a phishing-as-a-service platform that enabled hackers to create fake login pages and bypass multi-factor authentication, affecting more than 17,000 victims globally.

The joint probe led to the arrest of alleged developer G.L. in Indonesia, marking the first coordinated cybercrime takedown between the US and Indonesia.

The W3LL platform sold access to attackers for around $500 via an underground marketplace known as W3LLSTORE, with roughly 500 threat actors using the tools to steal credentials.

Investigators said the kit used adversary-in-the-middle techniques to intercept login sessions in real time, capturing authentication tokens and passwords even from protected accounts.

Between 2019 and 2023, more than 25,000 stolen credentials were traded through the platform, with operators later shifting to encrypted messaging apps after the marketplace shut down.

The takedown comes as phishing attacks continue to target digital asset users, with crypto investors losing more than $300 million to phishing scams in January 2026 alone.