The FBI and the Indonesian National Police have dismantled W3LL, a phishing-as-a-service (PhaaS) platform linked to more than $20 million in attempted fraud and more than 17,000 victims worldwide, in the first joint U.S.-Indonesia enforcement action to go after a phishing kit developer directly.
The FBI Atlanta Field Office announced the operation on April 13, seizing the w3ll.store domain under a court order from the U.S. District Court for the Northern District of Georgia.
FBI Atlanta and Indonesian law enforcement authorities have dismantled a global phishing operation that enabled cybercriminals to steal thousands of victims’ account credentials and attempt more than $20 million in fraud. Read more here: https://t.co/o1mMrtdAwT pic.twitter.com/VPu7lzzRhF
— FBI Atlanta (@FBIAtlanta) April 13, 2026
Indonesian authorities arrested G.L., the alleged developer behind the platform, whose full identity has not been released.
The accompanying W3LLSTORE marketplace, where stolen credentials and access to compromised systems were bought and sold, was also taken offline.
“This was a full-service cybercrime platform,” FBI Atlanta Special Agent in Charge Marlo Graham said.
CASE UPDATE from @FBIAtlanta: FBI, Indonesian Authorities Take Down Global Phishing Network Behind Millions in Fraud Attempts
In a first-of-its-kind joint cyber investigation, the #FBI Atlanta Field Office and Indonesian law enforcement authorities have dismantled a… pic.twitter.com/Ewtu0ptsHd
— FBI (@FBI) April 13, 2026
The W3LL kit sold for approximately $500 and produced fake login pages that closely matched those of legitimate services, with Microsoft 365 corporate portals as a primary target.
The kit deployed an adversary-in-the-middle attack, a technique in which a rogue server sits between the victim and the real site, capturing live session tokens alongside passwords. That allowed buyers to bypass multi-factor authentication and hold account access even after victims changed their credentials.
Between 2019 and 2023, the W3LLSTORE marketplace handled the sale of more than 25,000 compromised accounts. After the platform shut down, the operation shifted to encrypted messaging apps and continued through 2024.
By arresting the developer rather than individual operators, investigators severed access for every downstream criminal simultaneously.
The FBI and the U.S. Attorney’s Office for the Northern District of Georgia called the case a milestone in cross-border efforts to disrupt cybercrime infrastructure at its source.
