ATLANTA, GA — In a first-of-its-kind joint cyber investigation, multiple U.S. and international law enforcement agencies, including the FBI Atlanta Field Office and Indonesian authorities, have dismantled a global phishing operation tied to more than $20 million in attempted fraud.
The operation centered on the W3LL phishing kit, a cybercrime tool that allowed users to create fake login pages designed to steal credentials from victims.
For about $500, users could purchase access to the kit and deploy counterfeit websites that closely mimicked legitimate login portals.
Once victims entered their information, the tool captured usernames, passwords, and session data, allowing criminals to bypass multi-factor authentication and maintain access to accounts.
“This wasn’t just phishing, it was a full-service cybercrime platform,” said FBI Atlanta Special Agent in Charge Marlo Graham. “We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public.”
Officials said the phishing kit was supported by an online marketplace known as W3LLSTORE, where criminals bought and sold stolen credentials and unauthorized system access, including remote desktop connections.
According to officials, the marketplace facilitated the sale of more than 25,000 compromised accounts between 2019 and 2023.
Even after W3LLSTORE shut down in 2023, investigators said the operation continued through encrypted messaging platforms, where the tool was rebranded and marketed to cybercriminals. From 2023 to 2024 alone, it was used to target more than 17,000 victims worldwide, FBI Atlanta officials said.
Investigators said the developer behind the tool profited by collecting and reselling access to compromised accounts, increasing the scale of the scheme.
Multiple agencies, including FBI Atlanta and the U.S. Attorney’s Office for the Northern District of Georgia, helped identify and seize infrastructure tied to the phishing service.
Authorities later detained the alleged developer, identified by the initials G.L., and seized key domains connected to the operation.