FBI Atlanta, Indonesian Authorities Take Down Global Phishing Network Behind Millions in Fraud Attempts
April 10, 2026 - In a first-of-its-kind joint cyber investigation, the FBI Atlanta Field Office and Indonesian law enforcement authorities have dismantled a sophisticated global phishing operation that enabled cybercriminals to steal thousands of victims’ account credentials and attempt more than $20 million in fraud.
The operation centered on the W3LL phishing kit, a widely used cybercrime tool that allowed criminals to impersonate legitimate login pages to trick victims into handing over their usernames and passwords.
For a fee of about $500, users could purchase access to the phishing kit and deploy fake websites designed to look nearly identical to trusted login portals. Once a victim entered their information, the tool captured not only credentials but also session data that allowed criminals to bypass multi-factor authentication and maintain access to accounts.
"This wasn’t just phishing—it was a full-service cybercrime platform," said FBI Atlanta Special Agent in Charge Marlo Graham. "We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public."
The phishing kit was supported by an online marketplace known as W3LLSTORE, where criminals could buy and sell stolen credentials and unauthorized system access, including remote desktop connections. Between 2019 and 2023, the marketplace facilitated the sale of more than 25,000 compromised accounts.
Even after W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and actively marketed. From 2023 to 2024 alone, the phishing kit was used to target more than 17,000 victims worldwide.
Investigators also uncovered that the developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme.
Through the investigation, FBI Atlanta, with assistance from the U.S. Attorney’s Office for the Northern District of Georgia, identified and seized infrastructure facilitating the phishing service. In coordination with the Indonesian National Police, authorities detained the alleged developer, G.L, and seized key domains tied to the operation.
The takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims’ accounts.
The FBI Atlanta Field Office credited the Indonesian National Police for their critical partnership, noting that the case represents the first coordinated action against a phishing kit developer between the United States and Indonesia.
FBI Atlanta
FBI Atlanta Public Affairs
Media.Atlanta@fbi.gov
Source: Federal Bureau of Investigation (FBI)
