W3LL phishing service sold for $500 dismantled by the FBI

The W3LL phishing kit, a cybercrime tool used to impersonate legitimate login pages and steal usernames and passwords, has been dismantled by the FBI and Indonesian law enforcement authorities. Officials estimate the operation was tied to more than $20 million in attempted fraud.

(Source: FBI)

“For a fee of about $500, users could purchase access to the phishing kit and deploy fake websites designed to look nearly identical to trusted login portals,” the FBI said.

Once a victim entered their details, the tool captured both login credentials and session data, allowing attackers to bypass MFA and retain access to the account.

The FBI identified and seized infrastructure used to run the phishing service, while the Indonesian National Police arrested the alleged developer behind the platform and seized key domains linked to the operation.

The phishing kit was tied to an online marketplace known as W3LLSTORE, where stolen credentials and access to compromised systems were traded, including remote desktop connections. According to investigators, more than 25,000 accounts were sold on the platform between 2019 and 2023.

After W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and marketed to new buyers. The kit was used in campaigns targeting more than 17,000 victims worldwide between 2023 and 2024.

“This wasn’t just phishing—it was a full-service cybercrime platform,” said FBI Atlanta Special Agent in Charge Marlo Graham.

According to the FBI Internet Crime Complaint Center, reported losses reached $20.877 billion in 2025, a 26% increase from the previous year. The agency received more than one million complaints, with fraud accounting for the majority of cases. Cyber-enabled fraud alone totaled $17.7 billion, or 85% of all reported losses.