FBI and Indonesian National Police Dismantle W3LL Phishing Network in Global Operation

The Federal Bureau of Investigation (FBI) and the Indonesian National Police (POLRI) announced on April 13, 2026, the successful dismantling of the W3LL phishing-as-a-service (PhaaS) network. The joint operation culminated in the arrest of the alleged developer, a 31-year-old Indonesian national, and the seizure of servers hosting the W3LL Store. This illicit marketplace provided cybercriminals with sophisticated tools designed to compromise corporate email accounts and bypass modern security protocols.

According to official statements from the FBI’s Cyber Division, the W3LL network facilitated more than $20 million in attempted business email compromise (BEC) fraud over a three-year period. The platform served an estimated 500 active cybercriminals who utilized the W3LL toolkit to target over 56,000 corporate accounts globally. Technical analysis reveals that the operation focused heavily on Microsoft 365 environments, utilizing adversary-in-the-middle (AiTM) techniques to intercept login credentials and session cookies in real-time. This method allowed attackers to circumvent multi-factor authentication (MFA), providing them with full access to sensitive corporate data and financial systems.

The W3LL Store offered a comprehensive suite of tools, including the W3LL Panel, a centralized dashboard for managing phishing campaigns, and the W3LL Scanner, which identified vulnerable corporate domains. The developer also provided custom-built SMTP servers and link obfuscators to evade automated security filters. Law enforcement officials confirmed that the infrastructure was hosted across multiple jurisdictions, requiring a coordinated international effort involving Interpol and several European cybercrime units to execute the takedown and seize domain names associated with the operation.

Investigatory documents released on April 13 indicate that the W3LL toolkit was responsible for breaches in various sectors, including healthcare, manufacturing, and legal services. In one documented instance, the tools were used to redirect a $3.2 million wire transfer from a European manufacturing firm to a fraudulent account. The Indonesian National Police stated that the arrested individual faces multiple charges under the Electronic Information and Transactions (ITE) Law, which carries a maximum sentence of 12 years in prison. The suspect is currently in custody in Jakarta awaiting further legal proceedings.

FBI Director Christopher Wray stated that the dismantling of the W3LL Store represents a significant disruption to the PhaaS ecosystem. By removing the developer and the underlying infrastructure, authorities aim to increase the barrier to entry for low-skilled attackers who relied on these pre-packaged tools. The FBI continues to analyze seized data to identify and prosecute the individual users of the W3LL Store who purchased these services to conduct illicit activities. This operation marks one of the largest successful collaborations between U.S. and Southeast Asian law enforcement in the fight against organized cybercrime.