FBI teams up with Indonesia to dismantle W3LL phishing network, with more than $20 million involved

FBI dismantles phishing network

The Federal Bureau of Investigation (FBI) Atlanta Field Office and Indonesia’s National Police jointly announced on April 14 that they successfully dismantled the W3LL phishing network infrastructure, seized key technical equipment directly linked to fraud totaling more than $20 million, and detained the suspected developer GL. This operation was supported by judicial assistance from the Office of the U.S. Attorney for the Northern District of Georgia, and marks the first joint crackdown by law enforcement agencies from the two countries against a hacker platform.

How the W3LL phishing network works: a criminal tool from $500 and up

The core design of the W3LL phishing toolkit is to create nearly indistinguishable fake login pages that prompt victims to voluntarily enter account credentials. Attackers can purchase tool usage rights for as little as about $500 through the underground market W3LLSTORE, allowing it to spread rapidly within criminal circles. It has accumulated roughly 500 threat actors actively using it, forming a highly organized ecosystem of cybercrime.

However, the most destructive feature of the W3LL phishing network is its adversary-in-the-middle (AiTM) attack technique. The attacker proxies the victim's login session in real time and captures the authentication tokens at the exact moment the user enters their username and password. This means that even if the account has multi-factor authentication enabled, the attacker can hijack the already-verified session the instant verification completes, rendering MFA protection effectively useless.

Crime scale and the trail of evolution

The history of the W3LL phishing network spans multiple years, showing a clear evolution path aimed at resisting law enforcement:

2019–2023: The W3LLSTORE underground market was active, with more than 25,000 stolen credentials traded through it

After the market was shut down: Operators shifted to encrypted communication apps, continuing to distribute re-packaged tools to evade law enforcement tracking

2023–2024: Toolkit packages caused more than 17,000 victims worldwide

April 14, 2026: The U.S.-Indonesia joint action successfully seized the infrastructure, and the developer GL was taken into custody

The entire criminal ecosystem is highly organized, from tool development and market sales to actual attack execution, forming a complete cybercrime supply chain.

U.S.-Indonesia security cooperation: a new arena for coordinated crackdowns on cybercrime

The timing of this joint seizure operation carries diplomatic significance. On April 13, the United States and Indonesia formally announced the establishment of a major defense partner relationship, with a framework covering military modernization, professional education, and joint exercises in the Indo-Pacific region. The seizure operation targeting the W3LL phishing network shows that bilateral security cooperation has officially expanded into the domain of cybercrime law enforcement.

Of particular note is that phishing threats against cryptocurrency holders are still escalating. In January 2026, in a single month alone, cryptocurrency investors lost more than $300 million due to phishing attacks, indicating that even though this W3LL phishing network crackdown has achieved results, the overall threat environment remains far from optimistic.

Frequently asked questions

Why can the W3LL phishing toolkit spread widely within the cybercrime community?

The rapid adoption of the W3LL toolkit comes down to two main factors: the extremely low entry cost of $500, and a capability that other tools rarely offer: bypassing multi-factor authentication. The combination of a low barrier and high effectiveness makes it a preferred attack tool for organized cybercrime groups, forming a stable sales and supply chain in the underground market.

How is multi-factor authentication (MFA) bypassed by the W3LL toolkit?

The W3LL toolkit uses adversary-in-the-middle (AiTM) attack technology to immediately hijack the already-verified login session and authentication tokens the moment the victim completes MFA verification. This allows attackers to log into the target account as the victim without needing to know the second factor, causing traditional MFA protection mechanisms to fail.

How can cryptocurrency users effectively defend against this kind of advanced phishing network attack?

Key defensive measures include: using hardware security keys (such as YubiKey) instead of SMS or app-based OTPs as the multi-factor authentication method, since origin-bound hardware keys can effectively resist AiTM attacks; carefully verifying the authenticity of the domain name before visiting any platform; and avoiding clicking login links in emails or messages from unknown sources.
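An added illustration (not code from the original article) of why the hardware-key advice holds: a FIDO2/WebAuthn relying party verifies that the browser-supplied origin and the rpIdHash in the assertion match its own domain, so an assertion produced on a look-alike phishing page is rejected before any session is issued. The origin, RP ID and challenge values below are constructed for the example.

```python
import base64
import hashlib
import json

# Constructed example values for the legitimate relying party.
RP_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used in WebAuthn."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser produces for an assertion.
    The browser, not the page, fills in the origin it is really talking to,
    so a page served from a look-alike domain yields that domain's origin."""
    payload = {"type": "webauthn.get",
               "challenge": b64url_encode(challenge),
               "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) + flags (UP|UV) + counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks from the WebAuthn assertion ceremony (signature
    verification omitted): ceremony type, challenge binding, origin, rpIdHash."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')!r}"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"
```

The origin check is what an OTP relay cannot satisfy: a proxied page sits on a different origin, the browser reports that origin, and the relying party refuses the assertion.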
