The FBI says it disrupted the W3LL phishing operation used to steal login credentials and enable financial fraud. The attempted losses reported are more than $20 million, highlighting “phishing-as-a-service” infrastructure.

The FBI announced a takedown of the W3LL phishing operation, describing it as more than a basic phishing campaign. According to the bureau, the scheme relied on phishing-as-a-service infrastructure—allowing criminals to scale attacks, personalize lures, and streamline credential theft. The investigation reportedly involved coordination with Indonesian authorities to disrupt the phishing kit used to capture login details, which were then used to facilitate financial fraud. The FBI stated that the operation targeted thousands of victims and that attempted losses exceeded $20 million. Victims were exposed to the same core workflow seen across modern phishing-as-a-service ecosystems: attackers deploy polished lures, harvest credentials, and use access to attempt withdrawals, transfers, account takeover purchases, or other fraud. For readers, the key takeaway is that credential theft can be modular. Even if a message looks like “just phishing,” the supporting toolkit can enable rapid monetization. The disruption also underscores that law enforcement increasingly targets the infrastructure layer—kits, delivery mechanisms, and back-end fraud enablers—rather than only individual scam messages.