6 Facts About the International Phishing Tools Syndicate Lovers Busted by Bareskrim

The Directorate of Cyber Crime at Bareskrim Polri has dismantled a cross-border network providing cyber fraud software or phishing tools, headquartered in Kupang. It turns out that the fraud was carried out by a couple, namely the man GWL (24) and the woman FYT (25). According to police data, the couple’s deceitful actions caused global losses of up to Rp 250 billion. In investigating the case, Bareskrim Polri collaborated with the Federal Bureau of Investigation (FBI) due to its organised, cross-border cybercrime nature. A total of 34,000 people became victims, including from the United States (US). The suspects reaped profits of billions of rupiah from their fraudulent activities. Here are 6 facts about the case: 1. The Perpetrators Are a Couple Dittipidsiber Bareskrim Polri Brigjen Himawan Bayu Aji stated that his team successfully arrested two individuals involved in the network providing hacking devices or phishing tools. Both operated across borders. “Investigators from the Directorate of Cyber at Bareskrim Polri, together with Ditreskrimsus Polda NTT, successfully tracked and secured two perpetrators in Kupang City, NTT,” said Himawan Bayu Aji during a press conference at Bareskrim Polri, South Jakarta, on Wednesday (22/4/2026). The two suspects are GWL (24), a male SMK multimedia graduate who was the mastermind behind creating illegal scripts autodidactically, and his girlfriend FYT (25), who handled the finances from the crimes. Himawan explained that GWL had been independently producing and developing phishing tools since 2018. He operated several sites, such as w3ll.store, well.store, and well.shop, to market the tools. “Suspect GWL acted as the main perpetrator who produced and sold independently since 2018. His background is an SMK multimedia graduate and he acquired scripting skills autodidactically,” Himawan clarified. Meanwhile, his girlfriend FYT provided fund storage through cryptocurrency wallets. FYT was responsible for converting crypto payments into rupiah and withdrawing them via personal bank accounts. “The suspect has been GWL’s girlfriend since 2016 and assisted in managing the finances from script sales,” he said. Himawan revealed that in running their illegal business, the two suspects used virtual private server (VPS) services located abroad. “The suspects also conducted automatic sales monitoring and provided technical support for buyers of scripts experiencing issues,” he explained. 2. Losses Reach Rp 350 Billion Police also uncovered the losses from this cyber fraud or phishing tools. The global losses from these practices reached Rp 350 billion. “Investigators have uncovered an international phishing tools sales network. From the suspects’ actions, it has caused global losses of around USD 20 million, or approximately Rp 350 billion,” said Wakabareskrim Polri Irjen Nunung Syaifudin during a press conference at Bareskrim Polri building, South Jakarta, on Wednesday (22/4). Nunung said the case was uncovered through cyber patrols. The site was found to be selling software for illegal activities. “This case was uncovered starting from cyber patrols that found the site www.3ll.cc selling phishing tools,” he explained. According to Nunung, investigators then conducted in-depth investigations using undercover buy methods or covert purchases using crypto assets to verify the software’s function. The result was that the tool was used for phishing or illegal access to others’ personal data. Based on investigator data, this network had a very wide reach. From 2019 to 2024, thousands of people were recorded as having purchased the illegal tools. “In this uncovering, investigators successfully exposed the international phishing tools sales network. Then, investigators also identified 2,440 buyers in the period from 2019-2024,” said Nunung. Nunung stated that phishing tools are a serious threat. They serve as entry points for various larger cybercrimes. “Cybercrime today has evolved into organised cross-border crime. Phishing tools traded by perpetrators become gateways for other digital crimes, such as online fraud, data theft, and Business Email Compromise (BEC),” he said. 3. Bypasses Layered Security Dittipidsiber Bareskrim Polri dismantled the hacking device or phishing tools provider network in Kupang. It was stated that the hacking tools produced and sold across borders were capable of penetrating layered security systems or Multi-Factor Authentication (MFA). Dittipidsiber Bareskrim Polri Brigjen Himawan Bayu Aji explained that the sophistication of the tool was discovered after investigators recorded around 34,000 identified victims from January 2023 to April 2024. “From that number, 17,000 victims or about 50 percent were confirmed to have been hacked, including the script’s success in bypassing multi-factor authentication mechanisms,” said Himawan during a press conference at Bareskrim Polri, South Jakarta, on Wednesday (22/4). Himawan revealed that the two suspects in this case are GWL (24), a male SMK Multimedia graduate who was the mastermind behind illegal scripts autodidactically. In selling the tools, GWL created the website wellstore.com in 2018, well.store, and well.shop in 2020. These three websites were connected to a Telegram account as a communication medium and means of delivering scripts to buyers. “The suspect in running his business used VPS (virtual private server) services located abroad. The suspect also conducted automatic sales monitoring and provided technical support for buyers of scripts experiencing issues,” he added. In running this illegal business, GWL was assisted by his girlfriend,