
The scammers who steal your credentials are often not the ones who built the tools to do it. There is an entire industry — phishing-as-a-service — that supplies criminal operators with ready-made kits: fake bank login pages, credential harvesting scripts, delivery notification spoofs, and government impersonation templates. This week, Indonesian police dismantled one of those supply operations — arresting two suspects who ran an international phishing kit marketplace that served 2,440 criminal buyers across multiple countries and enabled the victimization of at least 34,000 people.

The arrest, carried out by Indonesia’s National Police Cyber Crime Directorate, traces the operation to a Telegram bot that served as the marketplace’s automated storefront — allowing buyers to browse, purchase, and receive phishing tools without any direct human contact. Assets worth IDR 4.5 billion (approximately $275,000 USD) were seized.

The Business Model: Fraud as a Service

To understand why this arrest matters, it helps to understand what a phishing kit marketplace actually is — and why disrupting the supply chain of fraud tools has an outsized impact compared to arresting individual scammers.

A phishing kit is a packaged set of files and scripts that enables someone with minimal technical skill to deploy a convincing fake website designed to steal credentials. A complete kit typically includes:

  • HTML/CSS clone pages of legitimate bank, government, or e-commerce websites — visually identical to the real thing
  • Backend scripts that capture entered credentials (usernames, passwords, credit card numbers, one-time codes) and forward them to the operator
  • Hosting instructions that guide the operator in deploying the fake site on a bulletproof host or compromised web server
  • Anti-detection features — code that identifies and blocks access from known security researcher IP ranges, so the fake site only shows to real victims
  • Redirects — after credentials are captured, the victim is silently redirected to the real website, often without realizing what happened

More sophisticated kits include real-time relay features that allow the phisher to use stolen credentials immediately — forwarding captured logins to the real site in real time, intercepting one-time SMS codes and entering them before they expire, and enabling account takeover in the seconds between credential submission and victim awareness.

The marketplace busted in Indonesia was selling these tools to criminal operators across multiple countries, who then deployed them in their own phishing campaigns. By centralizing the technical infrastructure, the marketplace’s operators enabled thousands of fraud campaigns to run simultaneously — each operated by a different criminal buyer — without having to conduct any individual fraud themselves.

The Telegram Architecture

The choice of Telegram as the marketplace’s sales platform is instructive. Telegram’s combination of pseudo-anonymity, bot API infrastructure, and encrypted messaging makes it the preferred platform for automated criminal commerce.

The marketplace used a Telegram bot — an automated account that responds to commands — as its primary sales interface. Buyers could message the bot to browse available kits, request custom builds, make cryptocurrency payments, and receive tool packages, all without interacting with a human operator. This automation reduces risk for the operators: no human transaction logs, no voice or video evidence, and a customer experience indistinguishable from a legitimate automated service.

Indonesian investigators traced the bot to its operators through a combination of blockchain transaction analysis (following cryptocurrency payments backward through the chain), Telegram metadata obtained through legal process, and traditional financial investigation of the IDR 4.5 billion in seized assets.

Scale: 2,440 Buyers, 34,000 Victims

The numbers from this investigation reveal something important about the economics of phishing-as-a-service. With 2,440 buyers, even assuming each ran a small-scale operation targeting a few dozen people, the total victim exposure reaches tens of thousands quickly. Police have confirmed at least 34,000 victims — people whose credentials were harvested using tools from this specific marketplace.

The actual number is likely higher. “Confirmed victims” in cybercrime investigations typically means people who reported to authorities or whose data was found on seized servers. The majority of phishing victims never discover the compromise, never report it, and never appear in law enforcement statistics.

At 2,440 buyers, this was not a niche dark web operation for elite hackers. It was a commercial marketplace serving a customer base the size of a small company’s employee roster — organized criminals, opportunistic fraudsters, and cybercrime newcomers who could not build their own tools but had no difficulty purchasing them.

Why Supply Chain Disruption Matters

Arresting individual scammers is important — but it addresses the symptom rather than the infrastructure. A single phishing-as-a-service operation like the one busted in Indonesia can enable hundreds or thousands of fraud campaigns simultaneously. When it is disrupted, all 2,440 buyers lose their tools at once. Campaigns fail. Victims are spared. The downstream harm prevented by a single supply-chain takedown can dwarf what would be achieved by prosecuting each buyer individually.

This is the same logic behind Operation PowerOFF’s seizure of DDoS-for-hire platforms earlier this month — targeting the services that enable attacks, not just the attackers.

Law enforcement agencies globally have increasingly adopted a “supply chain” approach to cybercrime disruption, prioritizing takedowns of infrastructure providers, tool vendors, and payment processors over the comparatively resource-intensive work of pursuing individual perpetrators across jurisdictions.

How to Recognize Phishing Kit Attacks

Because phishing kits produce near-perfect visual clones of legitimate websites, visual inspection alone is insufficient protection. The key indicator is almost always in the URL — the web address — not the appearance of the page.

What to check:

  • Examine the domain carefully. Fake sites use domains like bankofamerica-secure-login.com, paypa1.com (with the digit 1 replacing the letter l), or bank-of-america.phishing-domain.net. The name that actually identifies the site is the one immediately before the final .com/.org/.net; anything to the left of it is a subdomain that whoever owns that name can set to any text they like, including a bank’s name.
  • Look for HTTPS, but don’t trust it alone. Phishing kits routinely obtain free SSL certificates, so HTTPS (the padlock icon) no longer indicates legitimacy.
  • Don’t follow links from emails or texts. Go directly to your bank, government service, or e-commerce site by typing the address yourself or using a saved bookmark.
  • Use a password manager. Most password managers will not auto-fill credentials on a site that doesn’t match the domain they were saved for — making them an effective defense against phishing clones.
  • Enable multi-factor authentication (MFA) on all financial and email accounts. While advanced phishing kits can relay OTP codes in real time, MFA still provides meaningful protection against less sophisticated operations.
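The domain check and the password-manager rule above, as an added example written for this article (not code from the investigation or from any vendor): the allowlist, homoglyph table and test URLs are constructed, and the registrable-domain logic assumes a single-label suffix such as .com, as the text does.

```python
"""Domain checks for the phishing indicators listed above (added example)."""
from urllib.parse import urlsplit

# Real domains for a few brands a user might have saved (constructed allowlist).
KNOWN_GOOD = {"bankofamerica.com", "paypal.com"}

# Digit-for-letter swaps commonly seen in lookalike domains (constructed table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def hostname(url: str) -> str:
    """Lower-cased host, tolerating addresses typed without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable_domain(url: str) -> str:
    """The label immediately before the final .com/.org/.net, plus that suffix.
    Assumption: single-label public suffix. A production check should consult
    the Public Suffix List so that e.g. .co.uk is handled correctly."""
    host = hostname(url)
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify(url: str) -> str:
    """Explain why the URL should or should not be trusted."""
    host = hostname(url)
    dom = registrable_domain(url)
    if dom in KNOWN_GOOD:
        return "known-good"
    # paypa1.com becomes paypal.com once digits are mapped back to letters.
    if dom.translate(HOMOGLYPHS) in KNOWN_GOOD:
        return "lookalike: digit substituted for letter"
    for good in KNOWN_GOOD:
        brand = good.split(".")[0]
        # Strip hyphens so bank-of-america still matches bankofamerica.
        if brand in host.replace("-", ""):
            if brand in dom.replace("-", ""):
                return "lookalike: brand embedded in registrable domain"
            return "brand in subdomain of unrelated domain"
    return "unknown domain"

def autofill_allowed(saved_for: str, url: str) -> bool:
    """Password-manager rule: fill only when the registrable domain matches."""
    return registrable_domain(url) == saved_for
```

Run `classify()` on the three example addresses from the list above to see each one flagged for a different reason, while the real login page is reported as known-good.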

Sources: Digital Forensics Magazine Roundup April 24 · ASIS Online