FBI and Indonesian Police Dismantle W3LL Phishing Network After $20M Fraud Attempt

Ravie Lakshmanan | April 13, 2026 | Cybercrime / Threat Intelligence

The US Federal Bureau of Investigation (FBI), in collaboration with the Indonesian national police, has dismantled the infrastructure associated with a global phishing operation that used an off-the-shelf toolkit called W3LL to steal thousands of victims’ account details and attempt more than $20 million in fraud.

In parallel, authorities arrested the suspected developer, identified as GL, and seized key domains linked to the phishing scheme. “The downgrade cuts off a major resource used by cybercriminals to gain unauthorized access to victims’ accounts,” the FBI said in a statement.

The W3LL phishing kit allowed criminals to impersonate legitimate login pages to trick victims into providing their credentials, thereby allowing attackers to take control of their accounts. The phishing kit was advertised for around $500.

The kit let its customers stand up fake websites that mimicked their legitimate counterparts, masquerading as trusted login pages in order to harvest credentials.

“This wasn’t just a phishing attack – it was a full-fledged cybercrime,” said FBI Atlanta Special Agent in Charge Marlo Graham. “We will continue to work with our local and foreign law enforcement partners, using all available tools to protect the public.”

W3LL was first documented in September 2023 by Singapore-headquartered Group-IB, which highlighted the use of an underground marketplace called the W3LL Store. The marketplace served about 500 threat actors and allowed them to purchase access to the W3LL Panel phishing kit and other cybercrime tools for business email compromise (BEC) attacks.

The cybersecurity company described W3LL as a phishing platform that provides a wide range of services, from phishing tools and mailing lists to access to compromised servers. The threat actor behind the illegal service is believed to have been operating since 2017, having previously developed mass email tools such as PunnySender and W3LL Sender.

According to the FBI, the W3LL Store also facilitated the sale of stolen information and unauthorized system access, including remote desktop connections. More than 25,000 compromised accounts are estimated to have been sold through the storefront between 2019 and 2023.

“Focusing on Microsoft 365 credentials, W3LL uses adversary-in-the-middle (AitM) to hijack session cookies and bypass multi-factor authentication,” Hunt.io said in a report published in March 2024.

Then last year, the French security company Sekoia, in its analysis of another phishing kit known as Sneaky 2FA, revealed that the tool “reused several codes” from the W3LL Store phishing syndicate, adding that cracked versions of W3LL have been distributed for the past few years.

“Even after W3LLSTORE was shut down in 2023, operations continued through encrypted messaging platforms, where the tool was renamed and advertised,” the FBI said. “From 2023 to 2024 alone, the phishing kit was used to target more than 17,000 victims worldwide.”

“The developer running the tool collected and resold access to compromised accounts, increasing the reach and impact of the program.”
