The U.S. Federal Bureau of Investigation (FBI), in partnership with the Indonesian National Police, has dismantled the infrastructure associated with a global phishing operation that leveraged an off-the-shelf toolkit called W3LL to steal thousands of victims’ account credentials and attempt more than $20 million in fraud.
In tandem, authorities detained the alleged developer, who has been identified as G.L, and seized key domains linked to the phishing scheme. “The takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims’ accounts,” the FBI said in a statement.Â
The W3LL phishing kit allowed criminals to mimic legitimate login pages to deceive victims into handing over their credentials, thus allowing the attackers to seize control of their accounts. The phishing kit was advertised for a fee of about $500.
The phishing kit enabled its customers to deploy bogus websites that mimicked their legitimate counterparts, masquerading as trusted login portals to harvest credentials.
“This wasn’t just phishing – it was a full-service cybercrime platform,” FBI Atlanta Special Agent in Charge Marlo Graham said. “We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public.”
W3LL was first documented by Singapore-headquartered Group-IB in September 2023, highlighting the operators’ use of an underground marketplace called the W3LL Store (“w3ll[.]store”) that served approximately 500 threat actors and allowed them to purchase access to the W3LL Panel phishing kit alongside other cybercrime tools for business email compromise (BEC) attacks.
The cybersecurity company described W3LL as an all-in-one phishing platform that offers a wide range of services, right from custom phishing tools and mailing lists to access to compromised servers. The threat actor behind the illicit service is believed to have been active since 2017, previously developing bulk email spam tools like PunnySender and W3LL Sender.
Per the FBI, the W3LL Store also facilitated the sale of stolen credentials and unauthorized system access, including remote desktop connections. More than 25,000 compromised accounts are estimated to have been peddled in the storefront between 2019 and 2023.
“Primarily focused on Microsoft 365 credentials, W3LL utilizes adversary-in-the-middle (AitM) to hijack session cookies and bypass multi-factor authentication,” Hunt.io said in a report published in March 2024.
Then last year, French security company Sekoia, in its analysis of another phishing kit known as Sneaky 2FA, revealed the tool “reused a few bits of code” from the W3LL Store phishing syndicate, adding that cracked versions of W3LL have been circulated in the past few years.
“Even after W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and actively marketed,” the FBI said. “From 2023 to 2024 alone, the phishing kit was used to target more than 17,000 victims worldwide.”
“The developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme.”
Update
In a follow-up analysis published on April 16, 2026, Group-IB described the phishing ecosystem as built around a kit called W3LL Panel (aka OV6 panel) that contained a variety of tools to bypass multi-factor authentication (MFA) and break into enterprise Microsoft 365 accounts. The panel was first detected in the wild in 2020.
“Unlike ordinary phishing kits, W3LL Panel featured advanced Attacker-in-the-Middle (AiTM) capabilities, enabling attackers to hijack session cookies, validate credentials, and access victim accounts,” the company said. “W3LL Panel’s license verification relied on a remote API endpoint hosted by the threat actor.”
W3LL Store, per Group-IB, emerged in 2018 as a closed marketplace for peddling the malware author’s phishing tools, before evolving into a full-fledged platform offering a broad slate of tools necessary to conduct phishing operations. This included potential victim email lists, reconnaissance utilities, and access to compromised mail servers for spamming.
Besides obscuring the store’s infrastructure behind layers of proxies and content delivery networks (CDNs) to fly under the radar, access to the service required a referral from an existing user, allowing it to thrive under a mask of secrecy. To top it all, new members were explicitly instructed not to share any details publicly.
The storefront is assessed to be part of a broader phishing architecture that also consisted of a network of Telegram groups and chats where criminals shared screenshots of compromised accounts and discussed attack strategies.
Group-IB’s investigation into the threat actor behind the operation has revealed their involvement in hacktivism, defacement, phishing, and fraud, not to mention running their own hacking community calledW3LL Squad on platforms like Facebook to discuss cybercrime and coordinate cyber operations.
Following the September 2023 report, W3LL is said to have attempted to evade detection by shutting down the W3LL Store’s web interface and briefly stopping their operations, only to resume them days later under a different branding called PRIV8WTOOLS, marketing it on Telegram as an “innovative and user-friendly tool.”
“W3LL’s tools and services, including an underground PhaaS marketplace called the W3LL Store, enabled over 500 cybercriminals to carry out business email compromise (BEC) attacks targeting organizations worldwide,” Group-IBÂ said.
(The story was updated after publication to include additional insights from Group-IB.)
About The Author
Original post here
