FBI and Indonesian Police Dismantle Global W3LL Phishing Platform

14.04.2026 3 minutes Author: Newsman

The FBI, together with the Indonesian police, dismantled the infrastructure of the large-scale W3LL phishing network, which was used to steal credentials and commit fraudulent transactions worth more than $20 million.

The U.S. Federal Bureau of Investigation (FBI) joined forces with Indonesia’s police to dismantle a massive phishing operation run with the W3LL toolkit. The toolkit enabled widespread theft of user account information and fraud attempts, and yielded fraudsters over $20 million.

During the ongoing investigation into this phishing operation, law enforcement officials arrested the suspected creator and developer of W3LL, known as GL. Authorities also froze many of the key domain names through which the phishing scheme was carried out. The FBI stated that shutting down these phishing operations removes a primary means by which hackers gain access to users’ accounts.

W3LL is not simply a phishing kit. Rather, it allows individuals to create mock versions of login pages for legitimate services. When a victim enters their information, the hacker gains complete control over the victim’s account. Access to this tool cost approximately $500.

In actuality, W3LL is a full-service cybercrime toolset. In addition to building fake login pages that appear legitimate, users can hide the locations of those sites, steal contact lists, and more.

“… This was not simply a phishing operation … this was a fully functional cybercrime platform offering all types of criminal services,” Special Agent Marlo Graham of the FBI Atlanta office stated. She further stated that the FBI continues to work with international partners to shut down similar schemes.

W3LL came under scrutiny in late September of last year, when cybersecurity company Group-IB announced an investigation into it. That announcement included details of an underground market called the W3LL Store, which served an estimated 500 cybercriminals who used it to purchase access to the W3LL panel and various other attack tools. Those tools have included, but are not limited to, corporate email hacking schemes.

Group-IB referred to W3LL as a “universal” service, explaining that it contained everything required to carry out an attack: from phishing kits and emailing lists to access to existing compromised servers. The investigation revealed that the individual behind W3LL had been active in creating malicious tools since at least 2017. He previously developed mass-spamming tools, including PunnySender and W3LL Sender.

Additionally, compromised credentials and access rights to systems, including remote desktop connections, were available for sale via the W3LL Store. Over 25 thousand compromised accounts were sold through the W3LL Store alone from 2019 to 2023.

Experts have taken great interest in both the technical aspects of the attacks and how they were carried out. A majority of W3LL activity was directed at Microsoft 365 accounts. Attackers primarily employed a “man-in-the-middle” attack, enabling them to capture session cookies while bypassing multi-factor authentication.

Subsequently, investigators from Sekoia found that some code within W3LL was used by another phishing tool called Sneaky 2FA. This discovery implies that W3LL’s technology has survived in other tools even though W3LL partially ceased operations in 2023.

Finally, the FBI noted that although the W3LL Store ceased operations in 2023, the overall operation did not. It merely migrated to encrypted messaging platforms, where the tool was relabeled and remains popular today. Investigators believe that more than 17 thousand victims worldwide were affected by this tool in 2023-24.
