The FBI and the Indonesian National Police have dismantled infrastructure tied to a global phishing operation that used the W3LL toolkit to steal thousands of account credentials and attempt more than $20 million in fraud, according to an FBI statement.
KEY FACTS
- Arrest: Authorities detained an alleged developer identified as G.L.
- Seizure: Key domains linked to the phishing scheme were taken down.
- Tool: W3LL was sold for about $500 and used to mimic login pages.
- Scale: The report says more than 17,000 victims were targeted from 2023 to 2024.
The phishing kit let customers set up bogus websites that copied legitimate login portals and harvest the credentials that victims entered there. The operation also sold stolen credentials and unauthorized access, including remote desktop connections.
W3LL was first documented in 2023 by a technical analysis from Group-IB, which described an underground marketplace called the W3LL Store that served about 500 threat actors. The FBI said the marketplace sold access to the W3LL Panel phishing kit and other tools used in business email compromise attacks.
The toolkit focused mainly on Microsoft 365 credentials and used adversary-in-the-middle methods to hijack session cookies and bypass multi-factor authentication, according to the report. Another analysis from Sekoia said a separate phishing kit reused parts of the W3LL code, and the FBI said cracked versions had circulated in recent years.
Officials said the W3LL Store shut down in 2023, but the operation continued through encrypted messaging platforms. The FBI said the developer collected and resold access to compromised accounts, which widened the reach of the scheme.
WHY IT MATTERS
The takedown removes a tool that investigators say helped cybercriminals bypass account defenses and monetize stolen access. It also shows how phishing kits can persist across different channels even after a marketplace shuts down.

