The U.S. Federal Bureau of Investigation (FBI) and the Indonesian National Police have successfully disrupted a global phishing operation that relied on a commercially available toolkit known as W3LL. The phishing operation is reported to have facilitated the theft of account credentials from thousands of victims and to have aimed to defraud over $20 million.

Authorities announced the arrest of an individual suspected to be the developer of this malicious toolkit, identified as G.L. Critical domains related to the phishing campaign were also seized during the operation. “This takedown has significantly obstructed a vital resource for cybercriminals looking to unlawfully access victims’ accounts,” the FBI stated in a press release.

The W3LL phishing kit enabled perpetrators to create counterfeit login pages that closely resembled legitimate services, tricking unsuspecting users into disclosing their credentials. The kit was marketed for approximately $500, offering criminals the infrastructure needed to deploy these fraudulent sites effectively.

Characterized as more than just a phishing toolkit, the W3LL system functioned as a comprehensive cybercrime platform. “This was a full-service operation designed for cybercrime,” remarked Marlo Graham, Special Agent in Charge at the FBI Atlanta office. “We remain committed to working alongside domestic and international law enforcement to leverage all available resources to safeguard the public.”

The W3LL phishing kit was first identified by cybersecurity firm Group-IB in September 2023. Their report detailed its use within an underground marketplace named the W3LL Store, which catered to around 500 cybercriminals, providing access to the W3LL Panel phishing kit as well as other tools for executing business email compromise (BEC) attacks.

Group-IB characterized W3LL as an all-inclusive phishing platform offering a range of services, including custom phishing tools, mailing lists, and access to hacked servers. The operator behind this illicit service is believed to have been active since 2017, having previously developed bulk email spam tools.

According to the FBI, the W3LL Store also facilitated the trading of stolen credentials and unauthorized access to systems, including remote desktop connections. An estimated 25,000 stolen accounts were sold via this marketplace between 2019 and 2023.

Focusing particularly on Microsoft 365 credentials, W3LL employed Adversary-in-the-Middle (AitM) techniques to manipulate session cookies and circumvent multi-factor authentication. Security research published earlier this year pointed out that the W3LL architecture has even been repurposed for newer phishing kits, indicating its continual evolution and resilience.

A comprehensive analysis by Group-IB in April 2026 described the phishing ecosystem surrounding the W3LL Panel as being equipped with advanced capabilities to breach multi-factor authentication systems, specifically targeting enterprise Microsoft 365 accounts. Notably, the W3LL Panel was first detected in operational use in 2020, featuring a remote API endpoint for license verification.

The W3LL Store, emerging in 2018, acted as a cloaked marketplace for malware tools and grew into a robust platform supplying essential resources for phishing operations. It included utilities for reconnaissance, potential victim lists, and access to compromised mail servers, all intentionally obscured behind layers of anonymity.

This sophisticated infrastructure was bolstered by a network of Telegram groups where criminals shared their strategies and experiences. Group-IB’s investigations revealed the operator’s ties to hacktivism and their active engagement in coordinating cyber operations within their own community.

Following a short hiatus after the September 2023 report, the W3LL operation resurfaced under new branding, continuing to target victims globally with its phishing campaigns. “W3LL’s array of tools significantly empowered over 500 cybercriminals engaged in business email compromise activities worldwide,” concluded Group-IB.

(Note: Additional insights from Group-IB were included in the updated story after publication.)
