FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts

FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts

The U.S. Federal Bureau of Investigation (FBI), in partnership with the Indonesian National Police, has dismantled the infrastructure associated with a global phishing operation that leveraged an off-the-shelf toolkit called W3LL to steal thousands of victims’ account credentials and attempt more than $20 million in fraud. 🚨

In tandem, authorities detained the alleged developer, identified as G.L, and seized key domains linked to the phishing scheme. “The takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims’ accounts,” the FBI stated. The W3LL phishing kit allowed criminals to mimic legitimate login pages to deceive victims into handing over their credentials, thus allowing the attackers to seize control of their accounts. The phishing kit was advertised for a fee of about $500.

A Full-Service Cybercrime Platform

“This wasn’t just phishing - it was a full-service cybercrime platform,” said FBI Atlanta Special Agent in Charge Marlo Graham. W3LL was first documented by Singapore-headquartered Group-IB in September 2023, highlighting the operators’ use of an underground marketplace called the W3LL Store that served approximately 500 threat actors and allowed them to purchase access to the W3LL Panel phishing kit alongside other cybercrime tools for business email compromise (BEC) attacks.

The cybersecurity company described W3LL as an all-in-one phishing platform that offers a wide range of services, right from custom phishing tools and mailing lists to access to compromised servers. The threat actor behind the illicit service is believed to have been active since 2017, previously developing bulk email spam tools like PunnySender and W3LL Sender.

Sale of Stolen Credentials

Per the FBI, the W3LL Store also facilitated the sale of stolen credentials and unauthorized system access, including remote desktop connections. More than 25,000 compromised accounts are estimated to have been peddled in the storefront between 2019 and 2023. “Primarily focused on Microsoft 365 credentials, W3LL utilizes adversary-in-the-middle (AitM) to hijack session cookies and bypass multi-factor authentication,” Hunt.io reported in March 2024.

Even after W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and actively marketed. From 2023 to 2024 alone, the phishing kit was used to target more than 17,000 victims worldwide. “The developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme.” 🔒

For more details, check out the full article: Read full article