US and Indonesian law enforcement authorities have taken down a large-scale phishing network that has plotted over $20 million in fraud.
Spearheaded by the FBI Atlanta field office, the operation targeted W3LL, a phishing kit which enables cybercriminals to impersonate legitimate login pages and trick victims into handing over their usernames and passwords. W3LL capabilities could be acquired for a fee of $500.
The kit was notably sold on ‘W3LL Store,’ a members-only online marketplace, which was active between 2019 and 2023.
According to Fox 5 Atlanta, investigators believe the marketplace facilitated the sale of more than 25,000 compromised accounts until its closure in 2023.
The phishing operation continued after the marketplace shut down via encrypted messaging apps. Between 2023 and 2025, W3LL may have been used to target more than 17,000 victims worldwide.
The FBI said it has seized the w3ll.store domain and identified its alleged developer, publicly referred to as ‘G.L.’
W3LL: A Complete Phishing Ecosystem for BEC Attacks
W3LL was first discovered in 2023 by cybersecurity firm Group-IB.
In a September 2023 report, the firm’s researchers claimed the threat actor behind the phishing operation had been operating since at least 2017, when it began selling the W3LL SMTP Sender – a custom tool for sending email spam.
The malicious actor later started selling a phishing kit for Microsoft 365 accounts and subsequently opened the W3LL Store.
At the time the report was published, Group-IB observed that that the marketplace had over 500 active users and more than 12,000 items listed for sale. Researchers estimated the W3LL Store had generated $500,000 for the actor over a 10-month period.
The researchers also assessed that the W3LL phishing kit had been linked to 850 phishing sites over the same reported period.
Group-IB noted that what made the W3LL Store and its products stand out from other underground markets is that the threat actor created not just a marketplace but a complex phishing ecosystem. The fully compatible custom toolset covered almost the entire kill chain of business email compromise (BEC) and could be used by cybercriminals of all technical skill levels.
