FBI Teams Up with Indonesia to Dismantle W3LL Organization’s Phishing Empire

The Federal Bureau of Investigation (FBI) in the United States has joined forces with Indonesian authorities to dismantle the notorious phishing empire of W3LL. This marks the first collaborative effort between the United States and Indonesia to combat developers of phishing toolkits.

According to an announcement last Friday (April 10th) from the FBI’s Atlanta field office, the bureau partnered with Indonesian law enforcement to dismantle a complex global phishing network known as W3LL. This network enabled cybercriminals to steal account credentials from thousands of victims and attempt fraud amounting to over 20 million dollars.

W3LL is a massive and relatively unknown phishing empire that primarily targets Microsoft 365 users with its attacks.

Marlo Graham, the head of the FBI’s Atlanta field office, pointed out that W3LL is not just a phishing operation but a comprehensive platform for cybercrime.

The core of this criminal activity, as stated by the FBI, revolved around the sale of W3LL phishing toolkits. This widely used cybercrime tool allows criminals to impersonate legitimate login pages, tricking victims into handing over usernames and passwords.

For a fee of around $500, users could obtain the rights to use this phishing toolkit and deploy fake websites nearly identical to trusted login portals.

According to a report released by the cybersecurity firm Group-IB in 2023, W3LL operated discreetly and mysteriously, using a networking method akin to multi-level marketing to recruit individuals.

It was reported that newcomers wanting to purchase W3LL STORE phishing tools had to be recommended by existing members, with the referrer earning a 10% commission. Newcomers were required to make a deposit within three days, or their accounts would be deactivated.

Once victims entered their information on the phishing website, the toolkit not only captured credentials but also intercepted session data, enabling criminals to bypass two-factor authentication and continue accessing accounts.

After 2023, W3LL shut down its STORE but shifted its criminal activities to encrypted communication platforms, continuing to repackage phishing tools for sale.

Between 2023 and 2024, the number of global victims attacked by this phishing toolkit exceeded 17,000.

FBI investigators also discovered that the developers of this tool were collecting and reselling stolen account information, expanding the scope and impact of their criminal activities. From 2019 to 2023, over 25,000 records of stolen accounts were documented on the platform.

The FBI’s announcement mentioned that its Atlanta field office, with assistance from the Northern District of Georgia’s Federal Prosecutor’s Office, identified and seized the infrastructure used to carry out the phishing services.

On April 10th, in coordination with the Indonesian National Police, the FBI locally detained the suspected developer, G.L., and seized critical domain names associated with the operation. The FBI stated that this action cut off the main avenue through which cybercriminals illegally accessed victims’ accounts.