INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Phishing Operation Targets Millions via Zero-Day Exploit
2026-04-13 10:35 | LOW MEDIUM
Executive Summary AI-generated
US and Indonesian law enforcement authorities have taken down a large-scale phishing network that has plotted over $20 million in fraud. The operation, dubbed W3LL, was spearheaded by the FBI Atlanta field office and targeted a phishing kit known as W3LL.store, which enabled cybercriminals to impersonate legitimate login pages and trick victims into handing over their usernames and passwords. The FBI seized the w3ll.store domain and identified its alleged developer, publicly referred to as 'G.L.', who had been operating since at least 2017. Researchers from cybersecurity firm Group-IB had previously reported that the threat actor behind W3LL had been in operation for several years, selling a custom tool called the W3LL SMTP Sender - a key component of the phishing kit. The malicious actor later started selling a phishing kit for Microsoft 365 accounts and opened the W3LL Store marketplace, which was active between 2019 and 2023. This complex phishing ecosystem was linked to over 850 phishing sites during the same period, making it stand out from other underground markets.
Technical Mitigations AI-generated
• Implement robust security measures to prevent phishing kits from being sold on members-only online marketplaces, such as W3LL Store.
• Regularly monitor and audit third-party vendors and platforms for potential vulnerabilities or suspicious activity that could be exploited by cybercriminals.
• Develop and enforce strict policies and procedures for identifying and reporting suspected phishing operations, including the use of AI-powered tools to detect malicious emails.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Operation W3LL
Target & Sectors
NORTH_AMERICA
Incident Timeline
at least 2017
Threat actors used a custom SMTP sender tool, W3LL, to target victims since at least 2017.
tactic
Phishing
In a September 2023 report, the firm’s researchers claimed the threat actor behind the phishing operation had been operating since at least 2017, when it began selling the W3LL SMTP Sender – a custom tool for sending email spam.
September 2023
Phishing actors used the W3LL Store to target Microsoft 365 users, selling a phishing kit that was linked to over 850 compromised websites.
tactic
Phishing
In a September 2023 report, the firm’s researchers claimed the threat actor behind the phishing operation had been operating since at least 2017, when it began selling the W3LL SMTP Sender – a custom tool for sending email spam.
infrastructure
Microsoft 365
The malicious actor later started selling a phishing kit for Microsoft 365 accounts and subsequently opened the W3LL Store.
organisation
Microsoft
The malicious actor later started selling a phishing kit for Microsoft 365 accounts and subsequently opened the W3LL Store.
organisation
Group-IB
Group-IB noted that what made the W3LL Store and its products stand out from other underground markets is that the threat actor created not just a marketplace but a complex phishing ecosystem.
organisation
Group
At the time the report was published, Group-IB observed that the marketplace had over 500 active users and more than 12,000 items listed for sale.
victims
500 active users
At the time the report was published, Group-IB observed that the marketplace had over 500 active users and more than 12,000 items listed for sale.
organisation
the W3LL Store
Researchers estimated the W3LL Store had generated $500,000 for the actor over a 10-month period.
financial
$500,000 Store
Researchers estimated the W3LL Store had generated $500,000 for the actor over a 10-month period.
between 2019 and 2023
Threat actors used the FBI Disrupt & Debrief tool to target and dismantle a $20m phishing operation on W3LL Store, an online marketplace active between 2019 and 2023.
Between 2023 and 2025
Threat actors used the FBI's W3LL tool to target approximately 17,000 victims worldwide between 2023 and 2025.
victims
17,000 victims
Between 2023 and 2025, W3LL may have been used to target more than 17,000 victims worldwide.
2026/04/13
The FBI dismantled a $20m phishing operation called W3LL, which was facilitated by the marketplace and targeted over 25,000 compromised accounts.
financial
$20 network
US and Indonesian law enforcement authorities have taken down a large-scale phishing network that has plotted over $20 million in fraud.
FBI Dismantles $20m Phishing Operation W3LL.
organisation
Fox 5 Atlanta
According to Fox 5 Atlanta, investigators believe the marketplace facilitated the sale of more than 25,000 compromised accounts until its closure in 2023.
Tactical Metrics
Metrics
financial
20,000,000
Network
US and Indonesian law enforcement authorities have taken down a large-scale phishing network that has plotted over $20 million in fraud.
FBI Dismantles $20m Phishing Operation W3LL.
Metrics
infrastructure
Microsoft 365
Affected Product
The malicious actor later started selling a phishing kit for Microsoft 365 accounts and subsequently opened the W3LL Store.
Metrics
victims
17,000
Victims
Between 2023 and 2025, W3LL may have been used to target more than 17,000 victims worldwide.
Metrics
victims
500
Active Users
At the time the report was published, Group-IB observed that the marketplace had over 500 active users and more than 12,000 items listed for sale.
Metrics
financial
500,000
Store
Researchers estimated the W3LL Store had generated $500,000 for the actor over a 10-month period.
Intelligence Sources
Infosecurity-Magazine
2026-04-13
FBI Dismantles $20m Phishing Operation W3LL
Infosecurity-Magazine
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:34
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Label | Value | Type
6x | timeline | Temporal Reference | 2023 | date
5x | organisation | Identified Entity | Microsoft | entity
3x | attribution | Attributing Entity | FBI | authority
2x | target region | Target Country | United States | country
2x | tactic | Cyber Operation Type | Phishing | tactic
Contextual Telemetry
Context Block
12 METRICS
Category | Label | Value | Unit
financial | Network | 20,000,000 | network
campaign | Campaign | Operation W3LL | operation
tactic | MITRE ATT&CK Technique | T1566 - Phishing | technique
infrastructure | Affected Product | Microsoft 365 | software
general metric | Accounts | 365 | accounts
general metric | Phishing Sites | 850 | phishing sites
general metric | Atlanta | 5 | atlanta
general metric | Compromised Accounts | 25,000 | compromised accounts
victims | Victims | 17,000 | victims
victims | Active Users | 500 | active users
general metric | Items | 12,000 | items
financial | Store | 500,000 | store