Group-IB followed the development of W3LL, a threat actor responsible for a phishing empire that has mostly gone unnoticed up until now. The Threat Intelligence and Cyber Investigations teams at Group-IB have uncovered that during the past six years, W3LL has been a significant contributor to the compromise of Microsoft 365 business email accounts.
W3LL Store
Group-IB’s new threat report, “W3LL DONE: HIDDEN PHISHING ECOSYSTEM DRIVING BEC ATTACKS”, reveals that the threat actor established the W3LL Store, a covert black market that catered to a closed community of at least 500 threat actors. The store sold a custom phishing kit called W3LL Panel, which circumvented MFA, along with 16 other fully customized tools for business email compromise (BEC) attacks, including attacks on Microsoft 365.
Between October 2022 and July 2023, over 56,000 corporate Microsoft 365 accounts in the USA, Australia, and Europe were targeted by W3LL’s phishing tools, according to Group-IB investigators. Rough calculations by Group-IB show that the W3LL Store’s turnover for the last 10 months may have reached $500,000.
Complex phishing ecosystem
“What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost the entire kill-chain of BEC and can be used by cybercriminals of all technical skill levels,” says Anton Ushakov, deputy head of Group-IB's High-Tech Crime Investigation Department, Europe.
Relevant law enforcement organisations have received all the data collected by Group-IB’s cyber investigators and threat intelligence teams about W3LL.