W3LL-CRAFTED EMAILS: Inside a secret phishing ecosystem

4 min readSep 19


Business email compromise (BEC) is big: the second-largest cybercriminal threat in fact, with losses totaling $2.7 billion in the US alone. And one threat actor, in particular, has played a massive role in driving BEC attacks worldwide. Their alias is W3LL, and they created an entire secret ecosystem of phishing tools helping threat actors break into corporate Microsoft 365 accounts. Group-IB believes that the damages caused by threat actors using W3LL’s tools are in the thousands, if not millions, of euros per victim.

Secret store

W3LL’s operations remained hidden for six years but have now been uncovered by Group-IB in its recent report called W3LL DONE: HIDDEN PHISHING ECOSYSTEM DRIVING BEC ATTACKS. Below is an insight into W3LL’s activity.

Figure 1. W3LL’s Telegram message about one of their tools
Figure 1. W3LL’s Telegram message about one of their tools

As you can see, W3LL is very secretive. They run an invitation-only illicit online marketplace called W3LL Store, which they do not actively advertise, and they even ask their customers to refrain from spreading the word about it. In order to become a W3LL Store customer, new users need to be referred by existing users.

W3LL Store offers managed phishing solutions for criminals of any level of skill who want to carry out BEC phishing campaigns: compromised email accounts, lists of victim emails, access to compromised servers and websites, custom phishing lures, VPN accounts, phishing kits, and more, in other words, everything one might need to carry out a BEC phishing campaign. According to our conservative estimates, W3LL Store’s turnover for the last 10 months may have reached $500,000.

Figure 2. Main page of W3LL Store

W3LL Store provides “customer support” through a ticketing system, live web chat, and video tutorials. At present, it has more than 500 active users. Group-IB identified over 3,800 items sold via the marketplace between October 2022 and July 2023; over 12,000 items are currently on sale.

The Arsenal

The heaviest weapon on W3LL Store is W3LL Panel, arguably the most advanced phishing kit in its class designed to specifically harvest Microsoft 365 accounts, featuring adversary-in-the-middle functionality, API, source code protection, and other unique capabilities. A subscription to the phishing kit costs $500 for the first three months and $150 per month subsequently.

In addition to W3LL Panel, the store offers 16 other fully customized tools entirely compatible with each other that all together constitute a complete setup for BEC attacks. They include an open redirect scanner called OREDIR, a vulnerability scanner called OKELO, SMTP senders (PunnySender and W3LL Sender), and a malicious link stager (W3LL Redirect). The tools are available on a licensing basis and cost between $50 and $350 per month. This is what a W3LL Store purchase page looks like (OV6 is W3LL Panel).

Figure 3. W3LL Store tool purchase page

W3LL regularly updates their tools, adding new functionalities and improving anti-detection mechanisms. They also create new ones. For instance, in July 2023, W3LL released CONTOOL, a program for automating Microsoft 365 account discovery and monitoring designed specifically for BEC attacks. CONTOOL costs $550 for the first three months and $200 per month subsequently.

The impact

Phishing campaigns involving W3LL tools are highly persuasive and usually cover almost the entire kill chain of BEC attacks with a high level of automation and scalability. Once threat actors compromise an account, they can steal data, carry out fake invoice scams, impersonate the account owner, or distribute malware using the compromised email account. Consequences for victim companies extend beyond financial losses and can include data leaks, reputational damage, compensation claims, and even lawsuits.

Figure 4. Example of a W3LL phishing email

Group-IB identified approximately 850 unique phishing websites attributed to W3LL Panel, with at least 56,000 corporate Microsoft 365 business accounts targeted (more than 8,000 of them compromised) between October 2022 and July 2023, but the actual impact and number of victims could be even higher.

While W3LL tools are designed to target companies regardless of their origin, most of the identified targets are organizations in the US, UK, Australia, and Europe (Germany, France, Italy, Switzerland, and the Netherlands), and the most frequently targeted industries identified by Group-IB are manufacturing, IT, financial services, consulting, healthcare, and legal services.

Figure 5. Breakdown of victims

“What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost the entire kill chain of BEC and can be used by cybercriminals of all technical skill levels.”

Anton Ushakov, Deputy Head of Group-IB’s High-Tech Crime Investigation Department, Europe.

We’ve barely scratched the surface here. If you’d like to learn more, see our report W3LL DONE: HIDDEN PHISHING ECOSYSTEM DRIVING BEC ATTACKS, where in addition to the wealth of information about W3LL we provide recommendations on what companies can do to prevent and investigate BEC attacks.

Stay cybersafe, everyone!