W3LL done: uncovering hidden phishing ecosystem driving BEC attacks
← Research Hub

W3LL done: uncovering hidden phishing ecosystem driving BEC attacks

Access untapped details into the scope and sophistication of the W3LL’s BEC-focused criminal enterprise


As Business Email Compromise (BEC) becomes more prevalent, Group-IB uncovers the developing tactics, tools, and infrastructure employed by specific threat groups orchestrating the attacks.

Discover the shift in attack strategies as adversaries evolve from low-skilled fraudsters to sophisticated criminal networks. With phishing remaining an integral intrusion vector in BEC attacks, this report delves into this trend using the case of the W3LL threat actor’s BEC-focused phishing operation.

Group-IB experts conducted a detailed analysis of the main trends in BEC, scrutinizing the W3LL phishing ecosystem, their underground marketplace, linear evolution, and how they compromise business email accounts utilizing W3LL tools. To counter this formidable threat, the report highlights concrete mitigation steps to prevent the incidence and impact of BEC attacks for various organizations.

Key Insights

The W3LL phishing tools ecosystem

W3LL enterprise is a private all-in-one ecosystem of phishing tools, specifically designed to compromise corporate email accounts. According to Group-IB’s rough estimates, W3LL’s Store’s turnover for the last 10 months may have reached $500,000.

Private club of threat actors

Around 500 individual threat actors of various proficiency in cybercrime are using extremely efficient W3LL tools to conduct BEC-focused phishing campaigns.

W3LL's primary weapon

W3LL Panel OV6 - a fully automated private phishing kit with adversary-in-the-middle technique is implemented, allowing criminals to bypass the benefits of 2FA.

Customizable attacks

As of August 2023, in addition to the W3LL Panel phishing kit, the marketplace offers 16 other fully customized tools covering almost the entire BEC kill chain, including SMTP senders, phishing kit, account discovery instruments, reconnaissance tools, and more for conducting complex and highly effective BEC phishing campaigns.

Targeted regions and sectors

W3LL phishing tool kit is being used in attacks all over the world - with over 56,000 corporate Microsoft 365 accounts targeted in the USA, UK, Australia, and Europe between October 2022 and July 2023. Industries frequently affected include manufacturing, IT, financial services, consulting, healthcare, and legal services.

In this report

Emerging trends in BEC attacksEmerging trends in BEC attacks

Learn about the new techniques implemented by threat actors like adversary-in-the-middle phishing kits, phishing email attachments, advanced traffic filtering, etc, to improve the efficiency of their attacks.

Modern BEC toolsetModern BEC toolset

Know the full spectrum of unique tools used by well-organized criminal businesses to execute successful phishing operations.

The kill chain of recent BEC attacks The kill chain of recent BEC attacks

Learn about the attack schemes and tactics employed by threat actors to manipulate victims and compromise their corporate accounts.

Organization of the advanced cybercriminal groupOrganization of the advanced cybercriminal group

Gain insight into the structure of modern cybercrime communities and the factors that make their attacks most effective.

Protection and mitigation recommendationsProtection and mitigation recommendations

Arm yourself with the knowledge provided by Group-IB experts on efficient defense measures against BEC attacks, one of the most dangerous cyber threats in the world.

How does a BEC attack impact your organization?

Regardless of the scheme chosen by the threat actors, the overall impact on a company that has suffered a BEC attack is financial loss (from several thousand to several million euros), data leaks, reputational damage, claims for compensation, and even lawsuits.

Activate advanced protection against cyber threats

Group-IB’s security ecosystem provides comprehensive protection for your IT infrastructure based on our unique cyber intelligence and deep analysis of attacks and incident response.