Phishing Kits & PhaaS
What Is W3LL Panel?
W3LL Panel is an advanced, closed-access Phishing-as-a-Service (PhaaS) platform featuring Adversary-in-the-Middle (AiTM) functionality, custom API capabilities, source code protection, and exclusive access controls. Operated by a threat actor group investigated by Group-IB, the W3LL Panel served a closed community of at least 500 threat actors between October 2022 and July 2023. The platform specifically targeted Microsoft 365 business accounts and was distributed through an exclusive underground marketplace called "W3LL Store." W3LL Panel is documented as one of the most advanced phishing kits in its operational class.
How Does W3LL Panel Work?
W3LL Panel operates as a reverse proxy positioned between victims and legitimate Microsoft 365 services, intercepting all authentication traffic according to Group-IB and The Hacker News.
Authentication relay and MFA bypass follows six steps:
1. Credential interception: the phishing page, served by the proxy, captures the username and password the victim enters.
2. MFA detection: the proxy submits the credentials to Microsoft 365 and, from the real service's response, determines whether MFA is enabled on the account.
3. MFA code interception: if it is, the victim is prompted for the code from SMS, an authenticator app (TOTP) or a push approval. Because the proxy passes Microsoft's own challenge through, the prompt looks exactly like the legitimate one.
4. Real-time relay: the captured credentials and one-time code are forwarded to Microsoft 365 while they are still valid (a TOTP code is good for about 30 seconds), so the relay has to happen immediately.
5. Session token extraction: once Microsoft issues the authenticated session cookie and tokens to "the browser", the proxy keeps a copy.
6. Full account access: the attacker replays the session cookie from their own infrastructure. No second MFA prompt occurs because the session is already authenticated, and the victim sees nothing unusual.
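The six-step relay above, reduced to a runnable model, together with the one case it cannot handle: an authenticator that binds the credential to the site origin, which is the basis of the "phishing-resistant MFA" advice later on this page. This is an added example and not W3LL Panel code or Microsoft's protocol; the identity provider, the two host names, the one-time code and the HMAC that stands in for the authenticator's signature are all assumptions chosen for illustration.

```python
"""Model of the AiTM relay: an SMS/TOTP-style one-time code passes straight through
the proxy, an origin-bound (FIDO2/WebAuthn-style) assertion does not. Added example;
the IdP, the two host names, the OTP and the HMAC standing in for the authenticator's
signature are assumptions for illustration, not W3LL Panel or Microsoft code."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example-idp.test"        # assumed: the real identity provider
PHISH_ORIGIN = "https://login.example-idp-check.test"  # assumed: the attacker's reverse proxy


def _sign(key, client_data_json):
    # Real WebAuthn signs authData||SHA-256(clientDataJSON) with a per-credential ECDSA key;
    # a per-credential HMAC is the stand-in. What matters is that it covers clientDataJSON.
    return hmac.new(key, hashlib.sha256(client_data_json.encode()).digest(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Toy relying party for one user ("alice"): password + one-time code, or a WebAuthn-style assertion."""
    def __init__(self, authn_key=None):
        self.password, self.authn_key = "Winter2023!", authn_key
        self.otp, self.challenge, self.sessions = None, None, {}

    def _new_session(self):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = "alice"
        return cookie

    def issue_otp(self):
        self.otp = f"{secrets.randbelow(10**6):06d}"  # "sent" to the phone
        return self.otp

    def login_password_otp(self, password, otp):
        if password != self.password or otp is None or otp != self.otp:
            return None
        self.otp = None  # single use; the proxy forwards it inside its validity window anyway
        return self._new_session()

    def webauthn_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def login_webauthn(self, assertion):
        cd_json = assertion["clientDataJSON"]
        cd = json.loads(cd_json)
        # The browser recorded the origin it was really on; the RP accepts only its own.
        if cd.get("origin") != LEGIT_ORIGIN or cd.get("challenge") != self.challenge:
            return None
        # The signature covers clientDataJSON, so the origin cannot be rewritten in transit.
        if not hmac.compare_digest(_sign(self.authn_key, cd_json), assertion["signature"]):
            return None
        return self._new_session()


def browser_webauthn_get(origin, authn_key, challenge):
    """The victim's browser is the only party that knows the page's true origin."""
    cd_json = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                         sort_keys=True)
    return {"clientDataJSON": cd_json, "signature": _sign(authn_key, cd_json)}


class AitmProxy:
    """Reverse proxy at PHISH_ORIGIN: forwards whatever the victim submits and keeps the cookie."""
    def __init__(self, idp):
        self.idp, self.stolen_cookies = idp, []

    def relay_password_otp(self, password, otp):
        cookie = self.idp.login_password_otp(password, otp)
        if cookie:
            self.stolen_cookies.append(cookie)  # the "session token extraction" step
        return cookie

    def relay_webauthn(self, assertion, rewrite_origin=False):
        if rewrite_origin:  # what the proxy would have to do to pass the origin check
            cd = json.loads(assertion["clientDataJSON"])
            cd["origin"] = LEGIT_ORIGIN
            assertion = dict(assertion, clientDataJSON=json.dumps(cd, sort_keys=True))
        cookie = self.idp.login_webauthn(assertion)
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie


def otp_relay_succeeds():
    """Victim types password and code into the phish page; the proxy ends up with a live session."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    cookie = proxy.relay_password_otp("Winter2023!", idp.issue_otp())
    return cookie is not None and idp.sessions[cookie] == "alice" and cookie in proxy.stolen_cookies


def webauthn_relay_succeeds(rewrite_origin=False, victim_on=PHISH_ORIGIN):
    """Same relay against an origin-bound authenticator; victim_on=LEGIT_ORIGIN is the genuine sign-in."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider(authn_key=key)
    proxy = AitmProxy(idp)
    assertion = browser_webauthn_get(victim_on, key, idp.webauthn_challenge())  # challenge relayed by proxy
    return proxy.relay_webauthn(assertion, rewrite_origin) is not None
```

otp_relay_succeeds() returns True: nothing in a password or one-time code ties it to the page it was typed into, so the proxy only has to be fast. webauthn_relay_succeeds() returns False whether or not the proxy rewrites the origin field, because the origin is inside the signed clientDataJSON; the same call with victim_on=LEGIT_ORIGIN returns True, which is the genuine sign-in.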
API integration and automation: W3LL Panel integrates directly with Microsoft 365 APIs to manipulate the authentication flow and validates captured credentials in real time against the Microsoft backend. Because its source code is protected, the operators can ship custom API features that mass-market PhaaS kits do not offer.
Customization and configuration: operators can clone a target organization's logos, colors and styling, build phishing page templates that closely mimic the Microsoft 365 sign-in interface, and manage multiple concurrent campaigns from the backend.
Closed ecosystem model: access is private and limited to threat actors approved in the W3LL Store; a member's standing in the community determines access to premium features; dedicated servers and domains are not shared with untrusted actors; and premium members receive active operator support and tool maintenance.
How Does W3LL Panel Compare to Other Platforms?
Against Tycoon 2FA: W3LL Panel was a closed ecosystem of about 500 members with an estimated $500k in revenue between October 2022 and July 2023, whereas Tycoon 2FA is an open-market PhaaS with a much larger user base and was ranked the most active PhaaS platform in 2024-2025. Both offer AiTM with MFA bypass; W3LL's differentiator was its exclusive, premium positioning rather than its feature set.
Against EvilProxy: W3LL Panel was closed-access and focused on Microsoft 365, with a documented history starting in 2022; EvilProxy is open-access, supports multiple services, has operated for longer and has a higher public profile.
Against Greatness: W3LL Panel was a closed, premium-tier PhaaS with an estimated $500k in revenue and 500 members; Greatness is an open PhaaS priced around $120/month with a lower technical barrier and a higher volume of campaigns. W3LL operators were more selective and sophisticated, while Greatness users favour spray-and-pray volume.
Against Evilginx: Evilginx is an open-source AiTM framework that the operator sets up and hosts with no licensing or subscription; W3LL Panel was a fully managed commercial service with closed, vetted access and premium support.
Top PhaaS threat actors compared on 2023 activity:
- W3LL Panel: about 500 members, 56,000+ targets, 8,000+ compromised accounts, about $500k profit (October 2022 through July 2023)
- Tycoon 2FA: higher volume; ranked #1 in 2024-2025
- Dadsec: highest phishing volumes in 2023; since rebranded as Phoenix
- Greatness: lower-cost alternative with a higher volume of less sophisticated campaigns
Why Does W3LL Panel Matter?
Group-IB documented the operational period as October 2022 through July 2023. During that time the closed community comprised at least 500 threat actors, who targeted more than 56,000 corporate Microsoft 365 accounts across 10 countries, compromised at least 8,000 of them, and used more than 850 unique phishing websites.
Revenue and business model: the operation generated an estimated $500,000 USD in illicit profit over the same period. It ran as the closed marketplace W3LL Store with exclusive access, reputation-based member tiers in which premium members received priority features, and an affiliate model under which existing operators could sell W3LL Panel access to vetted threat actors.
Geographic targeting concentrated on the United States, the United Kingdom, Australia, Germany, Canada, France, the Netherlands, Switzerland and Italy. Industry targeting spanned manufacturing, IT and technology services, consulting, financial services, healthcare and legal services.
Competitive positioning: in 2023 W3LL Panel ranked among the most advanced phishing kits in its class. Its exclusive, premium positioning set it apart from open-market PhaaS offerings, yielded a higher average revenue per user than mass-market alternatives, and attracted a more sophisticated membership drawn by the advanced feature set.
What Are the Limitations of W3LL Panel?
The closed model reduces exposure but does not remove it:
- Operational visibility: a closed ecosystem still needs communication channels, payment rails and hosting, all of which law enforcement and researchers track.
- Reputation system: closed communities run on trust, so infiltration by law enforcement or competitors is a high-impact risk.
- Payment traceability: cryptocurrency payments for membership and campaign setup leave a trail open to blockchain analysis.
- Hosting infrastructure: servers and domains remain subject to ISP takedowns and domain seizures.
- API dependency: reliance on Microsoft 365 APIs means that API changes and hardening on Microsoft's side directly degrade effectiveness.
- Staffing and maintenance: supporting 500 members requires significant operational overhead and expertise.
- Member attrition: members are arrested, turned by law enforcement, or move to competing platforms.
- Legal pressure: the operation is a high-value target for law enforcement and intelligence agencies, including the FBI and Europol.
- Session token shelf-life: stolen session cookies and tokens expire, so members must act on them quickly.
How Can Organizations Defend Against W3LL Panel?
Detection and threat intelligence:
- Monitor known W3LL Panel phishing and C2 domains and IP ranges.
- Track compromised accounts and tie them back to W3LL Panel campaigns.
- Hunt for post-compromise artifacts in mailboxes: new inbox and forwarding rules, OAuth consent grants, and unusual access patterns. A sign-in that satisfied MFA from an IP the user has never used is the typical AiTM fingerprint, because the credentials reach Microsoft from the proxy, not from the victim's device.
- Subscribe to breach notifications and threat feeds that cover W3LL activity.
- Coordinate takedowns with law enforcement and hosting providers to remove phishing infrastructure.
Email and authentication security:
- Enforce SPF, DKIM and DMARC with an enforcing DMARC policy (p=reject), so spoofed senders are rejected rather than merely flagged.
- Deploy Microsoft Defender for Office 365 (formerly Office 365 ATP) for attachment and link protection.
- Use Safe Links URL rewriting so links are scanned and detonated at click time.
- Enforce phishing-resistant MFA. SMS codes, TOTP and push approvals can all be relayed through an AiTM proxy; FIDO2 hardware security keys and Windows Hello for Business bind the credential to the legitimate site's origin, so an assertion produced on a phishing domain is rejected by Microsoft.
- Move to passwordless sign-in methods that validate the service origin, for the same reason.
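The first item above is a configuration point, so here is an added checker for the weak SPF and DMARC settings that leave a domain spoofable. It is not from the page or any vendor; the TXT records are constructed for the example and the lookup function is a stand-in for a real DNS query.

```python
"""Check a domain's SPF and DMARC records for the weak settings that leave it
spoofable by a phishing kit. Added example, not from the page or any vendor;
DNS is replaced by a constructed table so it runs offline."""

# Constructed sample TXT records (assumption): one weak domain, one hardened, one with neither control.
DNS_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "hardened.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.hardened.example": [
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc@hardened.example; ruf=mailto:dmarc@hardened.example"
    ],
    "open.example": ["v=spf1 +all"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query (e.g. dnspython's resolver.resolve(name, 'TXT'))."""
    return DNS_TXT.get(name, [])


def parse_spf(records):
    """Return the SPF mechanism list, or None if the record is absent or duplicated
    (RFC 7208 treats more than one v=spf1 record as a permanent error)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0].split()[1:] if len(spf) == 1 else None


def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if the record is absent or duplicated."""
    dm = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dm) != 1:
        return None
    tags = {}
    for part in dm[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_domain(domain):
    """Return a list of findings; an empty list means SPF hard-fails and DMARC rejects."""
    findings = []
    spf = parse_spf(lookup_txt(domain))
    if spf is None:
        findings.append("SPF: record missing or duplicated")
    else:
        all_term = next((t for t in spf if t.lower().lstrip("+-~?") == "all"), None)
        qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
        if all_term is None:
            findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
        elif qualifier in "+?":
            findings.append(f"SPF: '{all_term}' lets any host pass or be neutral")
        elif qualifier == "~":
            findings.append("SPF: softfail (~all) is advisory only; use -all")
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))
    if dmarc is None:
        findings.append("DMARC: record missing; SPF/DKIM results are never enforced")
        return findings
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the traffic")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so no aggregate reports to detect abuse")
    if dmarc.get("adkim", "r").lower() != "s" or dmarc.get("aspf", "r").lower() != "s":
        findings.append("DMARC: relaxed alignment; any subdomain of the organisational domain aligns")
    return findings
```

assess_domain("hardened.example") returns no findings; "weak.example" gets three (softfail, p=none, relaxed alignment) and "open.example" two (+all and no DMARC at all). To run it against real domains, replace lookup_txt with an actual resolver and strip the surrounding quotes that TXT answers carry.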
Microsoft 365 hardening:
- Conditional Access policies that block or challenge sign-ins showing impossible travel, unusual locations or new devices. Because an AiTM sign-in arrives from the proxy's IP and device, not the user's, conditions that require a compliant or managed device are particularly effective against it.
- Microsoft's risk-based sign-in policies, so high-risk sign-ins are blocked or forced to re-authenticate.
- Aggressive session controls, such as a 30-minute sign-in frequency for sensitive accounts, so a stolen session cookie is useful only briefly.
- Monitor and restrict the creation of email forwarding rules, and block external auto-forwarding at the tenant level.
- OAuth consent governance: restrict user consent to applications, block risky consents, and audit existing permissions.
- Protect administrator accounts: dedicated admin accounts with phishing-resistant MFA and no email or internet access.
- Privileged access workstations: isolated devices for administrative access.
Incident response and forensics:
- Revoke all active sessions and refresh tokens for affected users and reset their credentials. A password change on its own does not invalidate access tokens or browser session cookies already issued, and a stolen session cookie is exactly what the AiTM proxy captured.
- Review mailbox access logs, inbox and forwarding rules, and OAuth grants; remove anything the user did not create.
- Check for lateral movement to other accounts or resources.
- Reconstruct the timeline to establish the scope and duration of the compromise.
- Report confirmed compromises to the FBI or local law enforcement.
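The detection, hardening and response items above share one pattern: a sign-in that satisfied MFA from an IP the user has never used, followed shortly by a mailbox rule or an OAuth consent. The added example below correlates those two signals. It is not from the page or from Microsoft; the sign-in and audit records are constructed and reduced to the fields the check needs (the real Entra ID sign-in and Exchange Online audit exports carry many more), and the baseline of known IPs is likewise made up.

```python
"""Correlate a Microsoft 365 sign-in from an unfamiliar IP with mailbox or consent
changes that follow it, the post-compromise pattern of AiTM session theft. Added
example, not from the page or Microsoft; records are constructed and reduced to the
fields the check needs, not the full Entra ID / Exchange Online export schema."""
from datetime import datetime, timedelta

# Constructed sample data (assumption). Real sources: Entra ID sign-in logs and the
# Exchange Online / Entra audit logs, exported as JSON.
SIGNINS = [
    {"time": "2023-06-12T08:01:00+00:00", "user": "alice@corp.example",
     "ip": "203.0.113.10", "status": "success", "mfa": "satisfied"},
    {"time": "2023-06-12T08:40:00+00:00", "user": "bob@corp.example",
     "ip": "198.51.100.7", "status": "success", "mfa": "satisfied"},
    {"time": "2023-06-12T11:15:00+00:00", "user": "carol@corp.example",
     "ip": "203.0.113.44", "status": "failure", "mfa": "not satisfied"},
]
AUDIT = [
    {"time": "2023-06-12T08:09:00+00:00", "user": "alice@corp.example", "ip": "203.0.113.77",
     "operation": "New-InboxRule",
     "parameters": {"Name": ".", "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"time": "2023-06-12T08:12:00+00:00", "user": "alice@corp.example", "ip": "203.0.113.77",
     "operation": "Consent to application",
     "parameters": {"AppDisplayName": "Mail Sync Helper", "Scopes": "Mail.ReadWrite offline_access"}},
    {"time": "2023-06-12T09:00:00+00:00", "user": "bob@corp.example", "ip": "198.51.100.7",
     "operation": "New-InboxRule",
     "parameters": {"Name": "Vendor invoices", "MoveToFolder": "Invoices"}},
]
# Baseline of IPs each user signed in from over the preceding weeks (constructed).
KNOWN_IPS = {"alice@corp.example": {"192.0.2.5"}, "bob@corp.example": {"198.51.100.7"}}

# Operations an attacker holding a stolen session typically performs first (assumed list).
POST_AUTH_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
                 "Consent to application", "Add OAuth2PermissionGrant"}


def correlate(signins, audit, known_ips, window=timedelta(minutes=60)):
    """Return one alert per successful sign-in from an unknown IP that is followed,
    within `window`, by a post-auth operation on the same account."""
    alerts = []
    for s in signins:
        if s["status"] != "success":
            continue
        if s["ip"] in known_ips.get(s["user"], set()):
            continue  # familiar IP: not an alert on its own
        t0 = datetime.fromisoformat(s["time"])
        follow = [a for a in audit
                  if a["user"] == s["user"] and a["operation"] in POST_AUTH_OPS
                  and t0 <= datetime.fromisoformat(a["time"]) <= t0 + window]
        if not follow:
            continue
        alerts.append({
            "user": s["user"],
            "signin_ip": s["ip"],                 # the proxy's IP, not the victim's
            "mfa": s["mfa"],                      # AiTM sign-ins show MFA as satisfied
            "action_ips": sorted({a["ip"] for a in follow}),  # often a different attacker host
            "evidence": [(a["operation"], a["parameters"]) for a in follow],
        })
    return alerts


def summarize(alert):
    """Analyst-facing one-liner ending with the containment steps from the text above."""
    ops = ", ".join(op for op, _ in alert["evidence"])
    return (f"{alert['user']}: MFA-{alert['mfa']} sign-in from new IP {alert['signin_ip']} "
            f"followed by {ops} from {', '.join(alert['action_ips'])}; "
            "revoke sessions, reset credentials, remove rules/consents, review mailbox access")
```

Only alice fires: her sign-in came from an IP outside her baseline and two post-auth operations followed within the hour, from yet another IP. Bob's rule creation from his usual address does not, and Carol's failed sign-in is ignored. The baseline is the weak point of any such rule; in production it should come from weeks of sign-in history per user, and the window should be tuned to how quickly stolen sessions are acted on in your tenant.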
FAQs
How dangerous is W3LL Panel if I don't interact with phishing?
The risk is organizational, not just individual. Group-IB's research shows W3LL Panel operators performing reconnaissance on company email addresses from LinkedIn, company websites and earlier breaches. If even one user submits credentials to a phishing page, the attacker gains full account access and can pivot through email forwarding rules, OAuth grants or lateral movement to higher-value accounts. Because W3LL Panel was a premium, closed product, its campaigns tended to be targeted rather than sprayed.
Why is W3LL Panel's $500,000 profit significant?
It shows that a single PhaaS operation can generate substantial revenue with only about 500 members and roughly 56,000 targeted accounts over some ten months. That profitability motivates other threat actors to launch competing platforms, and it gives a sense of scale: if one closed ecosystem earned $500k, the PhaaS market as a whole is plausibly worth millions.
If W3LL Panel's operational period was October 2022 through July 2023, is it still a threat today?
Probably. Group-IB documented this specific wave, but operators of closed-access PhaaS platforms rarely disappear: the group may have rebranded, moved to another platform, or merged with competitors such as Tycoon 2FA or Dadsec. The tactics and the style of infrastructure remain in active use across the PhaaS market; only the "W3LL Panel" name may have changed.