$500 Phishing Kits Demand a Cybersecurity Culture Shift


Last week, the FBI and Indonesia’s National Police dismantled the W3LL phishing network, arresting the alleged developer and seizing the platform’s infrastructure. It was a meaningful enforcement milestone: the first coordinated action between American and Indonesian authorities targeting a phishing kit developer. But the headline about the arrest misses the more important story. The W3LL operation had already served over 500 threat actors, targeted more than 17,000 victims in 2023 and 2024 alone, and generated more than $20 million in fraud attempts. All of this, with a toolkit that any criminal could purchase for $500.

What W3LL was, and why it was different

W3LL was not a crude phishing kit. It was a full-service cybercrime platform built specifically to defeat the defences that most organisations rely on. The kit targeted Microsoft 365 corporate accounts using adversary-in-the-middle techniques: rather than simply stealing passwords, it captured authentication session tokens, allowing attackers to bypass multi-factor authentication entirely. Between October 2022 and July 2023 alone, W3LL compromised more than 56,000 corporate Microsoft 365 accounts across North America, Europe, and Australia.

The platform included 16 dedicated business email compromise tools, allowing threat actors to monitor compromised inboxes, create inbox rules to hide alerts, impersonate employees, and redirect payments through invoice fraud. The W3LLSTORE marketplace sold more than 25,000 compromised accounts between 2019 and 2023. When the storefront closed, the operation simply migrated to encrypted messaging platforms where the toolkit was rebranded and continued to sell.

That last detail is worth sitting with. A single developer, earning approximately $500,000 over ten months, built infrastructure sophisticated enough to outlast its own marketplace closure. The real lesson for Canadian organisations is not that one threat actor has been stopped. It is that the barriers to deploying professional-grade phishing attacks are now essentially zero for anyone motivated enough to spend $500.

Why multi-factor authentication is not enough on its own

Security teams have spent years pushing MFA as the antidote to credential theft. It is a meaningful control, and organisations without it are genuinely more exposed. But W3LL demonstrates what a determined, technically competent threat actor can do against MFA-enabled environments: capture the session token that exists after authentication, rather than the credentials themselves. The employee completes MFA normally. The attacker walks in behind them.

This is not a fringe capability. It is a documented feature of a $500 commercial toolkit that was available to hundreds of buyers. Organisations that have checked “MFA enabled” off their security checklist and moved on are operating on a threat model that no longer reflects reality. The gap between deploying a technical control and building genuine resilience runs directly through the human layer of defence, which technology alone cannot provide: whether employees recognise when something is wrong, report it quickly, and understand that attacks do not always announce themselves with obvious red flags.

In our work running phishing simulations across Canadian organisations, we consistently see click rates that drop fast in the first quarter of a program and then plateau. The plateau is where most programs fail, because the easy gains are gone and the hard work of behaviour change begins. A credential-harvesting page that perfectly replicates a Microsoft 365 login, served by a kit that costs less than a monthly mobile plan, is not the kind of threat that click-rate training is designed to defeat. What defeats it is a workforce that notices the unexpected, questions the slightly-wrong, and reports without hesitation.

Building the cybersecurity culture that technology cannot replace

The W3LL story is a useful framing for a conversation that security leaders in Canadian organisations often find difficult to have with their leadership: technology controls and cybersecurity culture are not substitutes for each other. They operate at different layers of the threat surface. MFA, email filtering, and endpoint detection address the technical layer. Security culture addresses the human layer, the one that W3LL was specifically engineered to exploit.

Building that culture means moving past annual click-through training and into something continuous, contextualised, and reinforced by realistic practice. Organisations that want to build genuine resilience against credential-harvesting attacks should be running realistic phishing simulations that put employees face-to-face with credential-harvesting pages, not just generic email lures, and then using those results to drive targeted coaching rather than compliance reports.

It also means measuring the right things. Click rates matter, but reporting rates matter more. An employee who recognises a W3LL-style fake login page and reports it immediately gives the security team the signal it needs to act before the session token is used. That reporting behaviour is the output of culture, not configuration. It comes from consistent reinforcement over time, from exercises that build the habit of suspicion and the reflex to report.

One thing your organisation can do this week

Review the last six months of your phishing simulation results and look specifically at the reporting rate, not just the click rate. If your team is clicking less but reporting at the same rate, you have reduced one symptom without addressing the underlying culture gap. That gap is what adversaries with $500 and a phishing kit are counting on.
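As an added example (not from the original article), the following script scores six months of simulation results by reporting rate as well as click rate and flags the pattern described above, where clicks fall but reporting stays flat. The data set, the `Campaign` record and the 25%/20% thresholds are constructed assumptions for illustration.

```python
# Added example: assess phishing-simulation results by reporting rate, not only click rate.
from dataclasses import dataclass

@dataclass
class Campaign:
    month: str
    sent: int
    clicked: int
    reported: int  # recipients who reported the lure, whether or not they also clicked

# Constructed six months of results: clicks fall steadily, reporting barely moves.
CAMPAIGNS = [
    Campaign("2024-01", 400, 88, 40),
    Campaign("2024-02", 400, 64, 44),
    Campaign("2024-03", 400, 48, 44),
    Campaign("2024-04", 400, 36, 48),
    Campaign("2024-05", 400, 32, 44),
    Campaign("2024-06", 400, 28, 48),
]

def average_rates(campaigns):
    """Return (click_rate, report_rate) pooled over the given campaigns."""
    sent = sum(c.sent for c in campaigns)
    clicked = sum(c.clicked for c in campaigns)
    reported = sum(c.reported for c in campaigns)
    return clicked / sent, reported / sent

def assess(campaigns, min_click_drop=0.25, min_report_gain=0.20):
    """Compare the first half of the window with the second half (assumed thresholds).
    'culture_gap': clicks dropped by min_click_drop or more but reporting did not
    rise by min_report_gain; 'improving': reporting rose; 'flat': neither moved."""
    half = len(campaigns) // 2
    early_click, early_report = average_rates(campaigns[:half])
    late_click, late_report = average_rates(campaigns[half:])
    click_drop = (early_click - late_click) / early_click if early_click else 0.0
    report_gain = (late_report - early_report) / early_report if early_report else 0.0
    if click_drop >= min_click_drop and report_gain < min_report_gain:
        return "culture_gap"
    if report_gain >= min_report_gain:
        return "improving"
    return "flat"

if __name__ == "__main__":
    for c in CAMPAIGNS:
        print(c.month, f"click {c.clicked / c.sent:.1%}", f"report {c.reported / c.sent:.1%}")
    print("assessment:", assess(CAMPAIGNS))  # culture_gap for the constructed data
```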
