bleepingcomputer.com
By Bill Toulas
December 19, 2025
The Nigerian police have arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing-as-a-service.
The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide.
The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI.
The authorities identified individuals who administered the phishing toolkit ‘Raccoon0365,’ which automated the creation of fake Microsoft login pages for credential theft.
The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September.
It is unclear if the disruption operation helped identify those behind Raccoon0365 in Nigeria.
BleepingComputer contacted Microsoft for clarifications but a comment wasn't immediately available.
“Acting on precise and actionable intelligence, NPF–NCCC operatives were deployed to Lagos and Edo States, leading to the arrest of three suspects,” reads the police’s announcement.
“Search operations conducted at their residences resulted in the recovery of laptops, mobile devices, and other digital equipment, which have been linked to the fraudulent scheme after forensic analysis.”
One of the arrested suspects is an individual named Okitipi Samuel, also known online as “RaccoonO365” and “Moses Felix,” whom the police believe is the developer of the phishing platform.
Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials.
The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months.
Cloudflare estimates that the service is used primarily by Russia-based cybercriminals.
Regarding the other two arrested individuals, the police stated they have no evidence linking them to the Raccoon0365 operation or creation.
The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.
bleepingcomputer.com
Microsoft and Cloudflare have disrupted a massive Phishing-as-a-Service (PhaaS) operation, known as RaccoonO365, that helped cybercriminals steal thousands of Microsoft 365 credentials.
In early September 2025, in coordination with Cloudflare's Cloudforce One and Trust and Safety teams, Microsoft's Digital Crimes Unit (DCU) disrupted the cybercrime operation by seizing 338 websites and Worker accounts linked to RaccoonO365.
The cybercrime group behind this service (also tracked by Microsoft as Storm-2246) has stolen at least 5,000 Microsoft credentials from 94 countries since at least July 2024, using RaccoonO365 phishing kits that bundled CAPTCHA pages and anti-bot techniques to appear legitimate and evade analysis.
For instance, a large-scale RaccoonO365 tax-themed phishing campaign targeted over 2,300 organizations in the United States in April 2025, but these phishing kits have also been deployed in attacks against more than 20 U.S. healthcare organizations.
The credentials, cookies, and other data stolen from victims' OneDrive, SharePoint, and email accounts were later employed in financial fraud attempts, extortion attacks, or as initial access to other victims' systems.
"This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals," said Steven Masada, Assistant General Counsel for Microsoft's Digital Crimes Unit.
"In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients."
RaccoonO365 has been renting subscription-based phishing kits through a private Telegram channel, which had over 840 members as of August 25, 2025. The prices ranged from $355 for a 30-day plan to $999 for a 90-day subscription, all paid in USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC) cryptocurrency.
Microsoft estimated that the group has received at least $100,000 in cryptocurrency payments so far, suggesting there are approximately 100 to 200 subscriptions; however, the actual number of subscriptions sold is likely much higher.
During its investigation, the Microsoft DCU also found that the leader of RaccoonO365 is Joshua Ogundipe, who lives in Nigeria.
Cloudflare also believes that RaccoonO365 also collaborates with Russian-speaking cybercriminals, given the use of Russian in its Telegram bot's name.
"Based on Microsoft's analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code," Masada added.
"An operational security lapse by the threat actors in which they inadvertently revealed a secret cryptocurrency wallet helped the DCU's attribution and understanding of their operations. A criminal referral for Ogundipe has been sent to international law enforcement."
In May, Microsoft also seized 2,300 domains in a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer.
Research into a global phishing-as-a-service operation will take you through:
Hundreds of thousands of victims spanning the globe
A glimpse into the lifestyle of the operators
Technical insight into the phishing toolkit
The backend of a phishing threat actor operating at scale
The scam industry has seen explosive growth over the past several years. The types of scams and methods used are constantly evolving as scammers adapt their techniques to continue their activities. They often capitalise on new technologies and target areas where our societies have yet to build mechanisms to protect themselves.
This story begins in December 2023 when people all over the world – including a large portion of the Norwegian population - started to receive text messages about packages waiting for them at the post office. The messages would come in the form of an SMS, iMessage or RCS message. What we were witnessing was the rise of a scam technique known as smishing or SMS phishing.
Such messages have one thing in common: they impersonate a brand that we trust to create a credible context for soliciting some kind of personal information, thus tricking us into willfully giving away our information.
Some scams are easier to spot than others. Spelling errors, poor translations, strange numbers or links to sketchy domains often give them away. But even tell-tale signs can be easy to miss on a busy day. When a large number of people are targeted, some will be expecting a package. And the tactic is obviously working. If it wasn’t worth their while, the scammers wouldn’t have invested so much time, money and effort.
Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting in the arrest of 37 suspects. This includes the arrest of 4 individuals in the United Kingdom linked to the running of the site, including the original developer of the service.The LabHost platform, previously available on the open web, has been...
A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar
Discover Mamba 2FA, a previously unknown adversary-in-the-middle (AiTM) phishing kit and sold as phishing-as-a-service (PhaaS).
On Thursday, April 18, 2024, the UK’s Metropolitan Police Service, along with fellow UK and international law enforcement, as well as several trusted private industry partners, conducted an operation that succeeded in taking down the Phishing-as-a-Service (PhaaS) provider LabHost. This move was also timed to coincide with a number of key arrests related to this operation. In this entry, we will briefly explain what LabHost was, how it affected its victims, and the impact of this law enforcement operation — including the assistance provided by Trend Micro.
Chinese-language Phishing-as-a-Service platform ‘darcula’ targets organizations in 100+ countries with sophisticated techniques using more than 20,000 phish ...
A joint operation between Interpol and cybersecurity firms has led to an arrest and shutdown of the notorious 16shop phishing-as-a-service (PhaaS) platform.
Bad actors are using a shared Phishing-as-a-Service platform called “Caffeine”.
Following the recent Twilio hack leading to the leakage of 2FA (OTP) codes, cybercriminals continue to upgrade their attack arsenal to orchestrate advanced phishing campaigns targeting users worldwide. Resecurity has recently identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised in the Dark Web. On some sources the alternative name is Moloch, which has some connection to a phishing-kit developed by several notable underground actors who targeted the financial institutions and e-commerce sector before.
