RaccoonO365 Phishing Developer Arrested in Nigeria Linked to Microsoft 365 Attacks
“A RaccoonO365 phishing developer linked to Microsoft 365 attacks has been arrested in Nigeria.”
Nigerian authorities have arrested three “high-profile internet fraud suspects” accused of participating in phishing attacks against large organizations, including the primary developer of the RaccoonO365 phishing-as-a-service (PhaaS) scheme.
Nigeria Police Force National Cybercrime Centre (NPF–NCCC)
Okitipi Samuel, also known as Moses Felix, was identified as the main suspect and creator of the phishing infrastructure following investigations carried out in cooperation with Microsoft and the Federal Bureau of Investigation (FBI).
“According to investigations, he ran a Telegram channel where phishing URLs were sold for cryptocurrencies and used stolen or fraudulently obtained email credentials to host bogus Cloudflare login pages.”
Fraudulent Microsoft login portals were created utilizing RaccoonO365 with the intention of obtaining user credentials and using them to obtain unauthorized access to corporate, financial, and educational email platforms.
Between January and September 2025, several instances of unauthorized access to Microsoft 365 accounts were discovered by the joint investigation. These events were caused by phishing emails that were designed to look like real Microsoft authentication sites.
These actions resulted in data breaches, compromised company emails, and monetary losses in several nations.
Additionally, laptops, mobile devices, and other digital equipment connected to the operation were seized following search operations at their homes. According to the NPF, the two other people who were arrested had nothing to do with the development or running of the PhaaS service.

RaccoonO365 is the name of a financially motivated threat group behind a PhaaS toolkit that lets malicious actors carry out credential harvesting attacks by providing phishing sites that imitate Microsoft 365 login pages. Microsoft tracks the threat actor under the name Storm-2246.
Microsoft said in September 2025 that it collaborated with Cloudflare to seize 338 domains that RaccoonO365 was using. The phishing infrastructure linked to the toolkit is thought to have been used to steal at least 5,000 Microsoft credentials from 94 countries since July 2024.
Joshua Ogundipe and four other John Does are accused of hosting a cybercrime operation by “selling, distributing, purchasing, and implementing” the phishing kit to enable sophisticated spear-phishing and siphon sensitive information, according to a civil lawsuit filed by Microsoft and Health-ISAC in September.
The stolen information is subsequently used to perpetrate other cybercrimes, such as financial theft, ransomware attacks, business email compromise, and intellectual property violations.
The development coincides with Google filing a lawsuit against the operators of the Darcula PhaaS service, naming Yucheng Chang, a Chinese national, as the group’s leader along with 24 other members. The company is seeking a court order to take control of the group’s server infrastructure, which has been the source of a significant smishing wave impersonating US federal agencies.
According to an investigation by the Norwegian Broadcasting Corporation (NRK) and cybersecurity firm Mnemonic, Darcula and accomplices are thought to have stolen approximately 900,000 credit card details, including nearly 40,000 from Americans. The Chinese-language phishing kit first surfaced in July 2023.
On December 17, 2025, NBC News broke the news of the case. This comes just over a month after Google filed a lawsuit against Chinese hackers connected to another PhaaS provider called Lighthouse, which is thought to have affected more than a million customers in 120 countries.
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking.