Nigerian Authorities Arrest RaccoonO365 Phishing Developer Behind Microsoft 365 Attacks
In a significant crackdown on cybercrime, Nigerian law enforcement has apprehended three individuals implicated in sophisticated phishing schemes targeting major corporations. Among those arrested is Okitipi Samuel, also known as Moses Felix, identified as the primary developer of the RaccoonO365 phishing-as-a-service (PhaaS) platform.
The Nigeria Police Force National Cybercrime Centre (NPF–NCCC), in collaboration with Microsoft and the Federal Bureau of Investigation (FBI), spearheaded the investigation leading to these arrests. According to the NPF, Samuel operated a Telegram channel where he sold phishing links in exchange for cryptocurrency. He also hosted fraudulent login portals on Cloudflare, utilizing stolen or fraudulently obtained email credentials to deceive unsuspecting users.
During the operation, authorities seized laptops, mobile devices, and other digital equipment linked to the illicit activities. The two other individuals arrested are not believed to be directly involved in the creation or operation of the PhaaS service but are under investigation for related offenses.
RaccoonO365 is a notorious PhaaS toolkit that enables cybercriminals to conduct credential harvesting attacks by deploying phishing pages that mimic Microsoft 365 login interfaces. Microsoft tracks the threat actor behind it under the moniker Storm-2246. In September 2025, Microsoft, in partnership with Cloudflare, seized 338 domains associated with RaccoonO365. This infrastructure is estimated to have facilitated the theft of at least 5,000 Microsoft credentials from 94 countries since July 2024.
The NPF detailed that RaccoonO365 was instrumental in setting up fraudulent Microsoft login portals designed to steal user credentials. These stolen credentials were then used to unlawfully access email platforms of corporate, financial, and educational institutions. The joint investigation uncovered multiple incidents of unauthorized Microsoft 365 account access between January and September 2025. These breaches originated from phishing messages crafted to resemble legitimate Microsoft authentication pages, leading to business email compromises, data breaches, and significant financial losses across various jurisdictions.
In a related development, Microsoft and Health-ISAC filed a civil lawsuit in September against individuals, including Joshua Ogundipe and four unidentified defendants. The lawsuit alleges that these individuals operated a cybercriminal enterprise by selling, distributing, purchasing, and implementing the phishing kit to facilitate sophisticated spear-phishing attacks and siphon sensitive information. The stolen data was reportedly used to fuel further cybercrimes, including business email compromise, financial fraud, ransomware attacks, and intellectual property violations.
This arrest underscores the growing threat posed by PhaaS platforms, which lower the barrier to entry for cybercriminals by providing ready-made phishing tools. The collaborative efforts between law enforcement agencies and private sector partners like Microsoft and Cloudflare highlight the importance of joint initiatives in combating cybercrime. These partnerships are crucial in dismantling complex cybercriminal networks and preventing further exploitation of individuals and organizations worldwide.
The case also brings to light the evolving nature of cyber threats and the need for continuous vigilance. As cybercriminals develop more sophisticated methods, it is imperative for organizations to implement robust cybersecurity measures, conduct regular security audits, and educate employees about the dangers of phishing attacks. Awareness and proactive defense strategies are key components in mitigating the risks associated with such cyber threats.
Furthermore, this development comes amid a broader crackdown on phishing-as-a-service operations. In a parallel action, Google filed a lawsuit against the operators of the Darcula PhaaS service, naming Chinese national Yucheng Chang as the group’s leader along with 24 other members. The lawsuit seeks a court order to seize the group’s server infrastructure, which has been implicated in a massive smishing campaign impersonating U.S. government entities. According to investigations, Darcula and its associates have stolen nearly 900,000 credit card numbers, including nearly 40,000 from Americans, since its emergence in July 2023.
These coordinated efforts by global law enforcement and technology companies signify a robust stance against the proliferation of phishing-as-a-service platforms. By targeting the developers and operators of these services, authorities aim to disrupt the supply chain of cybercrime tools, thereby reducing the incidence of phishing attacks and enhancing the overall security of digital ecosystems.
In conclusion, the arrest of Okitipi Samuel and his associates marks a significant victory in the fight against cybercrime. It serves as a reminder of the persistent threats posed by phishing schemes and the importance of collaborative efforts in safeguarding digital assets. Organizations and individuals alike must remain vigilant, adopt comprehensive security measures, and stay informed about emerging cyber threats to protect themselves in an increasingly digital world.