
Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks - The Hacker News

The Hacker News · Archived Apr 06, 2026



Ravie Lakshmanan · Dec 19, 2025 · Cybercrime / Law Enforcement

Authorities in Nigeria have announced the arrest of three "high-profile internet fraud suspects" who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme.

The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) said investigations conducted in collaboration with Microsoft and the Federal Bureau of Investigation (FBI) led to the identification of Okitipi Samuel, also known as Moses Felix, as the principal suspect and developer of the phishing infrastructure.

"Investigations reveal that he operated a Telegram channel through which phishing links were sold in exchange for cryptocurrency and hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials," the NPF said in a post shared on social media.

In addition, laptops, mobile devices, and other digital equipment linked to the operation have been seized following search operations conducted at their residences. The two other arrested individuals have no connection to the creation or operation of the PhaaS service, per the NPF. The arrests were carried out following raids in Lagos and Edo states.

RaccoonO365 is the name assigned to a financially motivated threat group behind a PhaaS toolkit that enables bad actors to conduct credential harvesting attacks by serving phishing pages mimicking Microsoft 365 login pages. Microsoft is tracking the threat actor under the moniker Storm-2246.

Back in September 2025, the tech giant said it worked with Cloudflare to seize 338 domains used by RaccoonO365. The phishing infrastructure attributed to the toolkit is estimated to have led to the theft of at least 5,000 Microsoft credentials from 94 countries since July 2024.

The NPF said RaccoonO365 was used to set up fraudulent Microsoft login portals aimed at stealing user credentials and using them to gain unlawful access to the email platforms of corporate, financial, and educational institutions.

The joint probe has uncovered multiple incidents of unauthorized Microsoft 365 account access between January and September 2025 that originated from phishing messages crafted to mimic legitimate Microsoft authentication pages. These activities led to business email compromise, data breaches, and financial losses across multiple jurisdictions, the NPF added.

A civil lawsuit filed by Microsoft and Health-ISAC in September has accused defendants Joshua Ogundipe and four other John Does of hosting a cybercriminal operation by "selling, distributing, purchasing, and implementing" the phishing kit to facilitate sophisticated spear-phishing and siphon sensitive information.

The stolen data is then used to fuel more cybercrimes, including business email compromise, financial fraud, and ransomware attacks, as well as commit intellectual property violations, the lawsuit alleged.

The lawsuit also identified Ogundipe as the mastermind behind the operation. His present whereabouts are unclear. When reached for comment, a Microsoft spokesperson told The Hacker News that investigations are ongoing.

The development comes as Google filed a lawsuit against the operators of the Darcula PhaaS service, naming Chinese national Yucheng Chang as the group's leader along with 24 other members. The company is seeking a court order to seize the group's server infrastructure that has been behind a massive smishing wave impersonating U.S. government entities.

Darcula and associates are estimated to have stolen nearly 900,000 credit card numbers, including nearly 40,000 from Americans, according to an investigation from the Norwegian Broadcasting Corporation (NRK) and cybersecurity company Mnemonic. The Chinese-language phishing kit first emerged in July 2023.

News of the lawsuit was first reported by NBC News on December 17, 2025.

The development comes a little over a month after Google also sued China-based hackers associated with another PhaaS service known as Lighthouse that's believed to have impacted over 1 million users across 120 countries.