Nigeria Arrests RaccoonO365 Phishing Developer in Global Crackdown on Microsoft 365 Attacks

by CBIA Team
CBIA thanks Tima Miroshnichenko for the photo

Nigerian authorities have dismantled a sophisticated phishing operation with the arrest of three suspects, including the principal developer behind the RaccoonO365 phishing-as-a-service platform that has compromised thousands of Microsoft 365 accounts worldwide. The operation, which stretched across multiple continents, exemplifies the growing challenge of transnational cybercrime and the coordinated law enforcement response required to combat it.

The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) identified Okitipi Samuel, operating under the alias Moses Felix, as the mastermind who developed and maintained the phishing infrastructure that enabled criminals to harvest corporate credentials at scale. The arrests, conducted in Lagos and Edo states, resulted from a joint investigation with Microsoft and the Federal Bureau of Investigation.

Background and Context

The RaccoonO365 scheme represents a disturbing evolution in cybercrime, moving beyond individual hacking efforts to a service-based model that lowers the technical barriers for criminal actors. Tracked by Microsoft as Storm-2246, the operation leveraged Cloudflare's infrastructure to host fraudulent login pages that convincingly mimicked Microsoft 365 authentication portals, according to Microsoft's security researchers.

Between July 2024 and September 2025, the phishing infrastructure is estimated to have compromised at least 5,000 Microsoft credentials across 94 countries, targeting corporate, financial, and educational institutions. The sheer scale of the operation highlights how modern cybercrime has become industrialized, with specialized developers creating tools that enable widespread fraud.

Key Figures and Entities

According to official statements from the NPF–NCCC, Okitipi Samuel operated a Telegram channel where he sold phishing links in exchange for cryptocurrency, creating a business model around criminal infrastructure. The investigation revealed that Samuel and his associates used stolen or fraudulently obtained email credentials to maintain their operation, demonstrating the recursive nature of credential theft in modern cybercrime.

Two other individuals were arrested in connection with the case, though authorities have stated they had no involvement in creating or operating the PhaaS service. Meanwhile, a civil lawsuit filed by Microsoft and the Health-ISAC in September 2025 names Joshua Ogundipe as the alleged mastermind of a related operation, though his current whereabouts remain unknown, according to court documents reviewed by investigators.

The RaccoonO365 operation exemplified how modern cybercriminals exploit legitimate services and infrastructure for illicit purposes. According to law enforcement findings, the operation hosted fraudulent login pages on Cloudflare using compromised credentials, effectively laundering criminal activity through legitimate web services. This method of operation complicates detection and enforcement, as malicious content becomes interwoven with legitimate internet traffic.

Financial flows were conducted through cryptocurrency transactions, providing anonymity and making the tracing of proceeds challenging for investigators. The civil lawsuit against Ogundipe and others alleges that the stolen data was used to fuel additional criminal activities, including business email compromise, financial fraud, and ransomware attacks, creating a multiplier effect from the initial credential theft.

International Implications and Policy Response

The RaccoonO365 case occurs alongside broader enforcement actions against PhaaS operations globally. Google has filed lawsuits against operators of the Darcula PhaaS service, naming Chinese national Yucheng Chang as the group's leader, and has also taken action against China-based hackers associated with the Lighthouse PhaaS service, which reportedly impacted over 1 million users across 120 countries.

These coordinated actions reflect a growing recognition among technology companies and law enforcement agencies that PhaaS platforms represent a systemic threat to digital security. The involvement of international partners like the FBI demonstrates the necessity of cross-border cooperation in combating cybercrime that transcends national boundaries. However, the continued emergence of similar services highlights the ongoing challenges in disrupting criminal business models that can quickly adapt to enforcement actions.

Sources

This report draws on statements from the Nigeria Police Force National Cybercrime Centre, Microsoft security reports, and civil court filings from the September 2025 lawsuit filed by Microsoft and Health-ISAC. Additional context was provided by law enforcement documents and cybersecurity industry analysis of PhaaS operations between 2024 and 2025.
