Authorities in Nigeria have announced the arrest of three individuals accused of involvement in extensive phishing attacks targeting major corporations. The operation, which disrupted the RaccoonO365 phishing-as-a-service (PhaaS) scheme, marks a significant success for law enforcement in combating online fraud.
The Nigeria Police Force National Cybercrime Centre (NPF–NCCC), in collaboration with Microsoft and the Federal Bureau of Investigation (FBI), identified Okitipi Samuel, also known as Moses Felix, as the primary suspect. Samuel is alleged to have developed the phishing infrastructure and operated a Telegram channel for selling phishing links in exchange for cryptocurrency.
Nigerian Authorities Disrupt RaccoonO365 Phishing Network
The NPF–NCCC stated that Samuel hosted fraudulent login portals on Cloudflare, utilizing stolen or fraudulently obtained email credentials. The arrests followed search operations at the suspects’ residences, where laptops, mobile devices, and other digital equipment were seized. The NPF clarified that the two other individuals arrested were not involved in the creation or operation of the RaccoonO365 PhaaS service itself.
RaccoonO365, recognized by Microsoft as Storm-2246, is a financially motivated threat group known for its phishing-as-a-service toolkit. This toolkit allows cybercriminals to conduct credential harvesting by deploying phishing pages that closely mimic legitimate Microsoft 365 login pages. In September 2025, Microsoft and Cloudflare collaborated to seize 338 domains linked to RaccoonO365. The infrastructure is estimated to have compromised at least 5,000 Microsoft credentials from 94 countries since July 2024.
Investigations revealed that the RaccoonO365 infrastructure was used to establish fake Microsoft login portals. The objective was to steal user credentials and gain unauthorized access to email platforms within corporate, financial, and educational institutions. The joint probe uncovered numerous instances of unauthorized Microsoft 365 account access between January and September 2025, originating from phishing messages designed to appear as legitimate Microsoft authentication pages.
According to the NPF, these malicious activities resulted in significant consequences, including business email compromise (BEC) schemes, data breaches, and substantial financial losses across various jurisdictions. The stolen information is exploited to facilitate further cybercrimes, such as identity theft and financial fraud.
Civil Litigation and Broader PhaaS Crackdown
In September, Microsoft and the Health-ISAC initiated a civil lawsuit against Joshua Ogundipe and four unidentified individuals. The lawsuit accuses the defendants of operating a cybercriminal enterprise by selling, distributing, purchasing, and implementing the RaccoonO365 phishing kit to enable sophisticated spear-phishing campaigns and the exfiltration of sensitive information. Such stolen data fuels further criminal activities, including ransomware attacks and intellectual property violations.
This development occurs amidst broader efforts to dismantle PhaaS operations. Google recently filed a lawsuit against the operators of the Darcula PhaaS service, identifying Chinese national Yucheng Chang as a key leader along with 24 other alleged members. Google is seeking a court order to seize the group’s server infrastructure, which has been implicated in widespread smishing campaigns impersonating U.S. government entities. News of this lawsuit emerged on December 17, 2025, following a similar legal action by Google in October against China-based hackers associated with the Lighthouse PhaaS service, which reportedly affected over a million users globally.
The NPF’s announcement signals continued international cooperation in targeting cybercrime syndicates. The full extent of the recovered data and the identities of all individuals involved in the RaccoonO365 operation remain under investigation. Future developments will likely focus on the prosecution of those arrested and the ongoing efforts to dismantle similar phishing-as-a-service operations globally.

