
Nigerian authorities announced the arrest of three “prominent internet fraud suspects” for alleged involvement in phishing attacks targeting major companies, including the main developer of the RaccoonO365 phishing-as-a-service (PhaaS) scheme.
The Nigeria Police National Cyber Crime Center (NPF-NCCC) said an investigation conducted in collaboration with Microsoft and the Federal Bureau of Investigation (FBI) identified Okitipi Samuel, also known as Moses Felix, as the main suspect and developer of the phishing infrastructure.
“The investigation revealed that he operated a Telegram channel selling phishing links in exchange for cryptocurrency and hosted a fraudulent login portal on Cloudflare using stolen or fraudulently obtained email credentials,” NPF said in a post shared on social media.
Additionally, search operations conducted at their residences resulted in the seizure of laptops, mobile devices, and other digital equipment related to the operation. According to the NPF, the other two arrested individuals had no connection to the creation or operation of the PhaaS service.

RaccoonO365 is the name assigned to the financially motivated threat group behind the PhaaS toolkit, which allows attackers to conduct credential harvesting attacks by providing a phishing page that mimics the Microsoft 365 login page. Microsoft tracks this threat actor under the name Storm-2246.
Back in September 2025, the tech giant announced that it had worked with Cloudflare to seize 338 domains used by RaccoonO365. Phishing infrastructure attributed to this toolkit is estimated to have stolen at least 5,000 Microsoft credentials from 94 countries since July 2024.
NPF said RaccoonO365 was used to set up fraudulent Microsoft login portals to steal user credentials and gain unauthorized access to email platforms of businesses, financial institutions, and educational institutions. A joint investigation revealed multiple incidents of unauthorized access to Microsoft 365 accounts from January to September 2025 resulting from phishing messages crafted to mimic legitimate Microsoft authentication pages.
These activities resulted in business email compromises, data breaches, and financial losses across multiple jurisdictions, NPF added.
A civil lawsuit filed in September by Microsoft and Health-ISAC accuses defendant Joshua Ogundipe and four other John Does of hosting a cybercrime operation by “selling, distributing, purchasing, and implementing” phishing kits that facilitate sophisticated spear phishing and the exfiltration of sensitive information.
The stolen data is used to facilitate further cybercrime such as business email compromise, financial fraud, ransomware attacks, and even intellectual property infringement.

The development comes after Google filed a lawsuit against the operators of the Darcula PhaaS service and named Chinese national Yucheng Chang as the group’s leader, along with 24 other members. The company is seeking a court order to seize the group’s server infrastructure, which is behind a massive smishing wave masquerading as a U.S. government agency.
News of the lawsuit was first reported by NBC News on December 17, 2025. The development comes more than a month after Google sued China-based hackers associated with another PhaaS service known as Lighthouse, which allegedly affected more than 1 million users in 120 countries.
