
Nigerian authorities have arrested three “high-profile internet fraud suspects” on suspicion of participating in phishing attacks against large organisations, among them the primary creator of the RaccoonO365 phishing-as-a-service (PhaaS) scheme.
Investigations carried out in cooperation with Microsoft and the Federal Bureau of Investigation (FBI) identified Okitipi Samuel, also known as Moses Felix, as the main suspect and creator of the phishing infrastructure, according to the Nigeria Police Force National Cybercrime Centre (NPF–NCCC).
The NPF stated in an announcement posted on social media that investigations revealed he operated a Telegram channel through which phishing links were sold in exchange for cryptocurrency, and that he hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials.
Authorities also confiscated laptops, mobile phones, and other digital devices tied to the operation during searches of the suspects' homes. According to the NPF, the two other suspects arrested are not linked to the development or running of the PhaaS service.
RaccoonO365 is the name of a financially motivated threat group behind a PhaaS toolkit that allows malicious actors to carry out credential harvesting attacks by providing phishing sites that imitate Microsoft 365 login pages. Microsoft tracks the threat actor under the name Storm-2246.
The tech giant said in September 2025 that it collaborated with Cloudflare to take control of 338 domains used by RaccoonO365. Since July 2024, at least 5,000 Microsoft login credentials from 94 countries have reportedly been stolen using the phishing infrastructure linked to the toolkit.
The NPF stated that RaccoonO365 was deployed to create fake Microsoft login pages designed to harvest user credentials, which were then used to illegally access email systems belonging to corporate, financial, and educational organizations. The joint investigation identified numerous cases of unauthorized Microsoft 365 account access between January and September 2025, traced back to phishing emails that imitated genuine Microsoft authentication pages.
The NPF said that these actions resulted in financial losses in several jurisdictions, data breaches, and business email compromise.
Joshua Ogundipe and four other John Does are accused in a civil lawsuit filed by Microsoft and Health-ISAC in September of hosting a cybercrime operation by “selling, distributing, purchasing, and implementing” the phishing kit to enable sophisticated spear-phishing and steal confidential data.
The stolen information is subsequently used to commit additional cybercrimes, such as financial theft, ransomware attacks, business email compromise, and intellectual property infringement.
This comes as Google filed a complaint against the operators of the Darcula PhaaS service, naming Yucheng Chang, a Chinese national, and 24 other individuals as the group’s leaders.
The company is requesting a court order to take control of the group’s server infrastructure, which has been responsible for a significant smishing wave that has impersonated US federal agencies.
According to an investigation by the Norwegian Broadcasting Corporation (NRK) and cybersecurity firm Mnemonic, Darcula and accomplices are thought to have stolen over 900,000 credit card numbers, including nearly 40,000 from Americans. The Chinese-language phishing kit first appeared in July 2023.
NBC News first reported the case on December 17, 2025. This comes just over a month after Google filed a lawsuit against Chinese hackers connected to Lighthouse, another PhaaS provider that is said to have affected more than a million users in 120 countries.
The FBI, Microsoft, the U.S. Secret Service, and the National Crime Agency of the United Kingdom collaborated on the investigation that led to the arrest.
Since July 2024, at least 5,000 credentials have been stolen from business, financial, and educational institutions in 94 countries using the RaccoonO365 infrastructure.
Samuel allegedly managed a Telegram group with more than 800 users where he sold phishing kits for $355 to $999, payable in bitcoin. The toolkit automated the construction of phoney Microsoft login pages, which were frequently hosted on Cloudflare.
Microsoft and Cloudflare disrupted the operation in September 2025 by taking control of 338 domains linked to the phishing service.
Samuel is charged with identity theft, illegal access, and malicious software distribution under the Cybercrimes Act of 2024. Two other people who were detained during the raids were not part of the plot, according to police, but Samuel used their devices or credentials without their permission.







