Authorities in Nigeria have announced the arrest of three “high-profile internet fraud suspects” who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme.
The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) said investigations conducted in collaboration with Microsoft and the Federal Bureau of Investigation (FBI) led to the identification of Okitipi Samuel, also known as Moses Felix, as the principal suspect and developer of the phishing infrastructure.
“Investigations reveal that he operated a Telegram channel through which phishing links were sold in exchange for cryptocurrency and hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials,” the NPF said in a post shared on social media.
In addition, laptops, mobile devices, and other digital equipment linked to the operation have been seized following search operations conducted at their residences. The two other arrested individuals have no connection to the creation or operation of the PhaaS service, per the NPF. The arrests were carried out following raids in Lagos and Edo states.
RaccoonO365 is the name assigned to a financially motivated threat group behind a PhaaS toolkit that enables bad actors to conduct credential harvesting attacks by serving phishing pages mimicking Microsoft 365 login pages. Microsoft is tracking the threat actor under the moniker Storm-2246.
Back in September 2025, the tech giant said it worked with Cloudflare to seize 338 domains used by RaccoonO365. The phishing infrastructure attributed to the toolkit is estimated to have led to the theft of at least 5,000 Microsoft credentials from 94 countries since July 2024.
The NPF said RaccoonO365 was used to set up fraudulent Microsoft login portals aimed at stealing user credentials and using them to gain unlawful access to the email platforms of corporate, financial, and educational institutions. The joint probe has uncovered multiple incidents of unauthorized Microsoft 365 account access between January and September 2025 that originated from phishing messages crafted to mimic legitimate Microsoft authentication pages.
These activities led to business email compromise, data breaches, and financial losses across multiple jurisdictions, the NPF added.
A civil lawsuit filed by Microsoft and Health-ISAC in September has accused defendants Joshua Ogundipe and four other John Does of hosting a cybercriminal operation by “selling, distributing, purchasing, and implementing” the phishing kit to facilitate sophisticated spear-phishing and siphon sensitive information.
The stolen data is then used to fuel more cybercrimes, including business email compromise, financial fraud, and ransomware attacks, as well as commit intellectual property violations, the lawsuit alleged.
The lawsuit also identified Ogundipe as the mastermind behind the operation. His present whereabouts are unclear. When reached for comment, a Microsoft spokesperson told The Hacker News that investigations are ongoing.
The development comes as Google filed a lawsuit against the operators of the Darcula PhaaS service, naming Chinese national Yucheng Chang as the group’s leader along with 24 other members. The company is seeking a court order to seize the group’s server infrastructure that has been behind a massive smishing wave impersonating U.S. government entities.
Darcula and associates are estimated to have stolen nearly 900,000 credit card numbers, including nearly 40,000 from Americans, according to an investigation from the Norwegian Broadcasting Corporation (NRK) and cybersecurity company Mnemonic. The Chinese-language phishing kit first emerged in July 2023.
News of the lawsuit was first reported by NBC News on December 17, 2025. The development comes a little over a month after Google also sued China-based hackers associated with another PhaaS service known as Lighthouse that’s believed to have impacted over 1 million users across 120 countries.
