Authorities in Nigeria have confirmed the arrest of three high profile internet fraud suspects connected to large scale phishing operations, including the primary developer behind the RaccoonO365 phishing as a service platform. The arrests were announced by the Nigeria Police Force National Cybercrime Centre following a joint investigation with Microsoft and the Federal Bureau of Investigation.
According to Nigerian authorities, the main suspect, identified as Okitipi Samuel, also known as Moses Felix, is believed to be the architect and operator of the RaccoonO365 phishing infrastructure. Investigators stated that he managed a Telegram based operation where phishing links were sold in exchange for cryptocurrency payments. The phishing portals were hosted using Cloudflare services and relied on stolen or fraudulently obtained email credentials to bypass security controls.
Law enforcement officials confirmed that multiple laptops, mobile phones, and digital storage devices linked to the operation were seized during coordinated searches at the suspects’ residences. The Nigeria Police Force clarified that the two other individuals arrested were not involved in developing or running the phishing as a service platform itself.
RaccoonO365 is a financially motivated phishing toolkit designed to harvest credentials by impersonating Microsoft 365 login pages. Microsoft tracks the threat actor operating this service under the name Storm 2246. The platform allowed cybercriminals with minimal technical expertise to launch sophisticated credential harvesting campaigns at scale.
In September 2025, Microsoft disclosed that it had worked alongside Cloudflare to seize 338 malicious domains associated with RaccoonO365. Security assessments indicate that the phishing operation resulted in the theft of more than 5,000 Microsoft account credentials across 94 countries since July 2024.
The Nigerian police stated that the stolen credentials were used to gain unauthorized access to Microsoft 365 accounts belonging to corporate, financial, and educational institutions. Between January and September 2025, multiple confirmed incidents of account compromise were traced back to phishing emails crafted to closely resemble legitimate Microsoft authentication pages. These intrusions led to business email compromise, data breaches, and direct financial losses across several regions.
The arrests come amid broader legal action against phishing as a service ecosystems. In September 2025, Microsoft and Health-ISAC filed a civil lawsuit accusing multiple defendants, including Joshua Ogundipe, of selling and distributing phishing kits used for targeted spear phishing and data theft.
Separately, Google has launched legal proceedings against operators of the Darcula phishing as a service platform. The lawsuit names Chinese national Yucheng Chang as the alleged leader of the operation and seeks to dismantle infrastructure tied to a large scale smishing campaign impersonating United States government entities.
Investigations by the Norwegian Broadcasting Corporation and cybersecurity firm Mnemonic estimate that Darcula affiliates stole nearly 900,000 credit card numbers worldwide. The case was first reported by NBC News on December 17, 2025, highlighting an expanding global crackdown on phishing as a service operations.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
