Nigerian authorities have arrested an individual believed to be one of the developers behind RaccoonO365, a phishing-as-a-service platform that enabled criminals to mass-produce fake Microsoft login pages and harvest victims’ usernames and passwords. Acting on intelligence provided by Microsoft, the FBI, and the U.S. Secret Service, police ultimately detained three suspects.
According to law enforcement, only one of those arrested—Okitipe Samuel—is directly tied to the RaccoonO365 operation. He is described as a key architect of the platform’s phishing infrastructure. Police allege that Samuel ran a Telegram channel through which phishing links were sold for cryptocurrency and hosted counterfeit login portals on Cloudflare, using email credentials obtained through theft or fraud. Searches conducted during the operation led to the seizure of laptops, mobile phones, and other digital devices believed to be connected to the scheme.
RaccoonO365 was marketed as a “phishing subscription” service. For roughly $365 per month, cybercriminals gained access to tools that allowed them to create branded Microsoft campaigns—complete with fake emails, attachments, and websites—designed to lure victims to fraudulent Microsoft Office 365 login pages. The service was used to target corporate, financial, and educational organizations, and its creators even promised methods for bypassing multi-factor authentication, enabling attackers not merely to steal passwords but to maintain long-term access to compromised systems.
A typical attack chain unfolded as follows: victims received an email containing an attachment with a link or QR code. Following the link or scanning the code led to a page featuring a CAPTCHA, after which the victim was redirected to a counterfeit Microsoft O365 login page where credentials were captured. Nigerian police say such campaigns paved the way for business email compromise, data breaches, and significant financial losses.
As early as September, Microsoft secured a court order authorizing the seizure of 338 websites linked to RaccoonO365. Around the same time, Cloudflare announced that it had disabled hundreds of domains and accounts used by the group. In campaigns observed by Cloudflare, the attackers impersonated not only Microsoft but also brands such as Adobe, Maersk, and DocuSign. According to Microsoft’s Digital Crimes Unit, RaccoonO365 kits were used to steal at least 5,000 Microsoft account credentials across 94 countries.
Microsoft has previously identified another Nigerian national, Joshua Ogundepe, as the principal driving force behind RaccoonO365, alleging that he wrote much of the code and delegated various functions to accomplices—from development and sales to customer support for fellow cybercriminals.
The company has submitted evidence to international law enforcement seeking Ogundepe’s prosecution, though his current whereabouts remain unknown. Microsoft has also claimed that participants in the scheme earned at least $100,000, and that the Telegram channel used to promote the service attracted roughly 850 members.