Nigeria arrests suspected RaccoonO365 phishing kit developer on tip from Microsoft, FBI

One of the alleged developers behind the RaccoonO365 subscription phishing kit was arrested by Nigerian police this week. 

The Nigerian police’s National Cybercrime Centre said they conducted two raids in Lagos and Edo states, resulting in three arrests, after receiving tips from Microsoft, the FBI and the U.S. Secret Service.

While two of those arrested were not tied to the cybercriminal operation, police detained Okitipi Samuel, who is accused of being a key developer of the RaccoonO365 phishing infrastructure.

RaccoonO365 has been used to create fake Microsoft login portals aimed at harvesting user credentials and unlawfully accessing the email platforms of corporate, financial, and educational institutions.

“Investigations reveal that [Samuel] operated a Telegram channel through which phishing links were sold in exchange for cryptocurrency and hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials,” a Nigerian police spokesperson said.

The raids also resulted in the seizure of laptops, mobile devices and other digital equipment likely linked to the scheme, the spokesperson added.

In September, Microsoft obtained a court order to seize 338 websites associated with RaccoonO365.

RaccoonO365 operated as a subscription phishing kit that allowed cybercriminals to use Microsoft branding to create fake emails, attachments and websites that could lead victims into opening, clicking and downloading malicious links or documents.

The service was used by cybercriminals — who paid about $365 per month for a subscription — to target 9,000 email addresses each day and offered techniques to circumvent multifactor authentication protections to steal user credentials and gain persistent access to victims’ systems.

In most cases the emails had attachments with links or a QR code that led to a page with a CAPTCHA. Once the CAPTCHA was entered, victims were taken to fake Microsoft O365 login pages that stole credentials. 

Nigerian police said the phishing emails allowed cybercriminals to carry out business email compromises and data breaches and to cause financial losses.

Cloudflare also took down hundreds of domains and accounts associated with the group in September. Multiple phishing campaigns seen by Cloudflare officials spoofed brands like Adobe, Maersk, DocuSign and others.

Steven Masada, assistant general counsel with Microsoft’s Digital Crimes Unit (DCU), said at the time that RaccoonO365’s kits have been used to steal at least 5,000 Microsoft credentials in 94 countries.

For nearly a year, researchers at several companies have warned about the prevalence of RaccoonO365 and its increasing usage by cybercriminals to launch business email compromise attacks and other scams. 

Microsoft has said Nigerian national Joshua Ogundipe was the leading force behind RaccoonO365. Microsoft sent a criminal referral to international law enforcement for Ogundipe but his whereabouts are unclear.

He allegedly worked with others to market and sell the tool on Telegram. There were about 850 members of the group's Telegram channel.

Ogundipe wrote most of the RaccoonO365 code but delegated other roles to associates for developing and selling the service as well as providing customer support to other cybercriminals, Microsoft said. Their efforts earned them at least $100,000, according to Microsoft.  

The Nigerian Police Force and Microsoft did not respond to requests for comment about what specific role Samuel played in the operation. 

Nigeria has taken a tougher stance on cybercrime in 2025, sentencing nine Chinese nationals to one year in prison for their roles in a cybercrime syndicate that allegedly involved training and recruiting young Nigerians to commit online fraud.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
