Microsoft’s Digital Crimes Unit (DCU), working with Cloudflare, has dismantled RaccoonO365 (also known as Storm-2246), a Nigerian-led phishing-as-a-service (PhaaS) operation that enabled cybercriminals globally to steal Microsoft 365 credentials. Since July 2024, the service has stolen at least 5,000 credentials from users in 94 countries and collected over US$100,000 in cryptocurrency payments.
Through a court order from the Southern District of New York, Microsoft seized 338 websites and Cloudflare Worker accounts tied to RaccoonO365, effectively disabling its infrastructure. The takeover included placing warning pages in front of the seized domains, blocking Worker scripts, and suspending malicious accounts. The coordinated disruption was completed by September 8, 2025.
RaccoonO365 operated on a subscription model advertised on Telegram, with over 840-850 subscribers, and offered subscription tiers such as $355 for 30 days and $999 for 90 days. The service allowed users to target up to 9,000 email addresses daily with phishing emails disguised as official Microsoft-branded communications. Among its campaigns were a tax-themed phishing attack targeting over 2,300 U.S. organizations and several campaigns against health care providers.
The investigation identified Joshua Ogundipe, a Nigerian programmer, as the alleged ringleader. Ogundipe and associates handled code development, customer support, and sales for the operation. An operational error that exposed a cryptocurrency wallet linked to Ogundipe helped Microsoft trace part of the operation. A criminal referral has been submitted to international law enforcement.
The takedown highlights growing concerns that phishing services are becoming easier for less technical actors to access, turning cybercrime into a subscription-based business model. Microsoft and Cloudflare say that while this disruption is significant, the threat is evolving. They urge organizations to strengthen defenses such as multi-factor authentication, train staff about phishing risks, and support stronger international cooperation in cybercrime law enforcement.