bleepingcomputer.com
By Bill Toulas
December 19, 2025
The Nigerian police have arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing-as-a-service.
The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide.
The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI.
The authorities identified individuals who administered the phishing toolkit ‘Raccoon0365,’ which automated the creation of fake Microsoft login pages for credential theft.
The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September.
It is unclear if the disruption operation helped identify those behind Raccoon0365 in Nigeria.
BleepingComputer contacted Microsoft for clarifications but a comment wasn't immediately available.
“Acting on precise and actionable intelligence, NPF–NCCC operatives were deployed to Lagos and Edo States, leading to the arrest of three suspects,” reads the police’s announcement.
“Search operations conducted at their residences resulted in the recovery of laptops, mobile devices, and other digital equipment, which have been linked to the fraudulent scheme after forensic analysis.”
One of the arrested suspects is an individual named Okitipi Samuel, also known online as “RaccoonO365” and “Moses Felix,” whom the police believe is the developer of the phishing platform.
Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials.
The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months.
Cloudflare estimates that the service is used primarily by Russia-based cybercriminals.
Regarding the other two arrested individuals, the police stated they have no evidence linking them to the Raccoon0365 operation or creation.
The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.
The AFP has played a key role in a landmark international operation targeting perpetrators of online sextortion, which resulted in the arrest of 22 suspects in Nigeria.
CORRECTION: The arrest of two Nigerian-based offenders linked to the suicide of a 16-year-old child in New South Wales in 2023 was NOT part of Operation Artemis. Those arrests occurred after Operation Artemis, when they were conducted by Nigeria’s Economic and Financial Crimes Commission to assist a NSW Police Force investigation.
The AFP has played a key role in a landmark international operation targeting perpetrators of online sextortion, which resulted in the arrest of 22 suspects in Nigeria.
Operation Artemis was a joint operation led by the US Federal Bureau of Investigation in partnership with the AFP, Royal Canadian Mounted Police, and Nigeria’s Economic and Financial Crimes Commission (EFCC). It focused on dismantling an organised criminal network allegedly responsible for a wave of online sextortion crimes which targeted thousands of teenagers globally.
The network’s scheme, which coerced victims into sharing sexually explicit images before threatening to distribute those images unless payment was made, had devastating consequences.
In the United States alone, more than 20 teenage suicides have been linked to sextortion-related cases since 2021. While many victims were based in North America, the ripple effects of the offending extended to Australia and other nations.
“Yahoo Boy” cybercriminals are openly running dozens of scams across Facebook, WhatsApp, Telegram, TikTok, YouTube, and more.
