Nigeria Police Crack Down on High-Profile Internet Fraud Syndicate
Authorities in Nigeria have apprehended three individuals connected to a sophisticated internet fraud operation, potentially linked to phishing attacks targeting major corporations, including the prominent RaccoonO365 phishing-as-a-service (PhaaS) scheme. The arrests were made by the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) after a collaborative investigation with tech giant Microsoft and the Federal Bureau of Investigation (FBI). The main suspect, Okitipi Samuel, also known as Moses Felix, is alleged to be the primary architect behind the phishing infrastructure utilized in these operations.
The investigation unveiled that Felix operated a Telegram channel for selling phishing links in exchange for cryptocurrency. His scheme involved hosting fraudulent login portals on Cloudflare, using stolen or fraudulently obtained email credentials. Authorities have seized various digital devices, including laptops and smartphones, during searches of the suspects’ residences. The other two arrested individuals reportedly have no direct role in the operation of the PhaaS service.
RaccoonO365 is identified as a financially motivated threat group specializing in credential harvesting through counterfeit Microsoft 365 login pages. Microsoft refers to this group as Storm-2246. In September 2025, Microsoft collaborated with Cloudflare to dismantle 338 domains linked to RaccoonO365, a service that has contributed to the theft of over 5,000 Microsoft credentials from 94 countries since July 2024.
The NPF reported that RaccoonO365 was instrumental in creating fraudulent Microsoft login portals aimed at exfiltrating user credentials, thereby allowing for unauthorized access to the email systems of various corporate, financial, and educational institutions. The ongoing investigation has revealed multiple incidents of unauthorized access to Microsoft 365 accounts, originating from phishing messages designed to imitate legitimate Microsoft authentication pages. These attacks have resulted in significant business email compromise, data breaches, and consequent financial losses across numerous jurisdictions.
In a related legal development, a civil lawsuit was filed in September by Microsoft and Health-ISAC against Joshua Ogundipe and several other unidentified defendants, accusing them of facilitating the phishing operation through the distribution and implementation of the PhaaS toolkit. The stolen data has allegedly fueled a range of cybercrimes, including financial fraud, business email compromises, and ransomware attacks.
Ogundipe has been identified as a key figure in this criminal operation, though his current whereabouts remain unknown. Microsoft has indicated that investigations into these matters are ongoing. Meanwhile, Google has initiated a separate lawsuit against the operators of the Darcula PhaaS service, implicating Chinese national Yucheng Chang as the group’s leader. This service has reportedly orchestrated a large-scale smishing campaign masquerading as U.S. government communications.
As the cybersecurity landscape evolves, businesses must remain vigilant against such sophisticated schemes, whose methods correspond to adversary tactics described in MITRE ATT&CK. Initial access through phishing, persistence via compromised accounts, and privilege escalation by leveraging stolen credentials are all potential methods employed in these types of attacks. By understanding these tactics, organizations can better prepare and defend against emerging threats in a rapidly changing digital environment.