Nigerian Authorities Capture Suspect in RaccoonO365 Phishing Scheme Tied to Microsoft 365 Breaches

Arrest of High-Profile Internet Fraud Suspects in Nigeria

Three individuals have been arrested in Nigeria for their involvement in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme.

The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) revealed that Okitipi Samuel, also known as Moses Felix, was identified as the principal suspect and developer of the phishing infrastructure. Investigations conducted in collaboration with Microsoft and the Federal Bureau of Investigation (FBI) led to this breakthrough.

According to the NPF, Samuel operated a Telegram channel where phishing links were sold in exchange for cryptocurrency. He also hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials.

Search operations conducted at the suspects’ residences resulted in the seizure of laptops, mobile devices, and other digital equipment linked to the operation. However, it was clarified that the two other arrested individuals had no connection to the creation or operation of the PhaaS service.

RaccoonO365 and Its Threat to Cybersecurity

RaccoonO365, a financially motivated threat group, is behind a PhaaS toolkit that enables bad actors to conduct credential harvesting attacks through phishing pages mimicking Microsoft 365 login pages. Microsoft is tracking this threat actor as Storm-2246.

In September 2025, Microsoft collaborated with Cloudflare to seize 338 domains used by RaccoonO365. The phishing infrastructure associated with the toolkit has resulted in the theft of at least 5,000 Microsoft credentials from 94 countries since July 2024.

RaccoonO365 was used to set up fraudulent Microsoft login portals aimed at stealing user credentials from corporate, financial, and educational institutions. Unauthorized access to Microsoft 365 accounts between January and September 2025 originated from phishing messages crafted to mimic legitimate Microsoft authentication pages, leading to business email compromise, data breaches, and financial losses across multiple jurisdictions.

Legal Actions Against Cybercriminal Operations

Microsoft and Health-ISAC filed a civil lawsuit in September against defendants accused of hosting a cybercriminal operation involving the phishing kit. The stolen data is allegedly used for various cybercrimes, including business email compromise, financial fraud, ransomware attacks, and intellectual property violations.

Additionally, Google filed a lawsuit against the operators of the Darcula PhaaS service, targeting Chinese national Yucheng Chang and 24 other members. The lawsuit aims to seize the group’s server infrastructure responsible for a smishing wave impersonating U.S. government entities.

Darcula and associates are believed to have stolen nearly 900,000 credit card numbers, including a significant number from Americans. The Chinese-language phishing kit emerged in July 2023 and has raised concerns about cybersecurity threats.

Recent Legal Actions in the Cybersecurity Landscape

Google’s lawsuit against the Darcula PhaaS service follows a similar legal action against China-based hackers associated with the Lighthouse PhaaS service. The impact of these services on users across multiple countries underscores the growing concern over cybercrime and the need for robust cybersecurity measures.
