Nigerian police and international investigators identified a lead suspect who allegedly managed a Telegram channel to sell phishing links in exchange for cryptocurrency. This individual is accused of hosting fraudulent login portals on Cloudflare to harvest credentials from various institutions. During the raids, authorities seized several digital devices and laptops used to facilitate these operations. Three people were taken into custody, but officials clarified that only one was responsible for creating the infrastructure; the others were linked to the broader criminal activities.
The toolkit, known as RaccoonO365 or Storm-2246, specialized in mimicking Microsoft 365 login pages to deceive users. Since its emergence in mid-2024, the platform has been used to steal at least 5,000 sets of credentials from victims globally. This data theft allowed attackers to bypass security measures and gain unauthorized access to the email systems of financial, educational, and corporate organizations. Earlier in 2025, Microsoft worked with service providers to take down over 300 domains associated with this specific threat group.
Law enforcement found that the stolen information was frequently used to launch business email compromise attacks and spread ransomware. By impersonating legitimate authentication pages, the suspects managed to infiltrate private networks and cause significant financial losses for their targets. A civil lawsuit filed by Microsoft in late 2025 also named specific individuals involved in the distribution and implementation of these malicious kits. These legal actions aim to stop the flow of sensitive data being siphoned from compromised corporate accounts.
The Nigerian arrests coincide with a broader global crackdown on phishing-as-a-service providers. Recently, Google took legal action against a separate group called Darcula, which was linked to large-scale messaging scams targeting government entities. These groups operate by selling pre-packaged cybercrime tools to less-skilled hackers, effectively lowering the barrier to entry into the world of digital fraud. By targeting the developers of these platforms, authorities hope to disrupt the entire supply chain of the cybercrime economy.
This recent wave of litigation and law enforcement activity highlights the growing collaboration between tech giants and international police forces. From the seizure of server infrastructure to the identification of group leaders in various countries, the goal is to make the operation of these fraudulent services more difficult and legally risky. As phishing kits continue to impact millions of users worldwide, these coordinated efforts represent a strategic shift toward holding the architects of cybercrime infrastructure accountable.
Source: Nigeria Arrests RaccoonO365 Phishing Developer Linked To Microsoft 365 Attacks



