Microsoft outs Nigerian as RaccoonO365 PhaaS boss

OpSec flub unmasked criminals.

The Digital Crimes Unit (DCU) at Microsoft said it has disrupted a global phishing operation called RaccoonO365, uncloaking the leader of the criminal gang behind it in the process.

Login page for RaccoonO365

Steven Masada, a legal officer with the DCU, identified Joshua Ogundipe, a Nigerian computer programmer, as the mastermind behind RaccoonO365, which the company said is one of the world's fastest-growing phishing services.

Ogundipe is believed to have written the majority of the code for RaccoonO365.

He and his associates have marketed and sold their services over the Telegram messaging platform to more than 850 members.

Masada said Ogundipe and his associates have received at least US$100,000 (A$150,000), which DCU estimates corresponds to 100 to 200 subscriptions, although he said that figure could be an underestimate.

Ogundipe's identity became known through an operational security lapse where his team inadvertently revealed a secret cryptocurrency wallet.

Blockchain analysis tools, including Chainalysis Reactor, helped trace the cryptocurrency transactions from that wallet back to real identities.

RaccoonO365 subscriptions are not single-use: Masada said each one could be used to send up to 9000 phishing emails a day, which across the subscriber base adds up to potentially hundreds of millions of malicious messages sent through the platform.

DCU obtained a court order from the US District Court for the Southern District of New York, under which 338 websites associated with RaccoonO365, which Microsoft tracks as Storm-2246, were seized.

Masada said the RaccoonO365 phishers ran an extensive campaign across multiple industries, including a tax-themed operation that targeted more than 2300 organisations in the United States.

Some 20 healthcare organisations, also in the US, were attacked with RaccoonO365 phishing kits.

DCU partnered with the not-for-profit Health-ISAC cybersecurity threat intelligence organisation for the court case.

RaccoonO365's phishing emails targeting healthcare organisations often precede ransomware deployments that can delay patient services, compromise lab results, and cancel critical procedures.

The phishing-as-a-service (PhaaS) operators recently began advertising an artificial intelligence-powered service called "AI-MailCheck" which is designed to scale operations and increase attack sophistication.

The service also circumvents multi-factor authentication (MFA) protections and maintains persistent access to compromised systems.

Microsoft has referred Ogundipe to international law enforcement agencies.

Masada said that legal challenges to prosecuting cybercriminals persist.

"Today's patchwork of international laws remains a major obstacle and cybercriminals exploit these gaps," Masada wrote.

"Governments must work together to align their cybercrime laws, speed up cross-border prosecutions, and close the loopholes that let criminals operate with impunity.

"The international community should also support nations that are working to strengthen their defenses, while holding accountable those that turn a blind eye to cybercrime."

Despite the disruption and naming of the RaccoonO365 leader, Microsoft expects the criminals to attempt rebuilding their infrastructure, requiring ongoing legal action to prevent re-emergence.

Microsoft's DCU has actively pursued cybercrime operations over several years.

In May 2025, it took legal action against Lumma Stealer, which it said had infected over 400,000 Windows computers with infostealing malware.

Copyright © iTnews.com.au . All rights reserved.