Microsoft has unmasked Joshua Ogundipe, a Nigerian software developer, as the suspected mastermind behind RaccoonO365, described as the world’s fastest-growing phishing operation targeting Microsoft 365 users.
The company’s Digital Crimes Unit (DCU) announced it had dismantled 338 websites linked to the network, cutting off the infrastructure criminals used to steal thousands of login credentials across 94 countries.
A Subscription-Based Cybercrime Model
Known to Microsoft as Storm-2246, RaccoonO365 operated as a phishing-as-a-service (PhaaS) platform. Subscribers—many with little technical skill—could easily deploy fake Microsoft login pages to harvest usernames and passwords.
Since its emergence in July 2024, RaccoonO365 has been implicated in the theft of at least 5,000 Microsoft credentials. Targets included sensitive industries such as healthcare, where phishing campaigns struck over 20 hospitals and providers, disrupting patient care and exposing organizations to ransomware threats.
“This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm,” Microsoft’s DCU said. “Simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”
Tracing the Mastermind
Investigators linked the operation to Joshua Ogundipe, who allegedly developed much of the RaccoonO365 code. His team marketed subscriptions on Telegram to an audience of more than 850 members, accepting at least $100,000 in cryptocurrency.
Each subscription allowed attackers to send thousands of phishing messages daily, amounting to hundreds of millions annually. The service also featured AI tools such as RaccoonO365 AI-MailCheck, designed to bypass email filters and increase attack success rates.
Microsoft noted the group ran like a tech startup—complete with marketing, customer support, and fake domain registrations. A key breakthrough came when investigators traced activity from a compromised cryptocurrency wallet back to Ogundipe’s real identity.
An international criminal referral has been filed, opening the door for law enforcement prosecution.
Microsoft’s Coordinated Response
The takedown, executed in partnership with Cloudflare and aided by blockchain forensics firm Chainalysis, represents one of Microsoft’s most aggressive anti-phishing operations to date.
Still, the company warned that cybercriminals often rebuild their networks after shutdowns.

“This operation shows what’s possible when tech companies, security firms, and governments work together,” Microsoft said. “By disrupting criminal infrastructure, we cut off revenue streams and protect millions of users.”
Cybercrime Made Easy
The rise of PhaaS platforms like RaccoonO365 highlights how cybercrime has evolved into a global, scalable business model. Rather than developing sophisticated malware, attackers can now purchase turnkey phishing kits and launch mass attacks at the click of a button.
What’s Next
For Nigeria, the exposure of Ogundipe underscores the growing role of local actors in international cybercrime networks. For global users, Microsoft urged companies and individuals to adopt stronger defenses—multi-factor authentication (MFA), regular software updates, and staff training—to reduce the risk of credential theft.
With Ogundipe named and hundreds of malicious domains dismantled, the future of RaccoonO365—and the vast phishing ecosystem it supported—now hangs in the balance.