Agnes Isika Blog

Microsoft Seizes 340 Websites Linked To Nigerian-Run Phishing Service

Microsoft has seized 340 websites tied to Nigerian-run phishing service Raccoon0365, which stole thousands of user credentials.

Microsoft Inc. announced on Tuesday that it had seized nearly 340 websites tied to Raccoon0365, a fast-growing Nigerian-based phishing service accused of stealing at least 5,000 Microsoft user credentials.

The tech giant obtained an order earlier this month from the US District Court in Manhattan to take down domains linked to the subscription-based service, according to Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit. The takedown occurred over several days and targeted Raccoon0365’s operations, which were conducted primarily through a private Telegram channel with more than 850 subscribers.

Launched in July 2024, the service enabled subscribers to impersonate trusted brands and trick victims into entering their Microsoft login details on fraudulent webpages. Microsoft identified Nigeria-based Joshua Ogundipe as the ringleader of the operation, which has generated at least $100,000 in cryptocurrency payments. Ogundipe did not respond to a request for comment.

“Cybercriminals don’t need to be sophisticated to cause widespread harm,” Masada said in a blog post. “Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”

Court filings reveal that Raccoon0365 targeted a broad range of industries, with a significant portion of activity aimed at organisations in New York City. Earlier this year, Microsoft linked the service to tax-themed phishing campaigns that attempted to breach over 2,300 US organizations in just two weeks.

The healthcare sector has been a notable victim. Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center (Health-ISAC), a co-plaintiff with Microsoft, said the service was connected to successful credential thefts at five healthcare organisations and attempted attacks on at least 25 others. “So many of the attacks start because somebody gave up their username and password,” Weiss explained. “Once that access is gained, it’s only a matter of how criminals choose to exploit it.”

The operators used Cloudflare services to obscure their infrastructure, but the company collaborated with Microsoft and the U.S. Secret Service to help disrupt the network. “They’re in people’s accounts, they compromise lots of people, and it needs to obviously be stopped,” said Blake Darché, head of threat intelligence at Cloudflare.

With the seizure of Raccoon0365’s domains, Microsoft and its partners say they have dealt a significant blow to one of the most accessible phishing services on the market—though the company warned that similar low-cost cybercrime tools continue to proliferate.
