
Microsoft has taken down nearly 340 websites tied to Raccoon0365, a fast-expanding Nigeria-based phishing service accused of stealing at least 5,000 Microsoft user credentials. Acting under an order from the U.S. District Court in Manhattan, the company seized domains connected to the operation earlier this month, marking a significant strike against cybercrime networks.
According to Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, Raccoon0365 functioned as a subscription-based service, enabling users to launch large-scale phishing campaigns. Some campaigns involved thousands of emails at once. “Cybercriminals don’t need to be sophisticated to cause widespread harm,” Masada said. “Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”
The service operated primarily through a private Telegram channel with more than 850 subscribers, where customers could pay to impersonate well-known brands and trick victims into entering credentials on fake Microsoft login pages. Since its launch in July 2024, the scheme reportedly generated at least $100,000 in cryptocurrency payments for its operators.
Microsoft identified Nigeria-based Joshua Ogundipe as the leader of Raccoon0365. He did not respond to an email request for comment sent to the address listed in Microsoft’s court filings.
Court documents indicate that Raccoon0365 subscribers have targeted multiple industries, with “a significant portion” of attacks aimed at organizations in New York City. Earlier this year, Microsoft disclosed that the group used tax-themed phishing emails to target over 2,300 organizations in the U.S. between February 12 and February 28.
Healthcare has also been a prime target. Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center (Health-ISAC), a co-plaintiff in the case, confirmed that Raccoon0365 was linked to credential theft at five healthcare organizations and attempted attacks on 25 more. “So many of the attacks start because somebody gave up their user name and password to a bad guy,” Weiss explained. “Once that cybercriminal has access to the network, then it’s just up to the imagination in terms of what comes next and how they monetize it.”
Cloudflare, whose services were used to conceal Raccoon0365’s backend infrastructure, partnered with Microsoft and the U.S. Secret Service to shut down its operations. Blake Darché, head of threat intelligence at Cloudflare, noted that while the operators made “key operational security mistakes,” they remained highly effective. “They’re in people’s accounts, they compromise lots of people, and it needs to obviously be stopped,” he said.




