Microsoft busts Telegram-based phishing hub RaccoonO365 and links it to Nigerian programmer

Microsoft’s Digital Crimes Unit (DCU) has uncovered the operator behind RaccoonO365, a subscription-based phishing service targeting Microsoft users. The leader of tge group, Joshua Ogundipe from Nigeria, allegedly ran the scheme with associates who sold access to criminals through Telegram.

According to Microsoft, the service had more than 850 members and generated at least $100,000 in cryptocurrency. Each subscription allowed customers to send thousands of phishing emails daily, adding up to hundreds of millions annually. Microsoft says this business-like structure highlights how accessible large-scale cybercrime has become.

Ogundipe and his team handled development, sales, and even customer support for fellow criminals. They registered domains under false names and addresses across multiple countries. An operational mistake, revealing a cryptocurrency wallet, enabled investigators to link transactions back to the group. Microsoft has referred Ogundipe’s case to international law enforcement.

To dismantle RaccoonO365, Microsoft worked with partners like Cloudflare and used blockchain analysis tools such as Chainalysis Reactor. The joint effort cut off revenue streams and took down malicious infrastructure. Still, Microsoft warned that international legal gaps allow actors to rebuild quickly, urging governments to align cybercrime laws and close loopholes.

Microsoft recommends that organizations and individuals enable multi-factor authentication, use updated anti-phishing tools, and remain vigilant against evolving scams. The company says collaboration across tech firms, governments, and civil society is critical to disrupting the global cybercrime ecosystem.