
Microsoft’s Digital Crimes Unit announced Tuesday that it obtained a U.S. court order to seize control of 338 websites operated by RaccoonO365, a Nigeria-based “phishing-as-a-service” platform responsible for compromising at least 5,000 Microsoft credentials since July 2024 (Microsoft Security Blog). Tracked internally as Storm-2246, the operation generated over $100,000 in cryptocurrency revenue by selling subscription-based phishing kits via a private Telegram channel with more than 850 members.
Collaborative Takedown via Court Order
The seizure was executed under a court order from the U.S. District Court for the Southern District of New York, reflecting a coordinated effort among Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC), Cloudflare, and the U.S. Secret Service. Microsoft identified Joshua Ogundipe, operating from Nigeria, as the ringleader behind the service. The court granted Microsoft control of the domains, preventing further creation of fraudulent login pages and blocking access to the backend infrastructure.
Sophisticated Yet Accessible Phishing Tool
RaccoonO365 offered turnkey phishing kits that required minimal technical skill. Subscribers could deploy campaigns targeting thousands of victims simultaneously, with prebuilt templates for mimicking legitimate Microsoft 365 login portals. Health-ISAC’s chief security officer, Errol Weiss, revealed that at least five healthcare organizations were compromised and 25 healthcare entities were targeted, underscoring the threat to patient data and care continuity. One attack displaced staff from electronic health records systems, triggering emergency manual workflows.
Beyond healthcare, RaccoonO365 powered a tax-themed campaign in February that lured employees at more than 2,300 organizations. The kits embedded QR codes in PDF attachments, redirecting victims to counterfeit login pages. Once credentials were harvested, operators could escalate to ransomware or identity theft.
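The lure pattern described above (a tax-themed message, a PDF attachment, a QR code that resolves to a counterfeit Microsoft 365 login page) is something a mail-security team can triage automatically. The following is an added example, not code from Microsoft or from the article; it assumes an upstream scanner has already decoded QR codes in attachments into URLs, and the message schema, allowlisted login hosts and sample records are all constructed for illustration.

```python
from urllib.parse import urlparse

# Hosts where a genuine Microsoft 365 sign-in legitimately lands (assumption: a
# defender tunes this allowlist to their own tenant, federation and vanity domains).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
BRAND_TOKENS = ("microsoft", "office", "o365", "outlook", "sharepoint", "onedrive")
TAX_LURE_TERMS = ("tax", "w-2", "w2", "1099", "irs", "refund")


def impersonates_m365(url: str) -> bool:
    """True if the URL borrows Microsoft 365 branding but is not a Microsoft login host."""
    host = (urlparse(url).hostname or "").lower()
    if host in LEGIT_LOGIN_HOSTS or host.endswith(".microsoft.com"):
        return False
    return any(tok in host for tok in BRAND_TOKENS)


def score_message(msg: dict) -> list:
    """Return the phishing indicators found in one inbound message record.

    Constructed schema (not a real gateway format): 'subject', 'attachments'
    (filenames) and 'qr_urls' (URLs decoded from QR codes in the attachments)."""
    findings = []
    pdf_attached = any(n.lower().endswith(".pdf") for n in msg.get("attachments", []))
    subject = msg.get("subject", "").lower()
    if any(term in subject for term in TAX_LURE_TERMS):
        findings.append("tax-themed subject")
    lookalikes = [urlparse(u).hostname for u in msg.get("qr_urls", []) if impersonates_m365(u)]
    for host in lookalikes:
        findings.append(f"QR link to Microsoft 365 lookalike host: {host}")
    if lookalikes and pdf_attached:
        findings.append("lookalike QR link delivered inside a PDF attachment")
    return findings


# Constructed sample records so the block runs stand-alone.
SAMPLE_MESSAGES = [
    {"subject": "Your 2024 tax refund statement", "attachments": ["refund.pdf"],
     "qr_urls": ["https://login.microsoft0nline-verify.example/auth"]},
    {"subject": "Q3 budget review", "attachments": ["budget.xlsx"],
     "qr_urls": ["https://login.microsoftonline.com/common/oauth2/authorize"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", score_message(m) or "no indicators")
```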
First Civil Crypto Takedown via Blockchain Analysis
In a first-of-its-kind move for a civil enforcement action, Microsoft leveraged cryptocurrency tracing to attribute funds. Using Chainalysis Reactor, investigators followed subscription payments through multiple mixers; an operational security slip by Ogundipe, who shared an incorrect wallet address, revealed the final destination at a Nigerian cryptocurrency exchange.
“Simple phishing tools can inflict vast harm,” said Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit. “By combining legal remedies with blockchain analysis, we’ve set a new precedent for disrupting cybercrime revenue streams.”
Cloudflare’s Role and Ongoing Defense
RaccoonO365 operators used Cloudflare to mask their servers behind proxy services. Cloudflare collaborated by disabling the phishing domains and preventing new account setups. Blake Darché, head of threat intelligence at Cloudflare, noted that while the criminals made key mistakes in wallet management, their operational security remained robust enough to evade detection until the proactive domain seizure.
Preventing a Resurgence
Microsoft warns that the RaccoonO365 operators may attempt to rebuild their infrastructure under new domain names. The Digital Crimes Unit plans continuous legal actions and technical interventions to thwart any resurgence. Microsoft urges organizations to enable multi-factor authentication, deploy email filtering, and educate users on identifying phishing indicators to mitigate the risk posed by subscription-based phishing services.
This takedown illustrates the evolving nexus between cryptocurrency and cybercrime, demonstrating how coordinated legal, technical, and investigative measures can disrupt criminal ecosystems and protect millions of users worldwide.