The Nigeria Police Force National Cybercrime Centre (NPF-NCCC) has launched a major investigation into an international cybercrime network accused of targeting Microsoft 365 users across several countries through phishing and related digital fraud.
The probe began after Microsoft Office in the United States, working with the Federal Bureau of Investigation (FBI), shared intelligence indicating that a sophisticated phishing toolkit known as Raccoon365 was being used to create fake Microsoft login pages. These fake portals were designed to steal user credentials and gain unauthorised access to email accounts belonging to corporate organisations, financial institutions and educational bodies worldwide.
According to the Police, the NPF-NCCC immediately partnered with Microsoft, the FBI and the United States Secret Service to track the perpetrators and dismantle the operation.
Force Public Relations Officer, CSP Benjamin Hundeyin, said that between January and September 2025, numerous cases of compromised Microsoft 365 accounts were traced to phishing emails disguised as legitimate Microsoft login requests. These attacks reportedly led to business email compromise, internal phishing campaigns, data breaches and other forms of cyber-enabled fraud.
He explained that advanced digital forensics and cryptocurrency tracking helped investigators identify suspicious digital wallets linked to the illegal operation. Based on this intelligence, police teams were deployed to Lagos and Edo States, leading to the arrest of Joshua James on September 20 and Okitipi Samuel on October 4, 2025.
Searches conducted at their residences uncovered mobile phones, laptops and other digital devices connected to the scheme. Investigators identified Okitipi Samuel also known as “Raccoon0365” and Moses Felix as the main suspect behind the operation. He is alleged to be the developer and operator of the Raccoon365 phishing infrastructure.
Police said Samuel allegedly ran a Telegram channel where phishing links were sold in exchange for cryptocurrency and hosted fake Microsoft login pages using Cloudflare, often relying on stolen or fraudulently obtained email addresses. Further findings revealed that he unlawfully used the personal email details of one of the arrested individuals to register some of the phishing accounts.
Blockchain analysis traced the cryptocurrency proceeds to Bitnob and Exodus wallets, with Know-Your-Customer (KYC) data reportedly linking Samuel as the sole beneficiary. The phishing links he generated were said to have enabled multiple unauthorised intrusions into Microsoft 365 accounts across different countries, resulting in financial losses and exposure of sensitive information.
The police clarified that investigations found no evidence that Joshua James was involved in creating or running the Raccoon365 scheme. Instead, his personal information and devices were allegedly exploited without his consent by the principal suspect.
According to the NPF-NCCC, a prima facie case has been established against Okitipi Samuel on charges including identity theft, unlawful access to computer systems, creation and distribution of malicious software, aiding and abetting fraud, and unauthorised interference with network data. He is expected to be charged under relevant sections of the Cybercrimes (Prohibition, Prevention, etc.) Act, 2024.
