Overview
- Police say three suspects were detained in Lagos and Edo States, with laptops and mobile devices seized and forensically linked to the scheme.
- Investigators identified Okitipi Samuel, known as RaccoonO365 and Moses Felix, as the developer who sold phishing links via a Telegram channel for cryptocurrency and hosted fake login portals on Cloudflare using compromised accounts.
- Authorities reported no evidence connecting the two other arrestees to the development or management of the phishing infrastructure at this stage.
- RaccoonO365 is tied to at least 5,000 stolen Microsoft credentials across 94 countries since mid‑2024 and to unauthorized Microsoft 365 access between January and September 2025 that drove business email compromise, data breaches, and financial losses.
- Prior disruption included Microsoft and Cloudflare seizing 338 domains in September 2025, with a related civil suit by Microsoft and Health‑ISAC naming Joshua Ogundipe and other defendants over hosting and selling the phishing kit.