Microsoft has seized 338 websites tied to a Nigerian-based phishing service, Raccoon0365, which stole more than 5,000 user credentials.
Microsoft announced on Tuesday that it has seized 338 websites linked to a Nigerian-based phishing service called “Raccoon0365,” which enabled large-scale cyberattacks and resulted in the theft of more than 5,000 Microsoft user credentials.
According to Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, the service operated through a private Telegram channel with over 850 subscribers. It allowed users to impersonate trusted brands and lure victims into entering login details on fake Microsoft platforms. Since its launch in July 2024, Raccoon0365 generated at least $100,000 (€84,425) in cryptocurrency payments for its operators.
Microsoft said the phishing scheme targeted a wide range of industries, with many organizations based in New York City. Earlier this year, the company identified a Raccoon0365 campaign using tax-themed phishing emails to attack more than 2,300 organizations. A US District Court in Manhattan granted Microsoft an order earlier this month to seize the domains.
“Cybercriminals don’t need to be sophisticated to cause widespread harm,” Masada said. “Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk,” he added.
The service also used Cloudflare to mask its backend infrastructure. Cloudflare worked with Microsoft and the US Secret Service to dismantle operations and prevent new accounts from being created.
Blake Darche, Cloudflare’s head of threat intelligence, noted that despite operational mistakes, the attackers were highly effective. “They’re in people’s accounts, they compromise lots of people, and it needs to obviously be stopped,” he said.