Microsoft Takes Down 340 Phishing Websites Run by Nigerian Group

Microsoft has dismantled nearly 340 websites linked to Raccoon0365, a Nigerian-operated phishing service accused of stealing thousands of user credentials.

The takedown followed an order from the U.S. District Court in Manhattan earlier this month, according to Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit. The seizures, carried out over several days, disrupted Raccoon0365’s operations, which were coordinated primarily through a private Telegram channel with more than 850 subscribers.

Launched in July 2024, Raccoon0365 offered a subscription-based toolkit that allowed users to impersonate trusted brands and trick victims into entering their Microsoft login details on fake websites. Microsoft identified Nigeria-based Joshua Ogundipe as the ringleader of the scheme, which generated at least $100,000 in cryptocurrency payments. Ogundipe did not respond to requests for comment.

“Cybercriminals don’t need to be sophisticated to cause widespread harm,” Masada said in a blog post. “Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”

Court filings show the phishing service targeted multiple industries, with significant activity directed at organizations in New York City. Earlier this year, Microsoft tied Raccoon0365 to tax-related phishing campaigns that attempted to breach more than 2,300 U.S. organizations in just two weeks.

The healthcare sector was among the hardest hit. Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center (Health-ISAC), which joined Microsoft in the lawsuit, said the phishing service had compromised credentials at five healthcare organizations and attempted to breach at least 25 more.

“So many of the attacks start because somebody gave up their username and password,” Weiss said. “Once that access is gained, it’s only a matter of how criminals choose to exploit it.”

Raccoon0365 operators used Cloudflare services to mask their infrastructure, but Cloudflare worked with Microsoft and the U.S. Secret Service to help dismantle the network.

“They’re in people’s accounts, they compromise lots of people, and it needs to obviously be stopped,” said Blake Darché, head of threat intelligence at Cloudflare.

Microsoft said the action delivers a major blow to one of the most accessible phishing services available. However, the company cautioned that similar low-cost cybercrime tools continue to spread online.
