Microsoft has shut down nearly 340 websites linked to Raccoon0365, a fast-growing phishing service run from Nigeria that enabled even low-skilled actors to launch large-scale cyberattacks, the company revealed Tuesday, Reuters reported.
The takedown, carried out with the backing of a U.S. District Court order in Manhattan, underscores the industrialization of phishing, where turnkey subscription services lower the barrier for cybercrime.
Raccoon0365, operating via a private Telegram group with over 850 paying subscribers, allowed users to mimic trusted brands and trick victims into handing over Microsoft login credentials. According to Microsoft’s Digital Crimes Unit, the service has harvested at least 5,000 user credentials and generated more than $100,000 in cryptocurrency payments since its launch in July 2024.
“Cybercriminals don’t need to be sophisticated to cause widespread harm,” said Steven Masada, assistant general counsel for Microsoft. “Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”
Microsoft identified Joshua Ogundipe of Nigeria as the ringleader. Court filings detail how the service targeted industries ranging from finance to healthcare, with a concentrated wave of tax-themed phishing attacks hitting 2,300 U.S. organizations in February 2025 alone.
The healthcare sector has been hit particularly hard. Errol Weiss, chief security officer of Health-ISAC, Microsoft’s co-plaintiff, confirmed that at least five healthcare organizations suffered successful credential breaches via Raccoon0365 campaigns. “Once a cybercriminal has access to a network, it’s only up to their imagination how they monetize it,” Weiss warned.
Cloudflare, which had unwittingly hosted parts of Raccoon0365’s backend, joined forces with Microsoft and the U.S. Secret Service to dismantle the infrastructure and prevent new accounts from being created.
Security experts say the case highlights how phishing-as-a-service has become a democratized business model, where tools are sold cheaply and at scale, turning ordinary users into cybercriminals.
