The Nigeria Police Force National Cybercrime Centre (NPF-NCCC) has launched an extensive investigation into a major international cybercrime operation involving computer-related fraud, phishing, identity theft, malware attacks, and impersonation targeting Microsoft 365 users across several countries.
The probe followed credible intelligence received from Microsoft Office, United States, through the Federal Bureau of Investigation (FBI), which revealed the use of a malicious phishing toolkit known as *RaccoonO365*. The toolkit was reportedly deployed to create fake Microsoft login portals used to harvest user credentials and gain unlawful access to email accounts belonging to corporate organisations, financial institutions, and educational establishments.
In response, the NPF-NCCC commenced a coordinated operation with Microsoft, the FBI and the United States Secret Service. Investigations showed that between January and September 2025, multiple incidents of unauthourized access to Microsoft 365 accounts were linked to phishing emails designed to mimic legitimate Microsoft login pages. These attacks enabled business email compromise, internal phishing, data breaches and other cyber-enabled fraud.
Through advanced digital forensics, technical intelligence analysis and cryptocurrency tracing, investigators identified suspicious wallets connected to cash-out schemes linked to the operation.
Acting on actionable intelligence, NPF-NCCC operational teams were deployed to Lagos and Edo States, leading to the arrest of three suspects, Joshua, James, and Okitipi Samuel, on September 20 and October 4, 2025. Searches conducted at their residences resulted in the recovery of mobile phones, laptops and other digital exhibits connected to the cybercrime network.
Further investigations identified Okitipi Samuel, also known as “Moses Felix”, as the developer and operator of the phishing infrastructure. Authorities revealed that he managed a Telegram channel used to sell phishing links for cryptocurrency payments and hosted fake Microsoft login pages on Cloudflare using stolen or fraudulently obtained email addresses. Investigators also confirmed that he unlawfully used the email details of one of the arrested individuals, without consent, to register some of the accounts used in the operation.
Blockchain analysis traced the cryptocurrency wallets involved to Bitnob and Exodus Wallet platforms, with linked Know-Your-Customer (KYC) information identifying Okitipi Samuel as the sole beneficiary. Evidence indicated that the phishing links he generated facilitated multiple unauthorised intrusions into Microsoft 365 accounts across different jurisdictions, resulting in financial losses and the exposure of sensitive information.
The investigation, however, found no evidence that Joshua and James were involved in the creation or operation of the RaccoonO365 scheme. Authorities disclosed that their personal information and devices were allegedly exploited without their authorisation by the principal suspect.
A prima facie case has been established against Okitipi Samuel for identity theft, unlawful access to computer systems, creation and distribution of malicious software, aiding and abetting fraud, and unauthorised interference with network data. He is expected to be charged under the relevant provisions of the Cybercrimes (Prohibition, Prevention, etc.) Act, 2024.
The Nigeria Police Force, under the leadership of the Inspector-General of Police, IGP Kayode Adeolu Egbetokun, PhD, NPM, reaffirmed its commitment to safeguarding Nigeria’s digital ecosystem and protecting citizens, businesses and institutions from emerging cyber threats.
