Microsoft has taken control of nearly 340 websites connected to a Nigerian phishing service called Raccoon0365. This service stole login details from at least 5,000 Microsoft users.
The action came after Microsoft got a US court order in Manhattan to seize domains tied to the subscription-based phishing platform. Raccoon0365 operated through a private Telegram channel with more than 850 members. It allowed users to pretend to be trusted brands and trick people into entering their Microsoft login details on fake websites.
Steven Masada, assistant general counsel for Microsoft’s digital crimes unit, revealed that the service has earned at least $100,000 in cryptocurrency since it started in July 2024. Microsoft identified Joshua Ogundipe, a Nigerian, as the leader of Raccoon0365. He did not respond to requests for comment.
The phishing attacks targeted various industries, with a large focus on organisations in New York City. Between February 12 and 28, 2025, Raccoon0365 used tax-themed phishing emails to target over 2,300 organisations, mainly in the US.
The health sector was also hit, with five healthcare organisations reportedly losing login credentials and 25 others targeted, according to Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center. Weiss warned that hackers gaining access to networks could cause unpredictable and serious problems.
Raccoon0365 used Cloudflare to hide its infrastructure, but Cloudflare worked with Microsoft and the US Secret Service to block new accounts and disrupt the operation. Blake Darché, Cloudflare’s head of threat intelligence, said the hackers made mistakes but were still very effective.
Masada emphasised that easy-to-use tools like Raccoon0365 make cybercrime accessible to almost anyone, putting millions of users at risk.