Okitipi Samuel, also known as Moses Felix, an international cybercrime syndicate has been arrested for allegedly being the developer behind the Raccoon 0365 phishing toolkit.
The Nigeria Police Force National Cybercrime Centre (NPF-NCCC) announced the breakthrough on Thursday, December 18, after a year-long investigation involving the FBI, Interpol, and Microsoft’s Digital Crimes Unit.
Raccoon 0365 operated as a Phishing-as-a-Service (PhaaS) model, allowing low-skilled criminals to rent sophisticated hacking tools for approximately $355 per month.
Between January and September 2025, the toolkit was used to harvest over 5,000 Microsoft 365 credentials from 94 countries, targeting healthcare providers, financial institutions, and government agencies.
The operation gained global attention for its ability to bypass Multi-Factor Authentication (MFA) using deceptive Cloudflare Turnstile CAPTCHAs to trick users into feeling secure.
In September 2025, Microsoft successfully seized 338 domains linked to the infrastructure, leading investigators directly to the digital footprints of the developer in Nigeria.
While three individuals were initially detained in Lagos and Edo states, police cleared two suspects Joshua and James, ruling that they were victims of identity theft, whose details were used by Samuel to register malicious infrastructure without their consent.
Investigators used advanced blockchain forensics to trace cryptocurrency wallets used to sell phishing links on Telegram. Samuel allegedly managed a channel with over 850 members, receiving over $100,000 in digital payments.
Despite the global scale of the crime and involvement of the FBI, Nigeria has opted to prosecute Samuel locally under the Cybercrimes Act, 2024, which carries a maximum sentence of 10 years for attacks on critical infrastructure.
Force PRO Benjamin Hundeyin lauded the arrest as a testament to Nigeria’s growing digital sovereignty and technical capacity. The NPF-NCCC claims to have “cut the head off the snake”, by unmasking the developer rather than just the end-users, and also disabling a tool that was sending up to 9,000 malicious emails daily.
Okitipi Samuel remains in custody and is to be arraigned in a Federal High Court by early January 2026. Meanwhile, Microsoft has begun a mass-notification process for the 5,000+ compromised account holders to reset their security protocols.
