This month focuses on the RaccoonO365 Phishing Service, Interpol’s Operation Contender, and the Lighthouse and Lucid Phishing-as-a-Service Platforms.
Microsoft’s Digital Crimes Unit Puts a Halt on RaccoonO365 Activities
Microsoft’s Digital Crimes Unit (DCU) successfully disrupted RaccoonO365, a rapidly growing cybercrime tool used to steal Microsoft 365 usernames and passwords.
Summary
- Acting under a court order from the Southern District of New York, Microsoft seized 338 websites linked to RaccoonO365, effectively cutting off its technical infrastructure.
- RaccoonO365 (tracked as Storm-2246) operated as a subscription-based phishing kit service, enabling low-skilled criminals to create realistic phishing campaigns using fake Microsoft branding.
- Since July 2024, the phishing kits have stolen at least 5,000 Microsoft credentials across 94 countries, highlighting the global reach of the threat.
- The phishing campaigns target all sectors.
- Attacks often serve as a gateway to more serious intrusions, such as malware and ransomware, resulting in delayed care, compromised data, and financial losses.
- Health-ISAC, a global non-profit focused on health sector cybersecurity, partnered with Microsoft in the lawsuit to strengthen the protection of healthcare organizations.
- RaccoonO365 evolved rapidly, adding features like AI-MailCheck, which uses artificial intelligence to enhance phishing sophistication and scale operations.
- The service allowed subscribers to target up to 9,000 email addresses per day and included multi-factor authentication bypass techniques, making it highly dangerous.
- Microsoft identified Joshua Ogundipe, based in Nigeria, as the group’s leader. He and his associates managed operations, sold subscriptions, and offered support to other cybercriminals.
- The group used Telegram for marketing and payments, amassing 850+ members and earning at least US$100,000 in cryptocurrency, likely an undercount of total revenue.
- Microsoft’s investigation revealed that Ogundipe has a background in computer programming and authored most of the phishing kit’s code, confirmed through a cryptocurrency wallet trace.
- The DCU collaborated with partners like Cloudflare to seize malicious infrastructure and integrate tools like Chainalysis Reactor for blockchain-based evidence gathering.
- Microsoft emphasizes that international cooperation is essential, as inconsistent global laws allow cybercriminals to evade prosecution across borders.
- The case demonstrates the power of cross-sector collaboration—between tech companies, security firms, governments, and nonprofits—to disrupt global cybercrime networks and strengthen digital safety.
- Read more about it in the Microsoft blog post listed under Sources.
INTERPOL’s Operation Contender 3.0
Operation Contender 3.0, conducted from 28 July to 11 August 2025, led to the arrest of 260 suspects and the seizure of 1,235 electronic devices across 14 African countries, targeting cyber-enabled crimes like romance scams and sextortion.
Summary
- The operation focused on transnational criminal networks exploiting social media and digital platforms to manipulate victims emotionally and extract money or sensitive content.
- Authorities identified 1,463 victims with financial losses estimated at nearly USD 2.8 million, alongside the takedown of 81 cybercrime infrastructures.
- Ghana made the largest number of arrests (68 suspects), seizing 835 devices and identifying 108 victims, recovering USD 70,000 of USD 450,000 lost through romance scams and sextortion schemes.
- Other notable actions included Senegal’s arrest of 22 suspects involved in celebrity impersonation scams defrauding victims of USD 34,000, and Côte d’Ivoire’s dismantling of a major sextortion network with 809 victims identified.
- The operation was supported by private sector partners like Group-IB and Trend Micro, and funded by the UK’s Foreign, Commonwealth and Development Office, highlighting the strength of public-private collaboration in combating cybercrime.
- INTERPOL emphasized a sharp rise in cyber-enabled crimes across Africa, with its 2025 Africa Cyberthreat Assessment Report revealing that two-thirds of African countries consider cyber offences a medium-to-high proportion of all criminal activity.
- Read more about it on the Interpol Website.
Phishing-as-a-Service with Lighthouse and Lucid
Over 17,500 phishing domains linked to the Lighthouse and Lucid PhaaS platforms have targeted 316 brands across 74 countries, showing the massive global reach of these phishing ecosystems.
Summary
- PhaaS services like Lucid and Lighthouse offer ready-made phishing templates for hundreds of global brands, enabling cybercriminals—often with minimal technical skill—to run large-scale credential theft campaigns for a monthly subscription fee.
- Lucid, created by the Chinese-speaking XinXin group, is capable of sending phishing (and smishing) messages through Apple iMessage and Android RCS, targeting industries like finance, postal services, government, and toll companies.
- Lighthouse, developed by LARVA-241, mirrors Lucid’s structure, providing customizable phishing templates, real-time victim monitoring, and attacks across 200+ platforms. Subscriptions range from $88 per week to $1,588 per year.
- Both platforms employ geo-targeting and access restrictions so that only intended victims can view phishing pages, while non-targets see fake storefronts, complicating takedown and analysis efforts.
- Phishing tactics are evolving: criminals are moving away from Telegram to email-based credential harvesting, with Netcraft noting a 25% increase in email phishing, often using EmailJS to steal credentials and 2FA codes.
- Attackers are also deploying homoglyph domains, using characters like the Japanese “ん” to mimic legitimate URLs in crypto-related scams—over 600 fake domains have been detected, tricking users into installing malicious wallet extensions.
- Broader scams have emerged, impersonating major U.S. brands like Delta Airlines and Universal Studios, luring victims into “task-based earning” schemes that require crypto deposits, reflecting how API-driven brand impersonation is fueling financially motivated fraud.
- Read more about it in The Hacker News article listed under Sources.
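As an added example (not code from the report or from any of the vendors it cites), the following Python triage check flags hostnames that use the homoglyph trick described above: non-ASCII (IDN) hostnames, labels that mix scripts, and the hiragana “ん” (U+3093) the report names as a lookalike. The script heuristic based on Unicode character names and the sample URLs are assumptions constructed for the demo.

```python
import unicodedata
from urllib.parse import urlparse

# Only the lookalike named in the report (hiragana "n", U+3093); extend as you see new ones.
SLASH_LOOKALIKES = {"\u3093"}

# Constructed sample URLs for the demo; neither is a real indicator.
SAMPLE_URLS = [
    "https://login.example.com/account",
    "https://secure.example.com\u3093wallet.example/",
]


def script_of(ch: str) -> str:
    """Rough script name taken from the Unicode character name, e.g. LATIN or HIRAGANA."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def analyze_url(url: str) -> dict:
    """Inspect a URL's hostname for IDN homoglyph tricks and return findings for triage."""
    host = urlparse(url).hostname or ""
    findings = []
    if not host.isascii():
        findings.append("non-ASCII hostname (IDN); review the punycode form")
    for label in host.split("."):
        # Scripts of the letters in this label; more than one is a classic homoglyph signal.
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
        if any(c in SLASH_LOOKALIKES for c in label):
            findings.append(f"path-separator lookalike in label {label!r}")
    try:
        # The punycode form is what resolvers and blocklists actually see.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = "<unencodable>"
        findings.append("hostname fails IDNA encoding")
    return {"host": host, "punycode": punycode, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyze_url(sample)
        print(result["punycode"], "->", result["findings"] or "clean")
```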
Sources
- https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/
- https://www.interpol.int/en/News-and-Events/News/2025/260-suspected-scammers-arrested-in-pan-African-cybercrime-operation
- https://thehackernews.com/2025/09/17500-phishing-domains-target-316.html