The Nigeria Police Force has arrested a Nigerian over a cyberattack that targeted Microsoft 365 users across several countries. The suspect, identified as Okitipi Samuel, was arrested following an international investigation led by Nigeria’s National Cybercrime Centre.
Police said the probe involved close cooperation with Microsoft, the United States Federal Bureau of Investigation, the US Secret Service, and the UK’s National Crime Agency.
The Force Public Relations Officer, Benjamin Hundeyin, disclosed the arrest on Thursday in Abuja while briefing journalists.
How the Microsoft 365 Attack Worked
According to police findings, the cyberattack relied on a phishing toolkit known as “Raccoon 0365”. The toolkit was used to create fake Microsoft login pages. These pages were designed to steal usernames and passwords from unsuspecting users. Hundeyin said the fake portals were used to access email accounts belonging to corporate organisations, banks, and educational institutions worldwide.
“This investigation commenced following credible intelligence received from Microsoft USA through the FBI,” Hundeyin said.
He explained that the phishing emails closely resembled legitimate Microsoft 365 login prompts. Once users entered their details, attackers gained unauthorised access.
Between January and September 2025, police traced multiple cases of account breaches to the same phishing infrastructure.
Digital Trails and Key Arrests
Investigators said digital forensic analysis and cryptocurrency tracing played a key role in the case. Suspicious crypto wallets linked to the operation were identified during the investigation.
This led police teams to Lagos and Edo states. Three suspects were arrested between September 20 and October 4, 2025. Hundeyin named them as Joshua, James, and Okitipi Samuel.
“Searches at their residences led to the recovery of mobile devices, laptops, and other digital exhibits linked to the fraudulent scheme,” he said.
Further investigation identified Okitipi Samuel, also known as Moses Felix, as the main suspect. “The primary suspect… has been identified as the developer and operator of the phishing infrastructure,” Hundeyin added.
Police said Samuel ran a Telegram channel where phishing links were sold for cryptocurrency. The fake login pages were hosted using Cloudflare.
Identity Theft Uncovered
Investigators later discovered that two of the arrested individuals were victims themselves. According to Hundeyin, the identities of Joshua and James were used without their consent.
“There was no evidence linking them to the creation or operation of the phishing scheme. They were victims of identity theft,” he said. The police confirmed that Samuel had used stolen personal details to register accounts connected to the operation.
Authorities say investigations are ongoing as they work with international partners to dismantle the wider network.
I am passionate about crafting stories, vibing to good music (and making some too), debating Nigeria’s political future like it’s the World Cup, and finding the perfect quiet spot to work and unwind.
No Comments