Monday, September 22, 2025

Microsoft DCU's Takedown of RaccoonO365

When I saw the name of the Microsoft Digital Crimes Unit's latest target, "RaccoonO365", I probably reacted to it differently than most. With the help of a friend in Lagos, we've been watching the money launderers, and things have reached the point where they now refer to what we used to call "Business Email Compromise" or BEC as "O365 Jobs."

from Microsoft's explainer on RaccoonO365

Microsoft DCU is famous for massive takedowns of cyber-criminal infrastructure via civil action in the US courts. This case is no different: they filed for an emergency Temporary Restraining Order in the Southern District of New York, co-filed with the Health-ISAC. The choice of venue is justified in the filing in part by showing that New York City was one of the most heavily targeted cities, based on the victims they were able to identify.


From Microsoft DCU's "Complaint and Summons" against Joshua Ogundipe and John Does 1-4

Microsoft used several methods to determine that Joshua Ogundipe of Nigeria played a key role in this Phishing-as-a-Service enterprise, which began in the summer of 2024, after Microsoft had taken down a similar platform called Fake ONNX.

A great deal of the RaccoonO365 infrastructure was hidden behind Cloudflare's reverse proxy service and/or registered through Cloudflare's domain registration service, and Microsoft was able to determine that Joshua controlled the associated Cloudflare accounts.

Microsoft also reveals the LinkedIn account of Joshua Ogundipe, which displays the logo of DIGIhubng and indicates that he lives in Benin City, Edo State, Nigeria. Yet another criminal who works for a company that claims to teach "Ethical Hacking"  ... 

Microsoft demonstrates Joshua Ogundipe's LinkedIn page


Digihubng's Ethical Hacking courses

DigihubNG, formerly "Simple Hacks Workshop" -- "Learn How Hackers Create a fake login page and use it to steal passwords"

Microsoft & Health-ISAC's Interest in RaccoonO365

The Complaint filed by Microsoft and Health-ISAC says that "at least 25 healthcare companies, including 9 organizations who are members of Health-ISAC have been hit by RaccoonO365 phishing kits." In some cases the phishing emails were detected and blocked; in others an employee fell for the phish and handed their credentials to the criminals, but the organizations responded swiftly with password resets for those individuals.

Microsoft and Health-ISAC charge the RaccoonO365 co-conspirators with the following violations, which harmed both organizations and their customers and members.

Count I: Violation of the Computer Fraud and Abuse Act, 18 USC § 1030. 
Count II: Racketeer Influenced and Corrupt Organizations Act, 18 USC § 1962. 
Count III: Conspiracy to Violate RICO, 18 USC § 1962(d). 
Count IV: Violation of Electronic Communications Privacy Act, 18 USC § 2701. 
Count V: (Microsoft only): False Designation of Origin under the Lanham Act, 15 USC § 1125(a). 
Count VI: (Microsoft only): Trademark Infringement Under the Lanham Act, 15 USC § 1114 et seq. 
Count VII: (Microsoft only): Trademark Dilution under the Lanham Act, 15 USC § 1125(c). 
Count VIII: Common Law Trespass to Chattels. 
Count IX: Conversion.
Count X: Unjust Enrichment. 

RaccoonO365 Crypto Addresses

When Microsoft made a test purchase by interacting with the "RaccoonO365" admin on Telegram, they were given a Bitcoin address, bc1qmlsuqm4p6lme8e2qna3mkj07k8j7vttp0l7ydv, for the payment. That address is hosted at the Nigerian cryptocurrency exchange Bitnob.com and had received 132 deposits between October 16, 2024 and July 1, 2025, totaling just under $34,000.

Cloudflare's "Cloudforce One" team also published a list of Indicators of Compromise for RaccoonO365. They share a different Bitcoin address, bc1qjtlzug5wu7ag8yskn5h2xjd27uetq5cc4sahh5, which went live on July 3, 2025 and received payments through September 13, 2025. An Ethereum (ERC-20) address, 0xf5C2E3749F332175D94C7de7bf7AA8d679E460B7, also received $2,800 between May 7, 2025 and August 29, 2025. The USDT address, TBB5T28b9n2SK8shXb9oq867EcsNE5dZie (a Tron address, so TRC-20 USDT), also went live in the first week of July and received $7,448 through September 12, 2025. Those funds flow to a ChipperCash account; the ChipperCash app has more than 5 million downloads in the Google Play Store, and the animation on its home page shows people in the United States sending funds to people in Nigeria.

Cloudflare's IOC list also provides a list of "EDFs" (Email Detection Fingerprints) covering several campaigns, including a Maersk-branded phishing campaign, a Zoom-branded campaign, and campaigns imitating DocuSign, SharePoint, and Adobe.

The Cloudforce One RaccoonO365 report is certainly worth reading in its entirety. It includes a pricing list from the Telegram channel showing the subscription rates, from 30 days ($355) to 90 days ($999).

The Taxman Spammeth 

During the 2025 US tax season, Microsoft put out an advisory that the RaccoonO365 phishers, tracked within Microsoft as "Storm-0249", were delivering IRS-themed tax phish that resulted in malware infections. The tax phish, claiming to be from the "IRS Audit Department," linked to a fake DocuSign website that asked the recipient to download and review an "IRS Verification Form-2025."

The same advisory warned that between February 12th and 28th, Microsoft observed at least 2,300 organizations targeted by another RaccoonO365 IRS-themed campaign. This one carried a PDF containing a QR code; scanning it sent the recipient to SharedDocumentsO365CloudAuthStorage[.]com, which presented a fake Microsoft login page to steal credentials and session cookies.

From the Microsoft Tax Phishing report

RaccoonO365 Domain Registration Insights

Both Microsoft and Cloudflare provide long lists of domains used by the RaccoonO365 phishers, many of which share Gmail or Yahoo email accounts as registrants. Some of the R-O365 customers clearly have targets within a certain demographic, as we can see when we look for other domains registered with the same email address. A few examples:

"Nawty Boss" is the name used by edmblais@gmail.com. Some of the domains created by Mr. Boss indicate that he is a long-time Microsoft phisher who targets law firms and "conveyancing" companies. He registered an obvious Microsoft-themed phishing domain, owa-outlookaccess-login[.]us, all the way back on August 8, 2022, but during the R-O365 period his domains include:

prioritylegals[.]com
bytheruleslegal[.]com 
bandhlawyers[.]com 
oconnorharis[.]com 
proctorgraham[.]com 
shamonlawyers[.]com 
aslegals[.]com 
boylandlawyers[.]com 
1836conveyancing[.]com 
crystalconveyancing[.]com
nestconveyancing[.]com 
raywardconveyancing[.]com 
keysconveyancing[.]com and many more - at least 27 domains! 

Cheryl Sharp is the name used by oodybugs53@gmail.com to register several domains imitating construction companies, such as:

turnerconstructLons[.]com (the real Turner Construction builds things like NFL stadiums and hospitals)
turnerconsstruction[.]com 
turrnerconstructions[.]com 
clarkconstructLion[.]com (the real Clark Construction builds things like Naval Bases and high rises)
clarkconstructionproject[.]com
truxobuild[.]com and several others. 

Many others just stick to Microsoft imitation. For example, Dave White, the name used by thceneda@gmail.com, registered domains such as:

officedocdrivecloudfile[.]com
officedocdrivecloud[.]com 
officeclouddriveshared365[.]com and others.  

Michael Previte, using the email mchlprevite@gmail.com registered domains such as: 

MSGReceivedAlert[.]com 
Documents-flip[.]com 
Microsoft-Voicemail-EDriveOnline[.]com and others. 

Other Gmail accounts used by registrants included: drstacywalter, drstacywalterofficial, elaindnck, sjone0884, bruceandrews21, officebox3585, tarakent60, rmcy987, redirecting.com@gmail.com, jcllay07, rarejnr, keedew12, kimmit205, marketingchairman50, megatechblock247, nwfamsp000, michaelwesleysullivan, jennix18, woodlandmech, mbookpro115, owolabimoney31, moorejulian659, theonlyzeus1999, blaketurner826, genedurgin2, goldenheart3890, ky0dx2024, donald.bill100, crasengan073. (And a few non-Gmail: loaann1@outlook.com, bclarknorwood@outlook.com, tfloy03@yahoo.com.) The majority of the listed domains were hiding behind Cloudflare's registrar service, which, for a couple hundred of the domains, shows a "Registrant email" of the form hxxps://domaincontact.cloudflareregistrar[.]com/scammerdomain[.]tld instead of a real mailbox.
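As an added example (not code from this post, from Microsoft's filing, or from Cloudflare's report), here is the two-step pivot this section does by hand, in runnable form: group domains by registrant contact, then flag the ones whose second-level label imitates a brand, including the "L"-for-"i" substitution in turnerconstructLons. The record list is constructed from the registrant/domain pairs quoted above; the brand list, the homoglyph table, the edit-distance threshold of 2, and the placeholder example-phish[.]com domain are assumptions for illustration.

```python
"""Registrant pivoting and brand look-alike detection over phishing domains.

Added example for this post; not code from Microsoft, Cloudflare or the
RaccoonO365 filings. RECORDS is constructed from the registrant/domain pairs
quoted in the post (defanged as in the post); BRANDS, HOMOGLYPHS and the
edit-distance threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

RECORDS = [
    ("edmblais@gmail.com", "prioritylegals[.]com"),
    ("edmblais@gmail.com", "owa-outlookaccess-login[.]us"),
    ("oodybugs53@gmail.com", "turnerconstructLons[.]com"),
    ("oodybugs53@gmail.com", "turnerconsstruction[.]com"),
    ("oodybugs53@gmail.com", "turrnerconstructions[.]com"),
    ("oodybugs53@gmail.com", "clarkconstructLion[.]com"),
    ("oodybugs53@gmail.com", "clarkconstructionproject[.]com"),
    ("thceneda@gmail.com", "officedocdrivecloudfile[.]com"),
    ("mchlprevite@gmail.com", "Microsoft-Voicemail-EDriveOnline[.]com"),
    ("mchlprevite@gmail.com", "MSGReceivedAlert[.]com"),
    # Cloudflare Registrar publishes a per-domain contact URL instead of a
    # mailbox. This domain is a placeholder (assumption, not from the IOC lists).
    ("hxxps://domaincontact.cloudflareregistrar[.]com/example-phish[.]com",
     "example-phish[.]com"),
]

# Brands to check for look-alikes (assumed list; case and separators are ignored).
BRANDS = ["turnerconstruction", "clarkconstruction", "microsoft", "outlook", "office"]

# Visual substitutions: "l" (lowercased "L") for "i" is the one seen above in
# turnerconstructLons; the digit-for-letter entries are added on assumption.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s", "3": "e"})

CLOUDFLARE_CONTACT = re.compile(r"^https?://domaincontact\.cloudflareregistrar\.com/", re.I)


def refang(indicator: str) -> str:
    """Undo the post's defanging so the values can be parsed."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrant_key(contact: str) -> str:
    """Cloudflare contact URLs are unique per domain, so they cannot be pivoted
    on like a shared mailbox; collapse them into one bucket to make that visible."""
    if CLOUDFLARE_CONTACT.match(refang(contact)):
        return "cloudflare-redacted"
    return contact.strip().lower()


def fold(text: str) -> str:
    """Lowercase, drop separators, and map homoglyphs, so the brand and the
    candidate label are compared in the same alphabet."""
    return re.sub(r"[^a-z0-9]", "", text.lower()).translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_hits(domain: str, brands=BRANDS, max_dist: int = 2) -> list:
    """Return (brand, reason) pairs for brands the second-level label imitates,
    either by containing the folded brand or by being within max_dist edits of it."""
    label = fold(refang(domain).split(".")[0])
    hits = []
    for brand in brands:
        target = fold(brand)
        if target in label:
            hits.append((brand, "contains"))
        else:
            d = levenshtein(label, target)
            if d <= max_dist:
                hits.append((brand, f"edit-distance={d}"))
    return hits


def cluster_by_registrant(records=RECORDS) -> dict:
    """registrant key -> sorted list of domains registered under it."""
    groups = defaultdict(list)
    for contact, domain in records:
        groups[registrant_key(contact)].append(domain)
    return {k: sorted(v) for k, v in groups.items()}


def report(records=RECORDS, brands=BRANDS) -> dict:
    """registrant key -> {domain: look-alike hits}; pivot and triage in one pass."""
    return {key: {d: lookalike_hits(d, brands) for d in domains}
            for key, domains in cluster_by_registrant(records).items()}


if __name__ == "__main__":
    for key, domains in report().items():
        print(f"{key} ({len(domains)} domains)")
        for domain, hits in domains.items():
            print(f"  {domain:45} {', '.join(f'{b}:{why}' for b, why in hits) or '-'}")
```

Run with python3 and it prints one block per registrant. Folding the brand through the same homoglyph table as the label is what makes turnerconstructLons a direct "contains" hit and clarkconstructLion a one-edit hit; comparing only the raw label would miss both. The Cloudflare contact URLs are deliberately collapsed into a single "cloudflare-redacted" bucket: a per-domain URL looks like a registrant email in a WHOIS dump but pivots to nothing on its own, so those domains need a different link, such as the Cloudflare account ownership Microsoft established.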

RaccoonO365 Telegram Channel Insights

The R-O365 Telegram channel made frequent boasts about the ways they were improving their services.

In April they started a beta of their "RaccoonO365 Mailer", where the service not only captured cookies and credentials for you but sent your spam as well.

The price for the new service was $500, $1,000, or $1,500 per year, depending on the options selected.

In August they announced that they were now "a bulletproof cPanel provider." 


In early September they reworked their subscription plans (charging a LOT more money!).

Their last big improvement was announced September 15th, just in time for all of their major infrastructure to be kicked off Cloudflare and/or seized under Microsoft's court order!


RaccoonO365 Still Kicking

After Microsoft's court action, the Telegram channel went dark (the last post we saw was September 17, 2025.)  For the sake of completeness, I messaged the admin, whose account is still live, and asked him if there were plans for a new channel. 

It looks like his current focus is selling access to the accounts he has already compromised. The pricing plan for phishing has changed considerably as well. Rather than selling unlimited spamming for a flat monthly rate, he now charges by the number of "leads" he sends your phish to, with guaranteed success rates. He'll send 50,000 messages, guaranteeing "logs" (captured credentials) from 300 accounts, for $1,000. For $1,500 you get 100,000 messages with 700 guaranteed logs, and for $2,000 you get 200,000 messages with 1,500 guaranteed logs.

Current plan as of 22SEP2025


Joshua Kayode Ogundipe?

Goodnews Eguabs is the founder of DigiHubng. He has one Ogundipe friend, James.  
James has a friend named Joshua Kayode Ogundipe.  Could this be our guy?  Inconclusive. 


Microsoft noted that this seemed to be a continuation of the phishing kits created by Abanoub Nady, known online as MRxC0DER, who sold his Phishing-as-a-Service under the brand name "ONNX".
While there are many similarities, including the seizure of 240 domains under a very similar TRO, Abanoub Nady was an Arabic-speaking Egyptian. (See https://noticeofpleadings.com/fakeonnx/ for more details.)

An Interesting Associate: TopBoy7x and Phishing Intelligence 

Curiously, one of the users authorized to post in the RaccoonO365 Telegram channel was @Topboy7x. TopBoy has paid for an exclusive Telegram-provided "+888" anonymous number (+888 0926 4717) and has an Arabic-language bio on Telegram.


Top Boy runs the 15,966-subscriber Telegram channel "MiddleMen" and has paid for several desirable usernames as aliases on his account, including @safedealagent, @awsfather, @finalizer, @commandment, and @paywithusdt. By rotating through these aliases in his channels, he may be fooling some users into believing there are multiple vendors vouching for one another. Nope, it's all the same guy. He offers escrow services, corporate intelligence services, and spamming services in many criminal channels, including RaccoonO365. Why the alias @awsfather? Because one of his specialty services is selling hacked AWS accounts.

The messages below are from TopBoy's Telegram channel hxxps://t.me/verticals, where he has been selling hacked accounts since at least July 2024. 

https://t.me/verticals/706

TopBoy's screenshots make it clear that he sells AWS accounts for use as spamming engines. In this screenshot, the AWS account shows "451,323 Remaining Sends" against its daily email limit.

TopBoy also sells corporate intelligence services, such as hacked accounts at Grata. This screenshot from TopBoy shows how such an account can be used to research companies in the "Energy" industry, for example; he also sells hacked accounts at PitchBook and Apollo for your intelligence needs.


PitchBook offers salespeople (or, in this case, criminal spammers) contact details and job titles for 4.5 million business people.


Other spamming services he sells include NeverBounce Pro, where again he is selling access to someone else's hacked account:


Sunday, September 14, 2025

Indian Call Center Scammers partner with Chinese Money Launderers

At the end of August 2025, the US Attorney's Office in San Diego announced four indictments against members of a Chinese organized crime ring that stole at least $65 million from thousands of older Americans. The case was notable because the US Attorney credited two YouTube channels with the leads that led to 25 arrests so far in California, New York, Texas, and Michigan.

When we see 25 Chinese arrests, it is tempting to assume this is purely Chinese organized crime, but those who actually watch the videos will realize that's not the case. The referenced videos are from late 2020 and early 2021, and each starts with Scammer Payback (Pierogi) responding to a refund scam.

Indian call center operators refer to this type of "lead generation" as "email blasting", and we have tens of thousands of example posts from Facebook groups offering the "service" of sending bogus Microsoft Defender emails claiming that the victim's credit card is being charged and offering a telephone number to dispute the charge. Ads for this service in tech support Facebook groups have been constant for years, including ads as recent as this week:


A typical "Microsoft Defender Refund" from this time period looked like this: 


We've called dozens of these numbers and they all follow a similar script: they convince the caller to allow remote control of their computer to "assist" with the refund. We often hand the scammers a virtual machine and use it to learn which remote control tool they are using and where it is hosted. But Scammer Payback goes quite a bit further!

When Pierogi received the number from a similar call center scam, he called it. His video makes clear that the scammers he was dealing with were speaking Hindi to one another. He not only lets the remote control happen, he helpfully has a bank account open. The scammers see the millions of dollars available and can't help themselves. He is a juicy target!
Scammer Payback: https://www.youtube.com/watch?v=hrLZbc-Rfbo

The scammers have Pierogi type in his own refund amount - but they alter it to make it appear that he typed too many digits resulting in a much larger than intended refund.  Then they demand that he withdraw the difference in cash and ship it back to "them."

Being a very compliant victim, Scammer Payback agrees immediately, taking down the address and agreeing to send the package of cash by overnight delivery. At this point Pierogi engages the Trilogy Media team, who agree to take their camera crew to the pickup site to find out who is on the other end of the package.

Trilogy Media: https://www.youtube.com/watch?v=in_Y5q_-F2Y

But in three out of three cases where Pierogi uses Trilogy to deliver a cash package, the package goes to a young Chinese person at an Airbnb that has been rented for a very short period.

We have actually seen this model in other cases ... in 2022 we wrote about the case of Jianjie Liu on this blog in a post called "Chinese Call Center Runner Pleads Guilty in Georgia."


Jianjie Liu did cash pickups for a wide variety of scams, including Grandparent scams, Inheritance scams, and Government Grant Scams.  She was actually arrested in a case involving Walmart Gift Cards that led to the discovery of 718 Gift Cards in her vehicle. In one case almost exactly like those above, Liu was sent a $20,000 Cashier's check after someone processing a $555 refund was accidentally refunded $20,555 and had to send the difference back to the scammers.  The check was made payable to a shell company in Georgia controlled by Liu.

Where do these Chinese agents doing the cash, check, and gift card pickups come from? Recently this has become one of the most popular "Crime as a Service" offerings from the various Chinese Guarantee Syndicates. Each syndicate has a menu of vendors who have made a large deposit in USDT for the right to sell their services there. This category is usually called some variation of "Collection Services."

You may have heard of "Huione Pay," generally considered the largest of the Chinese Guarantee Syndicates. FinCEN took action, announcing that "Cambodia-based Huione Pay" is a money laundering concern and proposing a new rule designating it a "Primary Money Laundering Concern" to combat this type of cybercrime. After this announcement, Huione migrated most of its vendors over to a former competitor, Tudou Danbao (which means "Potato Guarantee").

The "Buy and Sell" channel for Potato currently has 130,000 subscribers, while one of their primary channels has 209,000. Category 2 on their vendor menu is "Collection Services", which currently has 656 vendors who have paid deposits of between 15,000 and 259,000 USDT to have their services recommended and advertised by the new Guarantee Syndicate. These are the teams offering cash pickup services across the United States.

(findings from non-profit Intelligence for Good)

Many other Guarantee Syndicates have dozens to hundreds of similar vendors in their respective Collection Services categories. Here is a typical ad, boasting of the cities where the vendor maintains teams of workers ready to pick up packages:



The US Financial Crimes Enforcement Network (FinCEN) has issued two recent reports about Chinese money laundering networks. One is an advisory on the use of Chinese money laundering networks by Mexican drug cartels; the other contains detailed analysis of several different models used by those networks.


Several "red flags" are shared as advice to financial institutions to help them recognize CMLO behaviors that should be reported via Suspicious Activity Reports:


Saturday, September 13, 2025

Attorneys General go after Bitcoin ATMs for supporting Fraud

On 08SEP2025, the District of Columbia's Attorney General filed a lawsuit against Athena, a "Bitcoin ATM" provider with 4,100+ BTMs installed. Athena charges as much as a 26% fee when someone deposits cash to buy cryptocurrency. More importantly, the lawsuit claims that 93% of all deposits into Athena BTMs in the DC area were made by scam victims.

The main argument of the lawsuit is that Athena knows it is facilitating fraud, that it profits substantially from that fraud (up to 26% per transaction), and that it refuses to refund the victims, even though a quarter of the money is still in Athena's coffers after the transaction!

https://oag.dc.gov/sites/default/files/2025-09/Athena%20Complaint.pdf


The DC AG goes further, with a very significant accusation:

"Athena also has allowed elderly consumers to deposit very large amounts of cash over short time periods into wallets that Athena knew had already been used by other scam victims. Athena’s ineffective oversight procedures have created an unchecked pipeline for illicit international fraud transactions." 


The DC AG's lawsuit claims that the average age of the victims enticed into depositing fraud funds into an Athena BTM in the district was 71, and that half of them deposited at least $8,000!

Despite statistics in the complaint showing that only 1.2% of elders invest in Bitcoin, the vast majority of BTM deposits are made by people over the age of 60. The FBI's IC3.gov reported $124 million in Bitcoin ATM scam losses against those over 60 in 2023, compared to $33 million for all other ages combined.

There is also nothing to support the common claim that Bitcoin ATMs are intended to help the "unbanked". Compare that statistic to the FDIC's survey of "unbanked" Americans, which showed that only 1.2% of "unbanked" citizens use crypto for any reason other than "investment." I loved this survey question from the FDIC's 2023 survey.

https://www.fdic.gov/household-survey/2023-fdic-national-survey-unbanked-and-underbanked-households-report


The FDIC Survey also broke down crypto usage by household income.

While the DC AG's lawsuit is significant, it was not the first. Iowa's Attorney General filed two similar lawsuits, one against Coinflip and the other against Bitcoin Depot (click through to see the factual allegations for each). Iowa's lawsuits show that Coinflip BTMs in Iowa were used to assist in the theft of $13 million from scam victims between January 2021 and June 2024, while Bitcoin Depot BTMs in Iowa assisted in the theft of $7.2 million between October 2021 and July 2023. That's $20 million in scams in a state of only 3.2 million residents.

My favorite quote from Iowa:

“At best, Bitcoin Depot is a willfully blind participant in the victimization of hundreds of Iowans. At worst it is a silent partner to many scammers preying on Iowans, taking a cut of each scam with its excessive and deceptive BTM fees that are further paired with a lack of refunds.”

This analyst believes that statement could be applied to every "Bitcoin ATM" in every state.

Coinflip Lawsuit
Bitcoin Depot Lawsuit

While using a BTM involves the display of several warnings and disclaimers, the lawsuits point out that the elderly victims are almost always on the phone with the scammer while they conduct the transaction, and the scammer is coaching them to ignore every one of those disclaimers. The disclaimers themselves are offered as evidence that the BTM providers are fully aware their machines are being used to facilitate significant volumes of fraud against the elderly, and that this fraud provides significant revenue to the companies. These images are from the DC AG v. Athena complaint:

Bitcoin Depot has over 8,000 BTMs but boasts more than 16,000 locations where you can buy cryptocurrency (including "BDCheckout", where you can purchase crypto at a cash register). Here's a location breakdown by state, including 414 Iowa locations (and 399 in my home state, Alabama!):

http://branches.bitcoindepot.com/

Coinflip has over 5,500 BTM locations and claims to have processed at least $4 billion in transactions. But what percentage of those transactions were fraudulent?

https://coinflip.tech/about

Friday, September 12, 2025

Chinese Guarantee Syndicates and the Fruit Machine

When I was speaking to a group of Bank Security people in New York City yesterday, I mentioned "machine rooms" -- which are rooms full of Apple iPhones that are used to send iMessage phishing spam. Someone in the audience asked "Where would they get that many phones?"

The kids like to use the acronym "IYKYK" (If You Know You Know).  I learn new IYKYK phrases in Chinese Telegram every day. 

Today's new favorite phrase? 水果机 - Shuǐguǒ jī - "Fruit machine." 

 Example usage: 🔥低价出正品水果机 ("Genuine fruit machines at low prices") 

Fruit machine is coded language for Apple iPhones.

Huione Pay Advertisements for iPhone Smugglers

This advertiser pays HuionePay's Haowang Guarantee for the right to post an ad for their group once every hour, the highest advertising tier, so that the one-line advertisement appears 24 times per day in Haowang Guarantee's "buy and sell" group.

What? You thought Telegram had banned HuionePay? hahahahahaha ... but they do try to hide their traffic by rebranding their "Crime as a Service" vendors as "Potato Guarantee" rather than Haowang Guarantee.


Group: "Yongle smuggles Apple phones"
The Chinese characters above the "danbao" spell "Potato" (tǔ dòu)
The Chinese characters below "danbao" are "Guarantee" (dān bǎo)

Links shared by this advertiser go to a 38,438-member "Potato Guarantee" group called "Yongle smuggles Apple phones", which notes that Yongle has deposited 208,000 USDT to insure that your transactions are safe. (The "trust model" of the Chinese Guarantee Syndicates is that vendors make a deposit to be listed in the vendor directory, and the syndicate promises that any transaction up to the level of the deposit will be backed by the syndicate should anything go wrong.)

(Google translated)

The welcome message for the group says:

"Various models of iPhone are available, all smuggled into the country as brand new, unopened, and unactivated official Chinese versions, suitable for personal use or resale." They go on to say that your phone will be delivered within 72 hours and that if it is shown to be used, they will refund 10x your purchase price!

Another September ad using the "fruit machine" language in a major HuionePay group also now leads to a "Potato Guarantee" group with 12,154 members (Group 2851, with a 38,000 USDT deposit). The translated welcome message when joining calls the group "Xili Smuggles mobile phones and digital products" and promises "Various models of iPhone are available, all smuggled into the country as brand new, unopened, and unactivated national versions, suitable for personal use or resale."

Group: "Xili Smuggles Mobile Phones and Digital Products"

Xili, who prefers to call himself "Heineken," is currently taking deposits for iPhone 17s. He will also throw in an Apple Watch if you pay 1,000 yuan extra. Currently he charges 5,999 yuan for an iPhone 16 Pro Max 1TB, or approximately $850.

Xili / Heineken's most recent advertisement

If that whole thing sounds insane, I would encourage you to read the book "Apple in China" by Patrick McGee. Smuggling iPhones is an EXTREMELY lucrative organized crime business in China!

There are of course many more Guarantee Syndicates, with many thousands of vendors who have paid to advertise their "Crime as a Service" offerings: gift card and cash pickups, SMS/iMessage/RCS phishing, credit card theft, trade-based money laundering, and anything else you can imagine, from human trafficking to cigarette smuggling.

Here are a few that we are tracking ... 

#HuionePay #CMLO #Apple #iPhones #Guarantee #Danbao #Haowang #iMsgSpam #SMS #Smishing