Tuesday, September 30, 2025

New Smish: New York Department of Revenue

 As I was visiting SmishTank to report the most recent SMish that I had received (an iMessage from a +27 South African telephone number claiming to be from ParkMobile) I noticed there had been many recent submissions from the New York Department of Revenue. SmishTank is operated by Professor Muhammad Lutfor Rahman, a colleague of mine from our time at UAB, and his student Daniel Timko from California State University San Marcos. 

SmishTank.com is a great resource for recent SMish!


Pennsylvania and Connecticut "Department of Revenue" also observed
The Utah State Tax Commission and the State of California Franchise Tax Board also seen

SMish that Hide from Wrong Browsers

If you visit any of the URLs that are reported by these "Tax Refund" phish, you'll find that they fail to resolve unless you are visiting from a phone. Researchers easily bypass this by using a "User Agent Switcher," which allows a browser such as Chrome to claim to be another device with a different browser.  By setting myself to be an "Android KitKat" version of Chrome, the pages render on my Windows PC just fine.  The User Agent Switcher also allows you to enter your own custom User Agents.  Today, this is the one I used ... 

Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
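The gating described above is worth replicating when you build or tune a URL scanner: a sandbox that only fetches with a desktop User-Agent will see nothing and mark the page clean. The following is an added example written for this post, not code from the phishing kit or from the author; the mobile/desktop split it applies is an assumption that mirrors the behaviour described, and the desktop UA and the `example.invalid` URL are constructed placeholders.

```python
import re
import urllib.request

# User-Agent string quoted in the post (an Android 4.4 "KitKat" Chrome).
KITKAT_CHROME_UA = ("Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) "
                    "AppleWebKit/537.36 (KHTML, like Gecko) "
                    "Chrome/34.0.1847.114 Mobile Safari/537.36")

# Constructed desktop UA for comparison (not from the post).
DESKTOP_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Assumed marker set: phones announce themselves with one of these tokens.
MOBILE_MARKERS = re.compile(r"Android|iPhone|iPad|Mobile", re.IGNORECASE)


def looks_mobile(user_agent: str) -> bool:
    """Crude mobile/desktop split of the kind a UA-gated page relies on."""
    return bool(MOBILE_MARKERS.search(user_agent))


def gate_decision(user_agent: str) -> str:
    """What a UA-gated phishing page does: serve to phones, hide from everything else.
    This models the behaviour observed in the post, not the kit's actual code."""
    return "serve" if looks_mobile(user_agent) else "hide"


def analyst_request(url: str, user_agent: str = KITKAT_CHROME_UA) -> urllib.request.Request:
    """Build a request that presents a mobile UA so a scanner sees what a victim sees.
    Returned unsent: the caller decides when, and from what isolated host, to open it."""
    return urllib.request.Request(
        url, headers={"User-Agent": user_agent, "Accept-Language": "en-US"})


if __name__ == "__main__":
    for ua in (DESKTOP_CHROME_UA, KITKAT_CHROME_UA):
        print(gate_decision(ua), "<-", ua[:45])
    req = analyst_request("https://example.invalid/notice")  # placeholder URL
    print(req.get_header("User-agent"))
```

Run it as-is to see the desktop UA hidden and the KitKat UA served; pass `analyst_request(...)` to `urllib.request.urlopen` only from an isolated analysis host.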

New York Department of Revenue Mobile Phish (SMish)

After switching my browser agent, I chose to visit "revenue.refundjpt[.]cc/notice" to get samples of the phish. The first thing that stands out is that despite the SMish all claiming to be the "New York Department of Revenue" the phishing website calls itself "Department of Taxation and Finance" and makes no reference to any specific state. 



The "Address" page of the phish starts by asking for a Social Security Number, which makes sense if you are interacting about taxation.  With most "bank" phish, that would be an immediate Red Flag, but people who are interacting about taxes would not be alarmed by this.  In the USA, your SSN is the primary identifier for taxes.  Although the "State" is pre-populated to "New York" the footer still references the California Penal Code. 



The next page tells me they would like to refund me $1120 and asks which Credit Card or Debit Card I would like to send the funds to.  The "Bank Routing" option is unavailable, apparently due to "system maintenance." 



The website is using the Luhn algorithm to confirm that the credit card number is valid.  Type any 16 digits starting with a 4 or a 5, then rotate the final digit until it stops saying "invalid card number" in red and accepts the number.  My made-up number was 4381 6621 8355 371_ and when I changed the last digit to a "6" it became an acceptable credit card number.  (I looked it up later, as this was entirely fictitious, but 438166 would mean my card was a Visa Credit Classic issued by Multicredit, S.A., in Guatemala.  Oops!  It's OK, the Chinese scammers didn't care.) 
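The Luhn check is a typo detector, not a fraud check: it only says the digits are internally consistent, which is why the kit can reject mistyped numbers client-side while still accepting a number that belongs to a real bank it has never heard of. The following added example (mine, not the phishing page's JavaScript) reproduces the author's experiment: it computes the one digit that completes 4381 6621 8355 371 and confirms that digit is 6.

```python
def luhn_checksum(digits: str) -> int:
    """Luhn sum modulo 10: walking from the right, double every second digit
    and subtract 9 when the doubled value exceeds 9 (equivalent to summing its digits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def _only_digits(text: str) -> str:
    """Strip the spaces people type between groups of four."""
    return "".join(ch for ch in text if ch.isdigit())


def luhn_valid(number: str) -> bool:
    """True when the full number (check digit included) passes Luhn."""
    digits = _only_digits(number)
    return len(digits) >= 2 and luhn_checksum(digits) == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that completes `partial` (e.g. the first 15 digits of a PAN).
    Exactly one of the ten candidates makes the checksum zero."""
    digits = _only_digits(partial)
    for candidate in "0123456789":
        if luhn_checksum(digits + candidate) == 0:
            return candidate
    raise RuntimeError("unreachable: exactly one digit completes a Luhn number")


if __name__ == "__main__":
    stem = "4381 6621 8355 371"            # the author's made-up 15 digits
    print("check digit:", luhn_check_digit(stem))          # 6, as the post found
    print("4381662183553716 valid:", luhn_valid("4381 6621 8355 3716"))
    print("4381662183553715 valid:", luhn_valid("4381 6621 8355 3715"))
```

Because the check digit is determined by the other fifteen, "rotating the final number" always succeeds after at most ten tries, and the accepted number will carry whatever BIN (first six digits) the first digits happened to spell, here a real Guatemalan issuer.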

After this, the criminals sent a text message to the burner phone that I had provided in the Address block. This is a CRITICAL PART OF THEIR STRATEGY!

The "SERCURTITY" verification (yes, securTity) asks for my 6-digit code.  While they say this is because they want my tax refund to be secure, this code is actually the 2-Factor Authentication that allows them to add MY CREDIT CARD to THEIR PHONE's WALLET!




Unfortunately, Guatemala Multicredit SA must have let them know that my credit card didn't really exist, as it booted me back to the credit card page and asked for a different card. This actually happens even if you enter a VALID card.  Why?  The criminals are not interested in sending you a tax refund. They are interested in loading your debit and credit cards onto their phone in Bangkok (or wherever their "machine room" full of spam-sending phones is located.) If you will give them two cards, they will load two.  If you will give them three cards, they will steal all three.  

How does the Stolen Credit Card get used? 

They then deploy "Shoppers" to begin making purchases using your credit card, which is now "Tap to Pay" ready on their phone!  The phone is in Bangkok?  No problem.  They use the software "X-NFC" to "remote tap," transmitting the card loaded in the wallet in Asia to the phone standing at the payment terminal at the Apple Store in Burbank.


I'm attaching a promotional video that the author shares on his Telegram channel.  In the video, the criminal has two phones "above" his Point of Sale device.  He links the NFC capability of one of the top phones to the bottom phone.  He then taps the top "linked phone" to an iPhone holding a credit card in his wallet.  The image of the card is transferred to the bottom phone, which he can then successfully tap on the Point of Sale device.  


In practice, the "bottom phone" would be somewhere in North America.  The person using that phone would call a collaborator in Asia to say they are ready to make a purchase.  The remote agent then taps one of the phones where your Phished credit card is loaded.  That card is now "usable" on the phone in North America, who taps the phone locally to make a payment using the credit card 7500 miles away! 

What Registrars, Hosts, and Domains are part of the current New York campaign?

These iMessage and RCS phish are part of a deployment server where criminals pay a monthly fee to use the phishing sites.  Each criminal can choose how and where they register their domains and how and where they host the phishing websites.  Because they are all renting access to the same catalog of phishing websites, the sites may look identical while having very different hosting and registration models.

In this case, the main set of domains is registered at "Dominet (HK) Limited" while the hosting is more difficult since they are hiding behind Cloudflare's Reverse Proxy service.  The bulk of that group's domains for this campaign were registered on September 27, 2025. 

The New York campaign used the hostname "revenue" with URLs using this pattern: 

hxxps://revenue.refundyt[.]cc/notice
hxxps://revenue.refundql[.]cc/notice
hxxps://revenue.refundmj[.]cc/notice
hxxps://revenue.refundrm[.]cc/notice
hxxps://revenue.refundet[.]cc/notice
hxxps://revenue.refundjc[.]cc/notice
hxxps://revenue.refundxu[.]cc/notice
hxxps://revenue.refundxe[.]cc/notice
hxxps://revenue.refundvs[.]cc/notice
hxxps://revenue.refunduw[.]cc/notice
hxxps://revenue.refundte[.]cc/notice
hxxps://revenue.refundsz[.]cc/notice

Another group of 28 domains, first seen on September 26th (some of them registered today), was also registered at Dominet (HK) Limited, also hides behind Cloudflare, and uses the pattern: 

hxxps://revenue.paybds[.]cc/notice
hxxps://revenue.paydjr[.]cc/notice
hxxps://revenue.paydqo[.]cc/notice
hxxps://revenue.payeoc[.]cc/notice
hxxps://revenue.payfgm[.]cc/notice
hxxps://revenue.payfkv[.]cc/notice
hxxps://revenue.paygaa[.]cc/notice
hxxps://revenue.payhqe[.]cc/notice
hxxps://revenue.payidx[.]cc/notice
hxxps://revenue.payjjt[.]cc/notice
hxxps://revenue.payjok[.]cc/notice
hxxps://revenue.paykah[.]cc/notice
hxxps://revenue.paykdr[.]cc/notice
hxxps://revenue.paylsn[.]cc/notice
hxxps://revenue.paymnk[.]cc/notice
hxxps://revenue.paymtj[.]cc/notice
hxxps://revenue.paynds[.]cc/notice
hxxps://revenue.payono[.]cc/notice
hxxps://revenue.payque[.]cc/notice
hxxps://revenue.payquh[.]cc/notice
hxxps://revenue.payryc[.]cc/notice
hxxps://revenue.paysbv[.]cc/notice
hxxps://revenue.paytia[.]cc/notice
hxxps://revenue.payvem[.]cc/notice
hxxps://revenue.payvik[.]cc/notice
hxxps://revenue.paywar[.]cc/notice
hxxps://revenue.payyks[.]cc/notice
hxxps://revenue.payzlr[.]cc/notice

And yet another domain pattern, also registered at Dominet (HK) Limited and also hiding behind Cloudflare uses this pattern: 



refundfg[.]cc was actually a State of Florida tax refund scam, which began about 11 days ago.  That campaign differed from this one in that it was hosted openly at TENCENT (AS132203, IP: 170.106.160.91) and shifted to using a different domain pattern: 
revenue.refuAXCV[.]cc
revenue.refuREWJ[.]cc
revenue.refuDZSA[.]cc

Pivoting on that IP address, we can use Zetalytic's ZoneCruncher to look at the passive DNS and find many other domains.  Our Tencent phisher who is doing the New York tax phish is clearly also doing Pennsylvania and Minnesota! The passive DNS also shows us other host and domain patterns for New York. 
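The domain lists above follow a few tight lexical patterns, which is exactly what you want to turn into a clustering key and a DNS-log detection. The block below is an added example of mine (not the author's tooling and not ZoneCruncher): it refangs the post's `hxxps://...[.]cc` notation, deduplicates the repeated entries, groups the registrable domains by pattern, and offers a hostname matcher for the `refundXX`, `payXXX` and `refuXXXX` shapes. The embedded IOC list is a subset copied from the post; `registrable_domain` assumes two-label `.cc` names, which holds for every domain listed here.

```python
import re
from collections import defaultdict

# Subset of the defanged URLs as written in the post (the refundyt repeat is deliberate).
RAW_IOCS = """
hxxps://revenue.refundyt[.]cc/notice
hxxps://revenue.refundql[.]cc/notice
hxxps://revenue.refundmj[.]cc/notice
hxxps://revenue.refundyt[.]cc/notice
hxxps://revenue.paybds[.]cc/notice
hxxps://revenue.paydjr[.]cc/notice
hxxps://revenue.paydqo[.]cc/notice
"""


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the post."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def registrable_domain(url: str) -> str:
    """Last two labels of the host. Assumption: all campaign domains are <name>.cc,
    so a two-label cut is correct here (a public-suffix list is needed in general)."""
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return ".".join(host.split(".")[-2:])


def campaign_pattern(domain: str) -> str:
    """Map refundXX.cc / payXXX.cc / refuXXXX.cc onto a pattern key, 'X' per random letter."""
    m = re.match(r"^(refund|refu|pay)([a-z]{2,4})\.cc$", domain)
    return f"{m.group(1)}{'X' * len(m.group(2))}.cc" if m else "other"


def cluster(raw: str) -> dict:
    """Group unique registrable domains by their lexical pattern."""
    seen, groups = set(), defaultdict(list)
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        dom = registrable_domain(refang(line))
        if dom in seen:           # the post's lists repeat a few entries
            continue
        seen.add(dom)
        groups[campaign_pattern(dom)].append(dom)
    return dict(groups)


# Detection shape for DNS or proxy logs: the random part is 2-3 letters after "refund",
# 3 after "pay", 4 after "refu", all under .cc. Treat hits as leads, not verdicts;
# confirm with the registrar (Dominet HK) and registration-date pivot described above.
CAMPAIGN_RE = re.compile(r"(^|\.)(refund[a-z]{2,3}|pay[a-z]{3}|refu[a-z]{4})\.cc$")


def matches_campaign(hostname: str) -> bool:
    return bool(CAMPAIGN_RE.search(hostname.lower().rstrip(".")))


if __name__ == "__main__":
    for pattern, domains in cluster(RAW_IOCS).items():
        print(pattern, len(domains), domains)
    for h in ("revenue.refundjpt.cc", "revenue.paybds.cc", "revenue.example.com"):
        print(h, matches_campaign(h))
```

The pattern regex is intentionally narrow (fixed prefixes, fixed TLD) so that it can run against a day of resolver logs without drowning the analyst; widen it only after checking what else in your logs it would catch.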



Sunday, September 28, 2025

SMS Pools and what the US Secret Service Really Found Around New York

Last week the United Nations General Assembly kicked off in New York City.  On the first day, a strange US Secret Service press conference revealed that they had seized 300 SIM servers with 100,000 SIM cards. Various media outlets jumped on the idea that this was some state-sponsored sleeper cell waiting to destroy telecommunication services around New York.  Like me, you may have immediately wondered why some of the photos showed sophisticated racks of servers on shelves while others showed a hodgepodge of devices strewn about the bare floor of an otherwise empty apartment. 

photos extracted from USSS reporting

SIM Pools on Telegram 

Beginning in late 2024, every cell phone in the USA started getting hit hard with annoying messages claiming to be informing us of undelivered packages. In early 2025, this morphed into the famous "Toll Road" phishing messages which started off with messages supposedly about unpaid tolls in Massachusetts Easy Pass and now imitate every toll road system in America. Because the goals of these SMishing messages were to load credit cards onto phones and use them to steal money, DarkTower spent quite a bit of time studying the infrastructure, which is primarily advertised and sold in Telegram channels that we call "Chinese Guarantee Syndicates." I've conducted several briefings about these systems, and have mentioned previously in this blog how they sell SMS-blasting telecom equipment (See: Chinese SMS Spammers Go Mobile ).

The devices found around the NYC tri-state area are a slightly different application of SMS-blasting.

The most famous of the Chinese Guarantee Syndicates, Haowang Guarantee, is part of the US-sanctioned Huione Pay, "The Largest Illicit Online Marketplace" according to Elliptic and WIRED. Haowang has shifted their business to Tudou Danbao, but their vendors continue to offer SMS Modem Pools and associated hardware and software as part of their Crime-as-a-Service empire.  Here's an ad for one such vendor (with its translation):



Let's look at the Telegram channel of Annie, a China-based seller of SMS equipment.  (In Chinese, these are called "Cat Pools" -- I'll explain why at the bottom of this article.)  Most of the posts I'll show are from Chinese-language Telegram channels, so I'll include an English translation.

@Annie068a operates a channel dedicated to selling SMS Gateway equipment

Annie offers SMS Modem Pools in a variety of sizes

SMS Modem Pools have a variety of configurations.  The most basic has 8 modem ports with slots for one SIM card each. On the opposite end of the scale, is a 64 port modem with capacity for 512 SIM cards. (Many of those found by the USSS seem to be 32-port modems with 256 SIM cards.) When there are more SIM cards than modem ports message sending rotates between SIM cards. 

What does Annie suggest you might use your SMS Pool for?  Mostly "Marketing."

The concept, as Annie explains, is that you can route messages from anywhere in the world and have them sent from an SMS pool sitting in the United States and being sent from a US-based SIM, thus having a US telephone number displayed in the caller id.

SMS Pools for Fraud and Phishing

Other Telegram channels are more blatant in suggesting the type of "Marketing" that one might do with the ability to send bulk SMS messages to other countries.  The Telegram channel "Mini Bulk SMS" provides examples, such as imitating the Irish bank AIB to send phishing emails, or imitating BMF in Austria, Binance in Italy, or doing an Apple refund scam in the US. In Southeast Asia a major use of bulk SMS is advertising to gamblers. 

An English-speaking bulk SMS provider, KathyBulkSMS, is also quite blatant about the criminal nature of the messages she suggests.  Her service also has the ability to send using "Short Message Code" caller IDs. She particularly recommends imitating Coinbase if spamming in the US and says that her recent campaign, sending 170,000 such messages via Verizon, AT&T, and T-Mobile, was "very effective."


Kathy gives other examples, such as imitating Binance and National Australia Bank for the Australian market, but her channel has suggestions for many countries, including Netflix and Crypto campaigns for:  🇬🇷Greece 🇵🇹Portugal 🇦🇹Austria 🇮🇪Ireland 🇯🇵Japan 🇸🇰Slovakia 🇰🇷South Korea and 🇪🇸Spain.
 

Cheap SMS Modem Pools and Cheaper SIMs

Not to bust the "Nation-state" theories too hard, but this gear is ridiculously cheap. You can buy most of it used on places like eBay, but the various business-to-business services like "Made In China" have great prices.  Here are a couple examples: a 16-modem 512 SIM-slot 4G SMS Gateway is $1,000.  A 64-modem 512 SIM-slot 4G/3G/2G offering send and receive SMS can range from $2,400 to $4,000 depending on the configuration and software included.


But what about the SIM cards? Don't worry, there are many Facebook groups, and many more Telegram channels that will hook you up. The Telegram user @Zoom557 posts to many Facebook groups using the new criminal-friendly "Anonymous Poster" service. On Telegram he is excited about the new $5 SIM cards offered 

BaronLiu also uses Facebook to push his Telegram SIM card offerings. 
Here are a few of the Facebook groups (all in Chinese) that specialize in SIM card selling. Notice the sizes: 2500 members, 3600 members, 6400 members, and 8700 members. Most of these groups also offer mass account creation and social media spamming services. 


One Telegram vendor of SIM cards was proud to be supplying a variety of US SIM cards.


The same vendor shared the photo below.  This isn't USSS in New York.  This is a deployment in Thailand using a SIM pool to provide Thai-WhatsApp numbers to customers around the world. 



Do eSIMs change the game? Durov has you covered: 

Never one to shy away from offering anonymized criminal services to the masses, Pavel Durov has announced that you can now buy worldwide eSIMs from a special app inside Telegram called @Mobile. After choosing your region and country, you choose the eSIM you want, and then can purchase it paying with Pavel's built-in cryptocurrency, TON, or a credit card if you want to be easily traced by law enforcement.


What about those SMS Cats? 

One of the earliest "famous" SMS-phishers who was doing Toll Road phishing was "Darcula." When Darcula's server was unavailable in the summer of 2024, he recommended people use the server "magic-cat.world" to upgrade their software.  Darcula also used a cat as his Telegram profile image.

Darcula was well-and-truly doxed by the excellent researchers at Mnemonic.io -- Erlend Leiknes and Harrison Sand.  I've spoken to them both and they did a great job tearing apart Darcula's code and mapping out the credit card theft associated with it!  

While Darcula was certainly a major player, "Little Gray Cat" was my favorite SMisher at the beginning of our work.  He loved to show off his "Machine Room" full of iPhones all sending automated (and end-to-end encrypted) Toll Road and Package non-Delivery phish.

It wasn't until recently I realized the story of why our SMS phishers have so many "Cat-named" things has to do with the slang for the word "modem." The Chinese term for modem is 调制解调器 (tiáo zhì jiě tiáo qì). Because that's quite a mouthful, young techies began to refer to their modem simply as 猫 (māo).  Here are some of the "Cat" terms I've learned in this research:


A "Cat Card" is a SIM card.  This is the term to search on Chinese Telegram to find people selling SIM cards and related services. 

An "SMS Cat" is device hosting an SMS number either for "marketing/phishing" or for "verification farming." (Verification Farming uses the destination-country SMS number to receive authentication codes. Group-IB's excellent "SMS Pumping" article mentions that "In late 2022, Elon Musk revealed that Twitter was losing around $60 million per year due to SMS pumping fraud. The activity was attributed to 390 telecom operators that allowed bot accounts to exploit Twitter’s two-factor authentication (2FA) system, generating fake SMS traffic to inflate their own revenue.")

A "Cat Control Platform" is the software, hosted on Windows or Linux, that connects to the 

A "Cat Number" is a virtual number ... it may be in an SMS Pool, but it might also be a Google Voice number or other virtual number. 

A "Cat Pool" as we've already discussed, is an SMS Modem Pool.

Friday, September 26, 2025

Postal Thief Arrested in Oregon

The case caught my eye with the headline in the Oregon Live trumpeting:  "Mail theft suspect in Portland made daring 13th-floor balcony escape, later arrested" and saying that the suspect's apartment contained ONE HUNDRED SEVENTY POSTAL KEYS!   But Michael John Peters is not the type of mail thief that I am accustomed to seeing in our investigations.  Most of the check thieves that DarkTower investigates are street gang members and self-proclaimed Hip Hop artists who peddle their checks in Telegram channels.  I wasn't expecting the case to be about a college-educated white male who ran an art gallery in Hawaii! 

https://mauiguide.com/michael-john-peters/

On his YouTube channel, Peters tells how he "reinvented himself" during COVID, creating a painting process he calls "Four Phases Painting" which is actually quite interesting!

https://www.youtube.com/watch?v=bPmWA6Y1qNE

The Check Theft Case

This case began when the US Postal Inspection Service received complaints from a resident in the Arbor Vista apartments in Portland, Oregon that their 27-slot "cluster mailbox unit" (CBU) had been broken into and left unlocked during the night. The complex had video surveillance of a man, later identified as Michael John Peters, entering the apartment complex at 3:33 AM on May 7, 2025. He appeared to use a key to open the CBU.  Several additional complexes in the area also had video surveillance of a similar looking man accessing their apartment buildings at odd hours and stealing their mail.  

Photos from Arbor Vista, Collins Circle, McKenzie Lofts, Sitka Apartments, and Waterfront Pearl all appear to show the same person - a white male usually wearing a backwards baseball cap, carrying a gray backpack, and often with an electric skateboard. 

Images from the USPIS Criminal Complaint

Comparing the stills from video surveillance to online photos, USPIS agents believed that the man in their images was likely Michael John Peters, with matches to his Hawaiian Drivers License.  A still from the video above is also included in the affidavit. 

In one incident, on July 18, 2025, Peters abandoned his backpack, in which agents found three counterfeit postal keys.  One was etched with "GH," which likely referred to Goose Hollow, the neighborhood where the Arbor Vista and Collins Circle housing complexes were located. Another key found later was etched "SLAB," which referred to the Slabtown neighborhood of Portland. Of high interest was the presence of a Flipper Zero in the backpack.  The affidavit from USPIS notes that it "can be used to gain access to secured doors and buildings." By laying an access card near a Flipper Zero, a digital recording of the card can be made, which can later be replayed, allowing doors to be opened.  (Students of mine used a proof of concept to clone campus access cards at two universities after borrowing my own Flipper Zero.) 


Searching postal records, agents found Peters' address in Beaverton, Oregon; at least 12 packages were recorded as having been delivered to either Mike Peters or Michael Peters at that address between October 2024 and July 2025. 

A search of his criminal history showed that he had convictions from 2023 in California for "felony Possession of Identification of Ten or More Persons with Intent to Defraud" and for "Making a Fictitious Check."  He also had a 2023 conviction in Hawaii for 28 felony counts for Unauthorized Possession of Confidential Personal Information, Fraudulent Use of Credit Cards, Theft of Credit Cards, and Theft.

Additional Surveillance images of Peters

Mail Theft Search Warrant Executed 

On September 23rd, based on the extensive video evidence and the probable identification, a search warrant was conducted at the residence of Michael John Peters.  In the US Attorney's press release, it mentions that "In the apartment, investigators found evidence of identity theft including approximately 300 pieces of U.S. mail that were not addressed to Peters, false identification documents, stolen identity documents, and counterfeit checks."

https://www.justice.gov/usao-or/pr/portland-man-charged-stealing-mail

The local media shared more interesting details ... Oregon Live's telling of the story says: 

"In the unit, investigators found more than 170 postal keys, 15 fake identification cards in his name, about 300 pieces of mail, 15 gift cards and check printers" which they credit as being explained by Assistant U.S. Attorney William Narus.  

Peters was arraigned on September 24th and is now in custody pending trial following a detention hearing where he was described as a "serious flight risk" citing an outstanding warrant, a substance abuse problem, and his prior criminal history. 


Monday, September 22, 2025

Microsoft DCU's Takedown of RaccoonO365

 When I saw the name of the Microsoft Digital Crime Unit's latest target, "RaccoonO365" I probably reacted to it differently than most.  With the help of a friend in Lagos, we've been watching the money launderers and things have reached a point that they now refer to what we previously called "Business Email Compromise" or BEC as "O365 Jobs." 

from Microsoft's explainer on RaccoonO365

Microsoft DCU is famous for doing massive takedowns of the infrastructure used by cyber criminals via Civil action in the US courts.  This case is no different, as they filed for an Emergency Temporary Restraining Order in the Southern District of New York in a co-filing with the Health-ISAC.  The venue is justified in their filing in part by showing that New York City was one of the most targeted cities, based on victims that they were able to identify. 


From Microsoft DCU's "Complaint and Summons" against Joshua Ogundipe and John Does 1-4

Microsoft used several methods of determining that Joshua Ogundipe of Nigeria played a key role in this Phishing-as-a-Service enterprise, which began in the summer of 2024 after Microsoft had terminated a similar platform called Fake ONNX. 

A great deal of the infrastructure for RaccoonO365 was hidden behind Cloudflare's Reverse Proxy service and/or using Cloudflare's Domain Registration service, and Microsoft was able to determine that Joshua controlled the associated Cloudflare accounts. 

Microsoft also reveals the LinkedIn account of Joshua Ogundipe, which displays the logo of DIGIhubng and indicates that he lives in Benin City, Edo State, Nigeria. Yet another criminal who works for a company that claims to teach "Ethical Hacking"  ... 

Microsoft demonstrates Josha Ogundipe's LinkedIn Page


Digihubng's Ethical Hacking courses

DigihubNG, formerly "Simple Hacks Workshop" -- "Learn How Hackers Create a fake login page and use it to steal passwords"

Microsoft & Health-ISAC's Interest in RaccoonO365

The Complaint filed by Microsoft and Health-ISAC says that "at least 25 healthcare companies, including 9 organizations who are members of Health-ISAC have been hit by RaccoonO365 phishing kits."  In some cases the phishing emails were detected and blocked, while in other cases an employee fell victim to the phish, sharing their credentials with the criminal; however, the organizations responded swiftly with password resets for those individuals. 

Microsoft and Health-ISAC charge that the following violations were performed by the RaccoonO365 co-conspirators, harming both organizations and their customers and members.

Count I: Violation of the Computer Fraud and Abuse Act, 18 USC § 1030. 
Count II: Racketeer Influenced and Corrupt Organizations Act, 18 USC § 1962. 
Count III: Conspiracy to Violate RICO, 18 USC § 1962(d). 
Count IV: Violation of Electronic Communications Privacy Act, 18 USC § 2701. 
Count V: (Microsoft only): False Designation of Origin under the Lanham Act, 15 USC § 1125(a). 
Count VI: (Microsoft only): Trademark Infringement Under the Lanham Act, 15 USC § 1114 et seq. 
Count VII: (Microsoft only): Trademark Dilution under the Lanham Act, 15 USC § 1125(c). 
Count VIII: Common Law Trespass to Chattels. 
Count IX: Conversion.
Count X: Unjust Enrichment. 

RaccoonO365 Crypto Addresses

When Microsoft made a test purchase by interacting with the "RaccoonO365" admin on Telegram, they were provided a Bitcoin address, bc1qmlsuqm4p6lme8e2qna3mkj07k8j7vttp0l7ydv, to make their payment.  That address is hosted at the Nigerian cryptocurrency exchange Bitnob.com, and had received deposits 132 times between October 16, 2024 and July 1, 2025, totaling just under $34,000. 

Cloudflare's "Cloudforce One" team also published a list of Indicators of Compromise for RaccoonO365.  They share a different Bitcoin address, bc1qjtlzug5wu7ag8yskn5h2xjd27uetq5cc4sahh5, which went live on July 3, 2025 and received payments through September 13, 2025.  An ERC20 address (0xf5C2E3749F332175D94C7de7bf7AA8d679E460B7) also received $2800 between May 7, 2025 and August 29, 2025.  The USDT address, TBB5T28b9n2SK8shXb9oq867EcsNE5dZie, also went live the first week of July and received $7,448 through September 12, 2025. Those funds flow to a ChipperCash account; the ChipperCash app has more than 5 million downloads in the Google Play Store, and the animation on its home page shows people in the United States sending funds to people in Nigeria. 

Cloudflare's IOC list also provided a list of "EDF" - Email Detection Fingerprints - that mention several campaigns including a Maersk phishing campaign, a Zoom-branded phishing campaign, and campaigns imitating DocuSign, Sharepoint, and Adobe. 

The CloudForce One RaccoonO365 report is certainly worth reading in its entirety. They include a  pricing list from the Telegram channel showing the subscription plan rates from 30 days ($355) to 90 days ($999). 



The Taxman Spammeth 

During the 2025 US Tax Season, Microsoft put out an advisory that RaccoonO365 phishers, who are tracked within Microsoft as "Storm-0249", were delivering IRS-themed tax phish that were resulting in malware infections.  The Tax phish, claiming to be from the "IRS Audit Department," was linking to a fake Docusign website that asked the recipient to download and review "IRS Verification Form-2025." 

The same advisory warned that between February 12th and 28th, Microsoft observed at least 2,300 organizations targeted by another RaccoonO365 IRS-themed campaign.  This one had a PDF document that contained a QR-code.  Scanning the QR code forwarded the recipient to "SharedDocumentsO365CloudAuthStorage[.]com" which presented a fake Microsoft login page in an attempt to steal user credentials and cookies. 

From the Microsoft Tax Phishing report

RaccoonO365 Domain Registration Insights

Both Microsoft and Cloudflare provide long lists of domains used by the RaccoonO365 phishers, many of which share gmail or yahoo email accounts for the registrants. Some of the R-O365 customers clearly have targets within a certain demographic when we look for other domains registered with the same email address.  A few examples: 

"Nawty Boss" is the name used by edmblais@gmail.com.  Some of the domains created by Mr. Boss indicate that he is a long-time Microsoft phisher, who targets law firms and "conveyancing" companies. He registered a clear Microsoft-targeting phishing domain owa-outlookaccess-login[.]us - all the way back on August 8, 2022, but during the time period of R-O365, some of his domains include: 

prioritylegals[.]com
bytheruleslegal[.]com 
bandhlawyers[.]com 
oconnorharis[.]com 
proctorgraham[.]com 
shamonlawyers[.]com 
aslegals[.]com 
boylandlawyers[.]com 
1836conveyancing[.]com 
crystalconveyancing[.]com
nestconveyancing[.]com 
raywardconveyancing[.]com 
keysconveyancing[.]com and many more - at least 27 domains! 

Cheryl Sharp is the name used by oodybugs53@gmail.com to register several construction-themed companies, such as: 

turnerconstructLons[.]com (the real Turner Construction builds things like NFL stadiums and hospitals)
turnerconsstruction[.]com 
turrnerconstructions[.]com 
clarkconstructLion[.]com (the real Clark Construction builds things like Naval Bases and high rises)
clarkconstructionproject[.]com
truxobuild[.]com and several others. 

Many more just stick to Microsoft imitation. For example, Dave White, the name used by thceneda@gmail.com, registered domains such as: 

officedocdrivecloudfile[.]com
officedocdrivecloud[.]com 
officeclouddriveshared365[.]com and others.  

Michael Previte, using the email mchlprevite@gmail.com registered domains such as: 

MSGReceivedAlert[.]com 
Documents-flip[.]com 
Microsoft-Voicemail-EDriveOnline[.]com and others. 

Other gmail accounts of registrants included: drstacywalter, drstacywalterofficial, elaindnck, sjone0884, bruceandrews21, officebox3585, tarakent60, oodybugs53, rmcy987, redirecting.com@gmail.com, jcllay07, rarejnr, keedew12, kimmit205, marketingchairman50, megatechblock247, nwfamsp000, michaelwesleysullivan, rmcy987, jennix18, woodlandmech, keedew12, mbookpro115, owolabimoney31, moorejulian659, theonlyzeus1999, blaketurner826, genedurgin2, goldenheart3890, ky0dx2024, donald.bill100, crasengan073, nwfamsp000.  (And a few non-gmail: loaann1@outlook.com, bclarknorwood@outlook.com, tfloy03@yahoo.com. ) The majority of the domains listed were hiding behind Cloudflare's registration services, which lists "Registrant emails" in the form: hxxps://domaincontact.cloudflareregistrar[.]com/scammerdomain[.]tld (a couple hundred times.)
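The two pivots used in this section, grouping domains by registrant email and spotting brand lookalikes such as turnerconsstruction[.]com, are both easy to automate once you have a registrant export. The block below is an added example of mine, not Microsoft's or Cloudflare's tooling: it carries a subset of the registrations quoted above (the capital-L homoglyphs kept exactly as the post prints them), groups them by registrant, and flags second-level labels within a small edit distance of a constructed brand watchlist. The watchlist and the distance threshold are my assumptions.

```python
from collections import defaultdict

# (registrant email, defanged domain) pairs copied from the post; a subset only.
REGISTRATIONS = [
    ("oodybugs53@gmail.com", "turnerconstructLons[.]com"),
    ("oodybugs53@gmail.com", "turnerconsstruction[.]com"),
    ("oodybugs53@gmail.com", "turrnerconstructions[.]com"),
    ("oodybugs53@gmail.com", "clarkconstructLion[.]com"),
    ("oodybugs53@gmail.com", "truxobuild[.]com"),
    ("thceneda@gmail.com", "officedocdrivecloudfile[.]com"),
    ("edmblais@gmail.com", "prioritylegals[.]com"),
]

# Constructed watchlist: brands a defender would monitor for typosquats.
WATCHLIST = ["turnerconstruction", "clarkconstruction", "microsoft", "office365"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def second_level_label(defanged: str) -> str:
    """'turnerconsstruction[.]com' -> 'turnerconsstruction'. Lower-cased so the
    capital-L homoglyph trick (L for i/l) is compared as the letter it imitates visually."""
    return defanged.replace("[.]", ".").lower().split(".")[0]


def by_registrant(registrations) -> dict:
    """Pivot: every domain that shares a registrant email."""
    groups = defaultdict(list)
    for email, dom in registrations:
        groups[email].append(dom)
    return dict(groups)


def lookalike_hits(registrations, watchlist=WATCHLIST, max_distance=2):
    """(domain, brand, distance) for labels within max_distance edits of a watched brand."""
    hits = []
    for _, dom in registrations:
        label = second_level_label(dom)
        for brand in watchlist:
            d = levenshtein(label, brand)
            if d <= max_distance:
                hits.append((dom, brand, d))
    return hits


if __name__ == "__main__":
    for email, doms in by_registrant(REGISTRATIONS).items():
        print(f"{email}: {len(doms)} domains")
    for dom, brand, d in lookalike_hits(REGISTRATIONS):
        print(f"{dom} looks like {brand} (distance {d})")
```

A threshold of 2 catches the doubled letters and the L-for-i swaps seen here without flagging unrelated names like truxobuild[.]com; for short brand names lower the threshold, since two edits on an eight-letter word covers a lot of legitimate vocabulary.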

RaccoonO365 Telegram Channel Insights

The R-O365 Telegram channel made frequent boasts about the ways they were improving their services.

In April they started a Beta of their "RaccoonO365 Mailer," where their service not only helped you with cookie and credential capture, but sent your spam for you as well. 



The price for the new service was $500, $1,000, or $1,500 per year, depending on the options selected. 

In August they announced that they were now "a bulletproof cPanel provider." 


In early September they redid their subscription services, (charging a LOT more money!) 

Their last big improvement was announced September 15th.  Just in time for all of their major infrastructure to be kicked off Cloudflare and/or seized by Microsoft's court order!


Raccoon365 Still Kicking 

After Microsoft's court action, the Telegram channel went dark (the last post we saw was September 17, 2025.)  For the sake of completeness, I messaged the admin, whose account is still live, and asked him if there were plans for a new channel. 




It looks like his current focus is selling access to the accounts that he's already compromised.  The pricing plan for phishing has changed considerably as well.  Rather than buying unlimited spamming for a flat monthly rate, now he is charging by the number of "leads" that he sends your phish to, but with guaranteed success rates.  He'll send 50,000 messages, guaranteeing successful log harvesting on 300 accounts, for $1,000.  For $1,500 you get 100,000 messages with 700 guaranteed logs, and for $2,000 you get 200,000 messages sent with 1500 guaranteed logs. 

Current plan as of 22SEP2025


Joshua Kayode Ogundipe?

Goodnews Eguabs is the founder of DigiHubng. He has one Ogundipe friend, James.  
James has a friend named Joshua Kayode Ogundipe.  Could this be our guy?  Inconclusive. 


Microsoft noted that this seemed to be a continuation of the phishing kits created by Abanoud Nady, known online as MRxC0DER who used the brand name "ONNX" to sell his Phishing-as-a-Service. 
While there are many similarities, including the seizure of 240 domains in a very similar TRO, Abanoud Nady was an Arabic-speaking Egyptian. (See:  https://noticeofpleadings.com/fakeonnx/ for more details.) 

An Interesting Associate: TopBoy7x and Phishing Intelligence 

Curiously, one of the users who was authorized to post in the RaccoonO365 Telegram channel was @Topboy7x. TopBoy has paid for an exclusive Telegram-provided "+888" telephone number (+888 0926 4717) and has an Arabic-language Bio on Telegram. 


Top Boy runs the 15,966-subscriber Telegram channel "MiddleMen" and has paid to have several desirable usernames as aliases to his account, including: @safedealagent, @awsfather, @finalizer, @commandment, and @paywithusdt.  By rotating through these accounts in his channels, he may be fooling some users into believing there are multiple vendors vouching for one another.  Nope, it's all the same guy. He offers Escrow Services, Corporate Intelligence Services, and Spamming services in many criminal channels, including RaccoonO365.  Why does he have the alias @awsfather?  Because one of his specialty services is selling hacked AWS accounts. 

The messages below are from TopBoy's Telegram channel hxxps://t.me/verticals, where he has been selling hacked accounts since at least July 2024. 

https://t.me/verticals/706

TopBoy's screenshots make it clear that he sells AWS accounts to use as spamming engines.  In this screenshot, the AWS account has "451,323 Remaining Sends" on its daily email limit. 

TopBoy also sells corporate intelligence services, such as hacked accounts from Grata.  This screenshot from TopBoy demonstrates how this can be used to research companies in the "Energy" industry, for example; he also sells hacked accounts at Pitchbook and Apollo for your intelligence needs. 


Pitchbook offers sales people (or criminal spammers in this case) contact details and job titles for 4.5 million business people.


Other spamming services he sells include Neverbounce Pro, where again, he is selling access to someone else's hacked account: