Phishing began as a clumsy trick — a fake email, a misspelled domain, and a few unlucky victims.
Phishing-as-a-service changed that. Groups like RaccoonO365 industrialized the scam: for a small fee, anyone could buy a ready-made phishing kit, spin up convincing Microsoft 365 login pages, and start harvesting user credentials within minutes. No technical skill required.
The impact was global. In less than a year, RaccoonO365 kits were used to steal 5,000 Microsoft credentials across 94 countries. Healthcare organizations were among the targets, putting sensitive patient data at risk if stolen credentials were misused. On Telegram, the group built a thriving underground market of over 800 members, collecting over $100,000 in cryptocurrency.
Then, last month, Microsoft, Health-ISAC, Cloudflare, and global partners struck back. They seized 338 malicious domains and dismantled the network. The headlines called it a disruption. But the milestone behind the scenes was how blockchain evidence, traced with Chainalysis Reactor, played a key role in supporting Microsoft’s first civil enforcement action.
Receipts on the blockchain
Every phishing kit purchase left evidence on the blockchain — proof of how the operators scaled their business.
Microsoft’s Digital Crimes Unit (DCU) investigators began with a series of controlled purchases, or “test buys,” of the phishing kits, then ran a test phishing attack to see how the kit functioned in practice.
“During one of the phishing kit purchases, the threat actor requested a tip after payment,” recalled investigators. A scammer asking for gratuity, like a food delivery service — a glimpse of how ordinary this “business” had become.
A single mistake, a critical lead
While negotiating another test buy, the operator first shared a Tron (USDT) wallet address, then, after realizing his mistake, replaced it with an Ethereum address. That slip — exposing two wallets for the same sale — was the operator’s undoing.
What could have been a routine transaction became a breakthrough in the case — linking RaccoonO365 directly to known infrastructure and a specific user.
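The linkage step described above, reduced to its simplest form as an added example (this is illustrative code written for this page, not Chainalysis, Reactor or Microsoft DCU tooling). It assumes a constructed set of seller chat messages, classifies payment addresses by chain from their format alone (Tron base58 addresses start with T, Ethereum addresses are 0x plus 40 hex digits, and Bitcoin legacy/bech32 formats are included to generalise beyond the two chains in the story), and clusters every address disclosed for the same sale into one entity, so that a sale which exposed both a Tron and an Ethereum wallet produces a single cross-chain cluster. Real tracing then follows the on-chain flows from those addresses, which this snippet does not attempt.

```python
import re
from collections import defaultdict

# Format-only heuristics (constructed example). Base58 omits 0, O, I and l.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
CHAIN_PATTERNS = {
    "tron": re.compile(rf"^T{BASE58}{{33}}$"),                 # T + 33 base58 chars
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),            # 0x + 40 hex digits
    "bitcoin": re.compile(                                     # legacy P2PKH/P2SH or bech32
        rf"^(?:[13]{BASE58}{{25,34}}|bc1[02-9ac-hj-np-z]{{11,71}})$"
    ),
}

# One regex to pull candidate addresses out of free-form chat text.
ADDRESS_RE = re.compile(
    rf"\b(?:0x[0-9a-fA-F]{{40}}|T{BASE58}{{33}}|bc1[02-9ac-hj-np-z]{{11,71}}|[13]{BASE58}{{25,34}})\b"
)


def classify_address(addr):
    """Return the chain an address format belongs to, or None if unrecognised."""
    for chain, pattern in CHAIN_PATTERNS.items():
        if pattern.match(addr):
            return chain
    return None


def extract_addresses(text):
    """All address-shaped tokens in a message, in order of appearance."""
    return [m.group(0) for m in ADDRESS_RE.finditer(text)]


class Clusters:
    """Minimal union-find: addresses disclosed for the same sale share an owner."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def link_payment_addresses(sales):
    """Cluster every address that appeared in the same sale; report chains per cluster."""
    clusters = Clusters()
    chain_of = {}
    for sale in sales:
        addrs = []
        for message in sale["messages"]:
            for addr in extract_addresses(message):
                chain_of[addr] = classify_address(addr)
                addrs.append(addr)
        for addr in addrs[1:]:
            clusters.union(addrs[0], addr)  # same sale => same controlling entity
    groups = defaultdict(set)
    for addr in chain_of:
        groups[clusters.find(addr)].add(addr)
    return [
        {"addresses": sorted(group), "chains": sorted({chain_of[a] for a in group})}
        for group in groups.values()
    ]


# Constructed sample transcript: placeholder addresses, not real wallets.
TRON_ADDR = "T" + "A" * 33
ETH_ADDR = "0x" + "ab" * 20
BTC_ADDR = "bc1q" + "q" * 38
SAMPLE_SALES = [
    {"sale_id": "buy-1", "messages": [
        f"kit is 250 USDT, send to {TRON_ADDR}",
        f"sorry wrong one, use {ETH_ADDR}",
        "tips welcome after payment",
    ]},
    {"sale_id": "buy-2", "messages": [f"same price, pay {ETH_ADDR}"]},
    {"sale_id": "buy-3", "messages": [f"other vendor, pay {BTC_ADDR}"]},
]

if __name__ == "__main__":
    for cluster in link_payment_addresses(SAMPLE_SALES):
        print(cluster["chains"], cluster["addresses"])
```

The cluster that spans both “tron” and “ethereum” is the one an investigator would pivot on: the second sale only exposed the Ethereum wallet, yet it is tied to the Tron wallet through the first sale. Format matching is deliberately loose here (no checksum validation), so treat any hit as a candidate to confirm on-chain, not as proof.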
Proof that stands in court
For Microsoft’s Digital Crimes Unit, this case was historic. With Reactor, investigators distilled cross-chain transactions into a sequence simple enough to stand in court, turning a complex scheme into clear evidence judges and investigators could follow.
“In this case, cryptocurrency tracing played a pivotal role in attributing illicit activity to a specific individual. By using tools such as Chainalysis Reactor we uncovered patterns and identified the exchanges used by the threat actor to convert illicit gains into usable funds.” — Maurice Mason, Principal Cybercrime Investigator, Microsoft DCU
A model of modern crime
RaccoonO365 is not unique. It is part of a broader trend: cybercrime delivered “as a service,” scalable across borders, accessible to anyone.
The coordinated response shows what works. Industry, government, and technology partners joined forces to dismantle a threat that had harmed thousands of victims. As Microsoft’s DCU noted:
“Public-private partnerships are crucial… by joining forces and sharing insights, we’re able to more effectively dismantle the tools used and disrupt the broader ecosystem.”
Read Microsoft’s account of the operation or consult the public court filings for details.
Reactor: The benchmark, raised for the next generation
When Reactor launched a decade ago, it made the first crypto investigations possible. Today, the stakes are higher: criminal services scale overnight, transactions move across chains in seconds, and investigators face mounting backlogs with finite resources.
That’s why we rebuilt Reactor from the ground up, engineered to set the benchmark for blockchain investigations today and to invest ahead of tomorrow’s threats:
- Clarity — see the story immediately, even in the most complex cases.
- Flexibility — adapt any graph to your case, your audience, your workflow.
- Speed — trace funds across chains in real time, across the largest datasets.
- Impact — close cases faster and outpace adversaries.
As the flagship of the Chainalysis Crypto Investigations suite, Reactor sits at the heart of how we help 1,500+ customers build trust in blockchains. Proven in cases like RaccoonO365, it equips investigators worldwide to expose threat actors and protect communities. And when combined with global partnerships, it turns blockchain intelligence into collective action — and collective action into justice.
Existing customers can log in today to experience the difference. New to Reactor? Contact us for a demo and see how it transforms blockchain investigations.