Customer Spotlight

Following the Money with Chainalysis: 6 Questions with Maurice Mason


Following the Money is a Q&A series that spotlights how Chainalysis customers use our products in the real world — from compliance teams and investigators to pioneers driving crypto adoption.

Maurice Mason is Principal Cybercrime Investigator for Microsoft’s Digital Crimes Unit (DCU).


Give us the breakdown of what is happening in this case.

Microsoft’s Digital Crimes Unit has taken legal action against Storm-2246, also known as RaccoonO365, a fast-growing financially motivated phishing-as-a-service (PhaaS) platform that sold phishing kits targeting Microsoft Office 365 users. The group has been active since at least July 2024 and provided phishing kits designed to steal sensitive information and perpetrate business email compromise, ransomware, and financial fraud against Microsoft customers, Health-ISAC member organizations, and the public. The group is believed to be led by a Nigeria-based individual, Joshua Ogundipe; the group marketed its services on Telegram, where it amassed over 800 members and received at least $100,000 in cryptocurrency payments. Via a court order granted by the Southern District of New York, Microsoft seized 338 associated websites, disrupting communications between the criminal enterprise and victims. We’re also working with international law enforcement and cybersecurity partners to continue to disrupt any new infrastructure that arises to protect customers from future threats.


Phishing-as-a-service is a new(ish) thing. What does this entail? 

Phishing-as-a-service (PhaaS) refers to cybercriminals selling ready-made phishing kits or platforms that allow even non-technical users to launch credential-stealing attacks. RaccoonO365’s business model of selling ready-made phishing kits and services for use by other cybercriminals lowers the barrier of entry to cybercrime and fraud, meaning anyone, including those with no coding or hacking expertise, can target unsuspecting victims. The kits are essentially “how-to” or “do-it-yourself” manuals for cybercriminals.


What was one of the most interesting things about communicating with the threat actor? We heard he was asking for tips? Tell us more.

During the investigation, the DCU engaged directly with the threat actor without disclosing our identity to acquire the phishing kits. Notably, during one of the phishing kit purchases the threat actor requested a tip after payment, an unusual but telling gesture that highlights the mindset behind these operations. It’s a reminder that, for many actors, phishing is less about ideology and more about income generation.

In a separate purchase, the actor initially provided a USDT (TRC-20) wallet address, which was later replaced with a different address designated specifically for the kit acquisition. The initial address appears to have been shared inadvertently, indicating a lapse in operational security. This error enabled investigators to trace the associated funds to a wallet hosted on a Nigerian cryptocurrency exchange previously linked to the RaccoonO365 operator through earlier Bitcoin transaction analysis.


This is the first time Microsoft has included crypto in a civil action. Tell us why this is such a big deal. 

As cybercrime continues to evolve, the DCU has integrated blockchain and cryptocurrency analysis into our civil enforcement efforts. In this case, cryptocurrency tracing played a pivotal role in attributing illicit activity to a specific individual. By using tools such as Chainalysis Reactor we uncovered patterns and identified the exchanges used by the threat actor to convert illicit gains into usable funds. At the end of the day, cybercriminals engage in these activities to get paid!


These are complex cases that include a lot of different parties — from the public to the private sector. Who else are you working with on this? 

The DCU’s core mission is to disrupt and deter cybercrime, promote global trust in Microsoft, and safeguard the digital ecosystem through legal innovation, technical countermeasures, and public-private partnerships. While many threat actors operate from regions where prosecution is challenging, they often host infrastructure in jurisdictions where legal action is possible. This creates strategic opportunities for disruption. Given the evolving nature of the threat, it is imperative that Microsoft protects its customers and prevents further impact from RaccoonO365 services. With the healthcare sector increasingly targeted by RaccoonO365, public safety is at risk, which is why DCU filed this lawsuit in partnership with Health-ISAC, a global non-profit focused on cybersecurity and threat intelligence for the health sector.

Furthermore, the globalized nature of cybercrime underscores the need for international collaboration, particularly across sectors. Public-private partnerships are crucial to tackling cybercrime as law enforcement and tech companies see different aspects of the cybercrime landscape. By joining forces and sharing our insights, we’re able to more effectively dismantle the tools used and disrupt the broader ecosystem to protect users online.


What can other folks in the crypto community take away from this case? What do you want to tell your public and private partners about best practices for tracing crypto crime?

I think there are several key lessons people in the crypto community can take away from this case:

1. Follow the money

Cryptocurrency remains the preferred payment method for cybercriminals due to its speed and perceived anonymity. Blockchain analysis tools can trace transactions across wallets and exchanges, revealing patterns and connections that support attribution. In this case, a misstep by the threat actor, sharing the wrong wallet address, enabled investigators to link funds to a known exchange and previously identified actors.

2. Operational security mistakes are opportunities

Threat actors often make mistakes under pressure or during rapid scaling. These errors, like reusing wallet addresses or registering domains with fake but traceable info, can be exploited by investigators.

3. Public-private partnerships are essential

Microsoft’s DCU worked with law enforcement, industry partners, nonprofits such as the Health-ISAC, and blockchain data analysis firms such as Chainalysis to trace funds and disrupt infrastructure. Collaboration across borders and sectors is the only way to counter the global nature of cybercrime.
