Podcast Summary: Cybersecurity Today — Arrests In O365 Scheme With David Shipley
Host: David Shipley
Episode Date: December 22, 2025
Overview
In this episode of Cybersecurity Today, David Shipley covers four cybersecurity developments with global reach: arrests tied to a Nigerian Microsoft 365 phishing-as-a-service platform, a multi-year ATM jackpotting scheme that prosecutors link to terrorist financing, a case of incident responders who turned ransomware attackers, and Denmark's formal attribution of a destructive cyberattack on a water utility to Russian state-linked actors. Shipley breaks down the international coordination behind cybercrime enforcement and the emerging threats businesses must monitor, delivered with his usual journalistic insight and urgent, no-nonsense style.
Key Discussion Points & Insights
1. Nigerian Microsoft 365 Phishing Platform Bust
[00:21–03:40]
- Three suspects arrested: Nigeria's police National Cybercrime Centre, acting on intelligence shared by Microsoft through the FBI, arrested three individuals tied to "RaccoonO365," a phishing-as-a-service toolkit.
- RaccoonO365 details:
- Automated the creation of fake Microsoft login pages.
- At least 5,000 compromised Microsoft 365 accounts across 94 countries.
- Used for widespread business email compromise, data theft, and fraud.
- Key suspect: Okatipi Samuel, who used the aliases "Raccoon0365" and "Moses Felix," is believed to have created and operated the platform, marketing it through a Telegram group with more than 800 members.
- Subscription model: Access sold for $350 a month or $1,000 for three months, with payments typically in cryptocurrency.
- Earlier disruption: RaccoonO365's infrastructure had already been taken down in September by Microsoft and Cloudflare, before the arrests followed.
- "The arrests were carried out by Nigeria's Police Force National Cybercrime Centre, following intelligence shared by Microsoft through the FBI, underscoring the increasing international nature of cybercrime investigations." — David Shipley [00:46]
- Missing figure: Notably, Joshua Ogundipe, previously identified as the platform's leader, was not named among those arrested.
2. ATM Jackpotting Scheme Linked to Terrorism
[03:41–06:50]
- Scale of the scheme: U.S. prosecutors charged 54 individuals with running a multi-year ATM malware scheme using the "Ploutus" jackpotting malware.
- Operation details:
- Physical installation of malware onto ATMs to force machine payout (“jackpotting”).
- Losses exceeded $40 million in more than 1,500 incidents since 2021.
- Criminal organization: Linked to Tren de Aragua, a Venezuelan group designated as a foreign terrorist organization by the U.S. State Department.
- Sophisticated approach:
- Recruited individuals to scout ATMs and test their security before deploying the malware.
- Ploutus could be loaded via removable media or by swapping the ATM's hard drive.
- Designed to erase forensic evidence after the cash-out.
- Money flow:
- "Prosecutors allege those funds were funneled back to Tren de Aragua leadership to support broader criminal and terrorist activities." — David Shipley [06:10]
- Severe consequences: Some defendants face maximum sentences of up to 300 years in prison.
3. Insider Ransomware: Trusted Responders Turned Attackers
[06:51–09:30]
- Who: Two incident response professionals, Ryan Clifford Goldberg (Sygnia) and Kevin Tyler Martin (DigitalMint).
- What: Pleaded guilty to conspiring to deploy ALPHV/BlackCat ransomware against five organizations while holding roles meant to help, not harm, victims.
- Victims: Included health, pharmaceutical, engineering, and drone manufacturing firms.
- Financial impact: Over $9.5 million in losses, with $1.3 million successfully extorted from a Florida medical company.
- Sentencing status: The guilty pleas cut the potential maximum from 50 to 20 years; both must forfeit over $340,000, and further reductions are likely in exchange for cooperation.
- “The Justice Department says the pair abused positions of trust and specialized skills to carry out and conceal the attacks.” — David Shipley [08:56]
- Technique: Combined insider knowledge of incident response with an affiliate account at the ransomware operation to carry out and conceal the attacks.
4. Denmark Attributes Utility Hack to Russian State Actors
[09:31–11:25]
- Incident: Denmark formally blames Russia for a 2024 cyberattack on a water utility that caused physical damage (altered pump pressure and burst pipes in Køge).
- Attackers: The group Z-Pentest, linked to the Russian state; tied to a broader hybrid-warfare campaign alongside DDoS attacks on Danish elections by NoName057(16).
- Assessment: Attacks seen as part of an orchestrated campaign to destabilize Western critical infrastructure in response to support for Ukraine.
- “Denmark’s defense minister called the attacks unacceptable and said that they demonstrate that hybrid warfare is not theoretical but actively underway in Europe.” — David Shipley [10:29]
- Broader warning: Russian hacktivist groups are targeting water, energy, food, and agriculture systems across Europe and North America.
- Vulnerability: The attacks exposed serious gaps in national resilience and prompted Denmark to raise its national cyber threat level for the telecommunications sector.
- Cross-border pattern: Shipley's reference to attacks on Canadian pipeline systems underscores that these risks are growing, persistent, and global.
Notable Quotes & Memorable Moments
- International Cooperation:
"The arrests were carried out by Nigeria's Police Force National Cybercrime Centre, following intelligence shared by Microsoft through the FBI, underscoring the increasing international nature of cybercrime investigations." (David Shipley, [00:46])
- Phishing-as-a-Service:
"Investigators say the service was linked to at least 5,000 compromised Microsoft 365 accounts across 94 countries, enabling business email compromise, data theft and financial fraud worldwide." (David Shipley, [01:21])
- ATM Malware and Terror Financing:
"Prosecutors allege those funds were funneled back to Tren de Aragua leadership to support broader criminal and terrorist activities." (David Shipley, [06:10])
- Betrayal of Trust:
"The Justice Department says the pair abused positions of trust and specialized skills to carry out and conceal the attacks." (David Shipley, [08:56])
- Hybrid Warfare Reality Check:
"Denmark's defense minister called the attacks unacceptable and said that they demonstrate that hybrid warfare is not theoretical but actively underway in Europe." (David Shipley, [10:29])
Important Timestamps
- Microsoft 365 Phishing Arrests: [00:21–03:40]
- ATM Jackpotting/Terrorist Financing: [03:41–06:50]
- Incident Responders Turned Ransomware Attackers: [06:51–09:30]
- Denmark Utility Hack Attributed to Russia: [09:31–11:25]
- Closing Remarks and Year-End Thanks: [11:26–12:18]
Final Remark
David Shipley closes the episode with thanks to co-host Jim and to the audience, a festive cybersecurity-themed jingle, and a call for heightened vigilance in the coming year, in the urgent, personal, and pragmatic tone that makes Cybersecurity Today a trusted guide for business leaders and IT professionals alike.
For further details and full context, listen to the full episode of Cybersecurity Today: Arrests In O365 Scheme, Dec 22, 2025.
