
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack with wired, wireless and cellular all in one integrated solution that's built for performance and scale. You can find them at meter.com/cst.
B
Nigerian police arrest suspects tied to a global Microsoft 365 phishing platform, US prosecutors charge 54 in an ATM malware scheme linked to a terrorist group, two incident responders plead guilty to launching ransomware attacks from the inside, and Denmark blames Russia for a destructive cyber attack on a water utility. This is Cybersecurity Today and I'm your host David Shipley. Let's get started.
Nigerian authorities have arrested three individuals linked to a large-scale Microsoft 365 phishing operation tied to a platform known as RaccoonO365, according to reporting from Bleeping Computer. The arrests were carried out by Nigeria's Police Force National Cybercrime Center, following intelligence shared by Microsoft through the FBI, underscoring the increasing international nature of cybercrime investigations. RaccoonO365 was a phishing toolkit designed to automate the creation of fake Microsoft login pages, allowing attackers to steal credentials at scale. Investigators say the service was linked to at least 5,000 compromised Microsoft 365 accounts across 94 countries, enabling business email compromise, data theft and financial fraud worldwide. One of those arrested, identified as Okitipupa Samuel, allegedly operated online under the names RaccoonO365 and Moses Felix. Nigerian police believe he developed and ran the phishing platform, selling access to other cybercriminals through a Telegram channel with more than 800 members. Subscription fees reportedly range from roughly $350 a month to a discounted version available for $1,000 for three months, typically paid in cryptocurrency. Microsoft and Cloudflare disrupted RaccoonO365 infrastructure in September, taking down phishing pages hosted through Cloudflare accounts that investigators say were registered using compromised credentials. It's not yet clear whether the takedown directly led to the arrests.
Police say forensic analysis of seized laptops and mobile devices linked them to the phishing scheme. However, authorities note that the other two individuals arrested have not yet been directly tied to the platform's development or operation. Notably absent from the announcement is Joshua Ogundipe, a figure previously identified by Microsoft as a leader associated with the service. Microsoft had not commented publicly on the arrests as of the reporting.
The U.S. Department of Justice has charged 54 individuals in connection with a large-scale ATM jackpotting operation that used malware to force cash machines to dispense money on demand, according to reporting by The Hacker News. The scheme relied on malware known as Ploutus, which was physically installed on ATMs across the United States. Prosecutors say the operation generated tens of millions of dollars in losses and was tied to Tren de Aragua, a Venezuelan criminal organization designated by the US State Department as a foreign terrorist organization. The Justice Department says one indictment, returned on December 9, charges 22 people with crimes including bank fraud, burglary and money laundering. A second related indictment, from October, charges another 32 individuals with conspiracy, computer fraud and damage to protected computers. If convicted, some defendants could face sentences ranging from 20 years to more than three centuries in prison. Investigators allege the group recruited individuals to travel nationwide, scout ATM locations and test security controls before attempting to install the malware. Once access was gained, Ploutus could be deployed by swapping the ATM's hard drive or inserting a removable device. The malware then issued unauthorized commands to the cash dispensing module, forcing the machines to release currency, the Justice Department says. Ploutus was also designed to erase evidence of its presence, complicating forensic analysis by banks and credit unions.
Proceeds were then split among members, according to prearranged rules. Authorities estimate more than 1,500 jackpotting incidents in the US since 2021, with losses exceeding $40 million as of August 2025. Prosecutors allege those funds were funneled back to Tren de Aragua leadership to support broader criminal and terrorist activities.
Two former incident responders have pleaded guilty to carrying out ransomware attacks in 2023 while they were employed at companies responsible for helping victims respond to those same kinds of attacks. According to reporting by CyberScoop, Ryan Clifford Goldberg and Kevin Tyler Martin admitted in federal court that they participated in a ransomware extortion spree targeting five organizations over a six-month period. At the time, Goldberg was a manager of incident response at Sygnia and Martin worked as a ransomware negotiator at DigitalMint. Prosecutors say the pair collaborated with an unnamed co-conspirator to deploy ALPHV, also known as BlackCat, ransomware against victim networks. Federal court records show that total losses from the attacks exceeded $9.5 million. The victims included a Florida-based medical company, a Maryland pharmaceutical firm, a California doctor's office, an engineering company in California and a Virginia-based drone manufacturer. Prosecutors say the group successfully extorted nearly $1.3 million from the medical company in May of 2023, though attempts against the other victims did not result in payment. Goldberg and Martin were arrested in the fall and pleaded guilty less than three months after being indicted in the Southern District of Florida. Each pled guilty to one count of conspiracy to interfere with interstate commerce by extortion, reducing their potential maximum sentence from 50 years to 20 years in prison. Both men have agreed to forfeit more than $340,000 each, with the court also able to impose fines and additional restitution.
Prosecutors say they will recommend reduced sentences if the defendants continue to cooperate. The Justice Department says the pair abused positions of trust and specialized skills to carry out and conceal the attacks. Investigators allege the unnamed co-conspirator obtained an affiliate account with the ALPHV ransomware operation, which the group used in the attacks. ALPHV, or BlackCat, was one of the most active ransomware groups in recent years before ceasing operations in early 2024.
Denmark has formally blamed Russia for a destructive cyber attack on a water utility in 2024, calling it part of Moscow's broader hybrid campaign targeting Western critical infrastructure, according to reporting by Security Affairs. Denmark's Defense Intelligence Service has attributed the attack to the pro-Russia group Z-Pentest, assessing that the group had direct connections to the Russian state. Danish officials say the incident went far beyond disruption and actually caused physical damage, including an event in the town of Køge, where attackers altered pump pressure leading to burst pipes. The intelligence service also linked election-related distributed denial of service attacks to another pro-Russia group, NoName057, which targeted Danish websites ahead of municipal and regional elections. Officials say both groups are used by Russia as proxies in what Denmark describes as hybrid warfare operations intended to create insecurity, erode trust and punish countries supporting Ukraine while staying below the threshold of open conflict. Denmark's defense minister called the attacks unacceptable and said that they demonstrate that hybrid warfare is not theoretical but actively underway in Europe. Danish authorities warn that while recent cyber and drone incidents have caused limited damage, they expose serious weaknesses in national resilience.
Earlier this year, Denmark raised the cyber espionage threat level for its telecommunications sector from medium to high, citing increased nation state activity across Europe. The assessment warns that state-linked actors possess deep technical knowledge of telecom and operational technology systems, enabling cyber espionage and potentially physical disruption. The announcement follows broader international warnings from US and European agencies that pro-Russian hacktivist groups are actively targeting critical infrastructure worldwide, particularly water, energy, food and agricultural systems. The announcement also follows activity noted in Canada, where a Russian hacktivist group actively attacked a Canadian pipeline and attempted to cause a physical event, according to leaked US intelligence. Denmark says the attacks underscore the growing risk to civilian infrastructure as cyber operations become increasingly a tool of geopolitical conflict.
I've been your host, David Shipley. Thanks so much for listening today. And as we end the year, a special thank you to my friend Jim for the chance to co-host this year and indulge my inner journalist. It's been so much fun and I've really appreciated the chance to bring you all cyber news on Mondays and participate in the panel discussions monthly. I want to take a moment to wish you and yours the happiest of holidays. Happy Hanukkah, Merry Christmas, and a joyous New Year to all. And now for a bit of holiday fun. Jingle Bells, the SOC Edition. Jingle bells, phishing smells, in bucks all the way. One wrong click at 2am and now it's a breach today. Hey, robust MFA, patch on time. Train folks on what to do. Oh what fun it is to keep your holidays breach free. Thanks so much everyone. Have a wonderful week. We'll see you all in the new year.
A
We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys, and manages everything required to get performant, reliable and secure connectivity. They design the hardware, the firmware, build the software, manage deployments, and run support. It's a single integrated solution that scales from branch offices to warehouses and large campuses to data centers. Book a demo at meter.com/cst that's M E T E R.com.
Host: David Shipley
Episode Date: December 22, 2025
In this episode of Cybersecurity Today, David Shipley explores four major cybersecurity developments with global impact: a crackdown on a Nigerian Microsoft 365 phishing platform, a massive ATM jackpotting scheme linked to terrorist financing, a shocking case of insider ransomware attacks, and Denmark’s formal attribution of a destructive cyberattack on its water utilities to Russian state-linked actors. Shipley breaks down the international coordination behind cybercrime enforcement and the emerging threats businesses must monitor, all flavored with his journalistic insight and urgent, no-nonsense delivery.
David Shipley closes the episode with gratitude to co-host Jim and the audience, a festive cybersecurity-themed jingle, and a call to heightened vigilance for the coming year—echoing the urgent, personal, and pragmatic tone that makes Cybersecurity Today a trusted guide for business leaders and IT professionals alike.
For further details and full context, listen to the full episode of Cybersecurity Today: Arrests In O365 Scheme, Dec 22, 2025.