Egyptian Public Prosecution building.
According to an official statement, the prosecution accused the defendants of running a transnational criminal enterprise through two online platforms, “ONNX Store” and “Caffeine,” which allegedly provided phishing-as-a-service (PhaaS) tools to customers in exchange for cryptocurrency payments.
The defendants had already been convicted by the Mansoura Economic Court on related charges in February 2026, receiving prison sentences of two to three years and fines totaling over EGP 1.5 million.
Judges also ordered the confiscation of cryptocurrency and electronic devices tied to the operation. The syndicate is additionally facing criminal money-laundering prosecution related to proceeds from its illicit activities.
Investigators said the gang used these platforms to build and deploy around 240 fraudulent websites for large-scale phishing campaigns that illegally captured digital credentials and data, particularly from Microsoft Office 365 systems, causing significant financial losses and disrupting information networks.
The case has drawn global cybersecurity attention after Microsoft’s Digital Crimes Unit (DCU) publicly identified an Egypt-linked phishing operation associated with the alias “MRxC0DER” and linked to branded phishing-kit storefronts, including ONNX, which ranked among the top five phishing kit providers by email volume worldwide in November 2024.
International cybersecurity experts said these platforms allowed criminal customers to launch phishing campaigns, including QR code-based credential theft via messaging channels like Telegram, targeting Microsoft 365 and Office 365 logins used by financial firms and other organizations.
Prosecutors said the investigation began after receiving forensic cybersecurity evidence and involved digital fingerprint tracking and open-source intelligence, including links to a US criminal case in Virginia that helped confirm identities and strengthen the evidence.
Investigators referenced a civil lawsuit filed in November 2024 by Microsoft in the US District Court for the Eastern District of Virginia, which targeted the digital infrastructure of the main defendant operating under a pseudonymous online identity.
The court order enabled the seizure and redirection of hundreds of malicious domains used in phishing campaigns targeting Microsoft Office 365 users worldwide, reinforcing the connection between the defendants’ digital identities and their real-world activities, according to the Egyptian prosecution.
The Public Prosecutor’s office said it remains committed to combating cybercrime, protecting economic and information security, and pursuing perpetrators and their tools through technical and legal measures in cooperation with domestic and international partners.
Short link: