- Europol leads multinational operation against Tycoon 2FA
- Platform Enabled Large-Scale MFA Bypass Phishing
- Authorities dismantled central infrastructure and confiscated domains
Tycoon 2FA, one of the world’s largest phishing platforms as a service (PhaaS), has been taken down after a globally coordinated law enforcement operation.
The operation was led by Europol and included police forces from Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom.
Successfully dismantled a phishing operation that was active since at least August 2023 and allowed thousands of cybercriminals to access email and cloud-based service accounts.
Hundreds of domains removed
In the operation, law enforcement took down 330 domains that formed “the core infrastructure” of the service, which included phishing portals and backend control panels used by attackers to manage campaigns.
Several private organizations also helped, including Cloudflare, Coinbase, Intel471, Microsoft, Proofpoint, Shadowserver Foundation, SpyCloud, and Trend Micro.
Some researchers claim that the platform is very popular in the underground community. Apparently, between August 2023 (when it was first launched) and March 2024, the Bitcoin wallet linked to the operation raised more than $400,000 in cryptocurrency at that time.
Tycoon 2FA operated as an adversary-in-the-middle (AiTM) attack, intercepting login credentials and session cookies to gain unauthorized access to user accounts, even those protected with MFA.
Europol says Tycoon 2FA generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations worldwide, including schools, hospitals and public institutions.
Over the years, it has been actively supported and has received regular updates and improvements. Its last major update was in April 2025, to enable better evasion of manual and static pattern matching analysis, avoidance of fingerprints and marks, and detection of browser automation tools.
By mid-2025, Tycoon 2FA accounted for approximately two-thirds (62%) of all phishing attempts blocked by Microsoft, Europol highlighted.
The platform is sold on underground forums, with prices starting at $120 for 10 days of access, making it accessible to a wide range of cybercriminals.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
