- Europol leads multinational operation against Tycoon 2FA
- The platform enabled large-scale phishing with MFA bypass
- Authorities dismantled basic infrastructure and seized estates
Tycoon 2FA, one of the world’s largest phishing-as-a-service (PhaaS) platforms, has been taken down after a coordinated global law enforcement operation.
The operation was led by Europol and included police forces from Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom.
He successfully dismantled a phishing operation active since at least August 2023 and gave thousands of cybercriminals access to email and cloud service accounts.
Hundreds of domains deleted
During the operation, law enforcement took down 330 domains that made up the service’s “core infrastructure,” which included phishing portals and back-end control panels used by attackers to manage their campaigns.
A number of private organizations also helped, including Cloudflare, Coinbase, Intel471, Microsoft, Proofpoint, Shadowserver Foundation, SpyCloud and Trend Micro.
Some researchers claim that the platform is very popular in the underground community. Apparently, between August 2023 (when it was first launched) and March 2024, the Bitcoin wallet linked to the operation raised over $400,000 worth of cryptos at the time.
Tycoon 2FA operated as an adversary in the middle (AiTM) attack, intercepting login information and session cookies to gain unauthorized access to user accounts, even those secured with MFA.
Europol claims that Tycoon 2FA generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations worldwide, including schools, hospitals and public institutions.
Over the years, it has been actively supported and received regular updates and upgrades. Its last major upgrade took place in April 2025, to enable better evasion of manual and static pattern matching analysis, bypass fingerprinting and tagging, and detect browser automation tools.
By mid-2025, Tycoon 2FA accounted for around two-thirds (62%) of all phishing attempts blocked by Microsoft, Europol noted.
The platform is sold on underground forums, with prices starting at $120 for 10 days of access, making it accessible to a wide range of cybercriminals.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
