
A major phishing-as-a-service (PhaaS) platform used to bypass multi-factor authentication and compromise online accounts has been disrupted following a coordinated international law enforcement operation supported by Europol.
The action targeted Tycoon2FA, a subscription-based toolkit widely used by cybercriminals to intercept authentication sessions and hijack accounts.
As part of the disruption, authorities and industry partners seized or disabled 330 domains that formed the backbone of the Tycoon2FA infrastructure, including phishing portals and backend control panels used by attackers to manage campaigns.
The technical disruption was led by Microsoft, working alongside a coalition of industry partners, including Cloudflare, Coinbase, Proofpoint, Intel471, the Shadowserver Foundation, SpyCloud, and Trend Micro. Meanwhile, law enforcement authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom carried out seizures of infrastructure and other operational measures within their jurisdictions.
Large-scale phishing operation
Active since at least August 2023, Tycoon2FA evolved into one of the most significant phishing platforms operating on the internet. The service provided attackers with a ready-made toolkit designed to intercept login sessions in real time, enabling them to bypass multi-factor authentication (MFA) protections and gain access to victim accounts.
According to Europol, the platform was used to conduct phishing campaigns that generated tens of millions of emails each month, targeting organizations worldwide. The attacks enabled unauthorized access to accounts across nearly 100,000 organizations, including schools, hospitals, and government institutions.
Telemetry shows that by mid-2025, Tycoon2FA infrastructure accounted for approximately 62% of all phishing attempts blocked by Microsoft systems, underscoring the platform’s dominance in the phishing ecosystem.
The platform operated under a phishing-as-a-service model, allowing cybercriminals with limited technical skills to subscribe to the toolkit and launch large-scale campaigns. The kits typically implemented adversary-in-the-middle (AiTM) techniques that capture credentials and session cookies during authentication, allowing attackers to hijack accounts even when MFA is enabled.
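One defensive signal for the AiTM session hijacking described above is a session cookie that was minted after an MFA-completed sign-in and is then presented shortly afterwards from a different network or client. The following is an added example (not code from Europol, Microsoft or any partner named in the article) that runs such a check over a few constructed sign-in events; the event fields (`session`, `asn`, `ua`, `event`) are assumptions standing in for whatever your identity provider actually logs.

```python
from datetime import datetime, timedelta

# Constructed sign-in events, not real telemetry. Session S1 models an AiTM
# hijack: MFA completes once, then the same cookie is replayed four minutes
# later from another ASN and a non-browser client. Session S2 is benign.
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/125 Windows", "event": "mfa_success"},
    {"ts": "2025-06-01T09:04:00", "user": "alice", "session": "S1",
     "ip": "198.51.100.7", "asn": "AS64501", "ua": "curl/8.0", "event": "token_use"},
    {"ts": "2025-06-01T10:00:00", "user": "bob", "session": "S2",
     "ip": "192.0.2.5", "asn": "AS64502", "ua": "Edge/125 Windows", "event": "mfa_success"},
    {"ts": "2025-06-01T10:20:00", "user": "bob", "session": "S2",
     "ip": "192.0.2.5", "asn": "AS64502", "ua": "Edge/125 Windows", "event": "token_use"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def detect_session_replay(events, window=timedelta(minutes=60)):
    """Return one alert per session whose cookie is used from a different
    network (ASN) or client (user agent) than the one that completed MFA,
    within `window` of that MFA success. Events may arrive unordered."""
    origin = {}   # session id -> the event that completed MFA for it
    alerts = []
    for ev in sorted(events, key=lambda e: _parse(e["ts"])):
        if ev["event"] == "mfa_success":
            origin[ev["session"]] = ev
            continue
        first = origin.get(ev["session"])
        if first is None:
            continue  # no MFA-backed origin seen for this cookie; nothing to compare against
        elapsed = _parse(ev["ts"]) - _parse(first["ts"])
        changed = [field for field in ("asn", "ua") if ev[field] != first[field]]
        if changed and elapsed <= window:
            alerts.append({
                "user": ev["user"],
                "session": ev["session"],
                "changed": changed,
                "minutes_after_mfa": int(elapsed.total_seconds() // 60),
                "from_ip": ev["ip"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(EVENTS):
        print(alert)
```

Because the victim's MFA is completed through the attacker's proxy in a true AiTM flow, the "origin" ASN recorded here can itself be the proxy; in practice this check is strongest combined with proxy or hosting-provider reputation on the sign-in IP, and the durable fix is phishing-resistant MFA (FIDO2/WebAuthn), whose origin binding a relay page cannot satisfy.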
Security researchers and Microsoft threat intelligence teams have previously linked Tycoon2FA to numerous phishing campaigns targeting enterprise environments.
The investigation that ultimately led to the takedown began after Trend Micro shared intelligence about the platform with Europol. The information was disseminated through Europol’s cybercrime operational networks and advisory groups, allowing investigators and industry partners to coordinate a disruption strategy.
Despite the disruption, Europol warns that phishing-as-a-service platforms remain a persistent threat because similar kits can quickly emerge to replace dismantled infrastructure.