- Europol leads multinational operation against Tycoon 2FA
- The platform enabled large-scale phishing with MFA bypass
- The authorities dismantled core infrastructure and seized domains
Tycoon 2FA, one of the largest phishing-as-a-service (PhaaS) platforms in the world, has been taken down following a global coordinated law enforcement operation.
The operation was led by Europol and involved police forces from Latvia, Lithuania, Portugal, Poland, Spain and the UK.
It successfully dismantled a phishing operation that was active since at least August 2023 and allowed thousands of cybercriminals to gain access to email and cloud-based service accounts.
Hundreds of domains taken down
In the operation, law enforcement took down 330 domains that made up the “core infrastructure” of the service, which included phishing portals and backend control panels used by attackers to manage campaigns.
A number of private organizations also helped, including Cloudflare, Coinbase, Intel471, Microsoft, Proofpoint, Shadowserver Foundation, SpyCloud and Trend Micro.
Some researchers claim that the platform is very popular in the underground community. Apparently, between August 2023 (when it first launched) and March 2024, the Bitcoin wallet linked to the operation cashed in more than $400,000 in cryptos at that time.
Acting as an adversary-in-the-middle (AiTM) attack, Tycoon 2FA intercepted login credentials and session cookies to gain unauthorized access to user accounts, even those secured with MFA.
Europol says Tycoon 2FA generated tens of thousands of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals and public institutions.
Over the years it has been actively supported and has received updates and upgrades regularly. Its last major upgrade was in April 2025, to enable better bypassing of manual and static pattern-matching analysis, to bypass fingerprinting and tagging, and to detect browser automation tools.
By mid-2025, Tycoon 2FA accounted for around two-thirds (62%) of all phishing attempts blocked by Microsoft, Europol stressed.
The platform is sold on underground forums, with prices starting at $120 for 10 days of access, making it accessible to a wide range of cybercriminals.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
