B ∙ R ∙ A I ∙ N

A sprawling cybercrime platform that helped thousands of attackers bypass modern authentication protections has been disrupted in a coordinated global operation led by technology companies, cybersecurity researchers and law enforcement agencies.

The takedown targeted Tycoon 2FA, one of the most prolific phishing-as-a-service platforms in operation in recent years, and underscores how identity-based attacks have become a central battleground in modern cybersecurity.

As organizations move more operations into cloud platforms and rely on digital identities to manage access, phishing campaigns that compromise those identities can provide attackers with direct entry into critical systems.

Through a combination of legal action, infrastructure seizures and cross-border intelligence sharing, the coalition dismantled key parts of the service’s technical backbone and seized hundreds of domains used to support its campaigns.

The operation illustrates both the scale of the modern phishing economy and the increasingly coordinated efforts required to disrupt it.

At the center of the disruption effort was a partnership involving Microsoft, Europol, and a broad set of cybersecurity companies and nonprofit organizations.

The coalition included firms such as Trend Micro, Cloudflare, Intel471, Proofpoint, SpyCloud and Coinbase, along with intelligence sharing groups and law enforcement agencies from multiple European countries.

The combined effort targeted the infrastructure powering Tycoon 2FA’s operations, including the domains used to host phishing pages and administrative panels.

As part of the operation, investigators seized roughly 330 domains that formed the core of the service’s infrastructure. These domains hosted control panels used by cybercriminals as well as fake login pages designed to harvest credentials from victims.

The seizures were carried out under a court order in the United States and supported by coordinated enforcement actions in several European jurisdictions.

Tycoon 2FA had emerged as one of the most significant drivers of phishing activity worldwide since it appeared around 2023. The platform allowed criminals to conduct sophisticated attacks that could defeat multi-factor authentication, the security measure widely adopted by organizations to protect accounts beyond a simple password.

By mid-2025, the service was responsible for about 62 percent of the phishing attempts blocked by Microsoft’s systems, with some months seeing more than 30 million malicious emails sent through the infrastructure.

The impact was substantial. Researchers estimate that the service has been linked to roughly 96,000 victims globally, including tens of thousands of Microsoft customers whose accounts were targeted or compromised.

Healthcare organizations, schools and universities were among the hardest hit sectors, with phishing campaigns disrupting operations and exposing sensitive data.

The platform’s success lay in its design. Tycoon 2FA operated as an adversary-in-the-middle phishing system, a technique that intercepts communication between a victim and a legitimate service during the login process.

When a user entered their credentials and responded to authentication prompts, the system relayed that information in real time to the actual service while simultaneously capturing passwords, authentication codes and session cookies.

Those stolen session tokens allowed attackers to log in to accounts even if the password was later changed, unless all active sessions were revoked. This approach effectively undermined traditional multi-factor authentication protections, which were designed to stop attackers who only possess a password.

By capturing authentication tokens generated during a valid login session, the Tycoon 2FA infrastructure allowed attackers to assume the identity of legitimate users and move through systems without triggering many security alerts.

The service also lowered the barrier to entry for cybercrime. Tycoon 2FA operated as a subscription-based phishing-as-a-service platform, meaning criminals could rent access to the toolkit without needing deep technical skills.

The system provided prebuilt phishing templates that mimicked widely used services such as Microsoft 365 and Google Workspace, along with hosting infrastructure and dashboards for managing campaigns and viewing stolen credentials.

This model reflects a broader trend in the cybercrime ecosystem where specialized services are sold or leased in underground markets to enable large-scale attacks.

Instead of building tools themselves, attackers can purchase ready-made capabilities including phishing kits, malware distribution services, hosting infrastructure and stolen credentials. The result is an interconnected economy that functions much like a legitimate technology supply chain.

Investigators said Tycoon 2FA fit squarely within that ecosystem. The service was reportedly marketed and managed through encrypted messaging platforms such as Telegram and supported by partners responsible for payments, marketing and technical support.

Other illicit services handled mass email distribution or provided the servers used to host phishing infrastructure, allowing the entire operation to scale quickly. Trend Micro researchers who tracked the platform say its infrastructure included thousands of domains and supported a global network of operators.

The service generated enormous volumes of phishing traffic, delivering campaigns targeting enterprises, governments and individuals across multiple continents.

Analysis of victim data also illustrates the breadth of the threat. Intelligence gathered from exposed Tycoon 2FA panels revealed hundreds of thousands of captured credentials and authentication records.

Most of the compromised accounts were tied to corporate email domains rather than free consumer email providers, underscoring the platform’s focus on enterprise environments where access to a single account can open pathways into larger organizational systems.

For attackers, those compromised accounts often served as the starting point for broader intrusions.

Once inside an organization’s email or cloud collaboration environment, criminals could conduct business email compromise scams, steal sensitive data, or use the account to launch additional phishing campaigns targeting colleagues and partners. In some cases, access obtained through phishing operations later facilitated ransomware deployments.

The takedown effort also demonstrates how technology companies increasingly use civil litigation alongside traditional law enforcement methods to disrupt cybercrime infrastructure.

In this case, Microsoft’s Digital Crimes Unit filed a civil complaint in federal court to obtain legal authority to seize domains associated with the platform. The action was supported by threat intelligence gathered by private security companies and shared with international law enforcement agencies.

Europol played a central coordinating role through its Cyber Intelligence Extension Program, which is designed to move beyond intelligence sharing toward direct operational collaboration between governments and the private sector.

Authorities in countries including Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom participated in enforcement actions connected to the case.

Cybersecurity researchers emphasize that while such operations can significantly disrupt cybercrime infrastructure, they rarely eliminate it entirely. Platforms like Tycoon 2FA are part of a broader ecosystem in which new tools quickly emerge to replace those that are shut down.

Nonetheless, investigators say the dismantling of widely used services can have cascading effects by forcing attackers to rebuild infrastructure and raising the cost and complexity of their operations.