Global Cybercrime Crackdown: Tycoon 2FA Phishing Service Dismantled

In a significant blow to cybercrime, Europol has led an international operation that dismantled Tycoon 2FA, a sophisticated phishing-as-a-service (PhaaS) platform responsible for over 64,000 attacks worldwide. This operation targeted a criminal network that enabled threat actors to bypass multi-factor authentication (MFA) and compromise accounts across various sectors.

Key Takeaways

  • Tycoon 2FA, a phishing-as-a-service platform, has been dismantled by a global law enforcement coalition led by Europol.

  • The platform facilitated over 64,000 large-scale phishing attacks, specializing in Adversary-in-the-Middle (AiTM) techniques to bypass MFA.

  • It was used to target nearly 100,000 organizations globally, including critical sectors like education, healthcare, and finance.

  • 330 malicious domains associated with the service have been taken down.

The Tycoon 2FA Operation

Tycoon 2FA emerged in 2023 and quickly evolved into one of the largest phishing operations globally. Operating on a subscription model, it was sold via messaging apps like Telegram and Signal, with prices starting at $120 for 10 days. The platform provided a web-based administration panel that allowed cybercriminals to configure, track, and refine their phishing campaigns. This panel offered pre-built templates, domain configuration, redirect logic, and victim tracking, enabling the harvesting of credentials, MFA codes, and session cookies.

Advanced Techniques and Global Impact

The service was particularly dangerous because it performed Adversary-in-the-Middle (AiTM) attacks, relaying the victim's login through a proxy so that it intercepted both user credentials and the resulting session cookies in real time. Because the attacker holds a valid session cookie rather than just a password, a password reset alone did not lock them out: access persisted until the active sessions were explicitly revoked. Tycoon 2FA also employed sophisticated evasion techniques, including heavy code obfuscation, browser fingerprinting, and rapidly rotating domain names (often live for only 24-72 hours) to avoid detection.
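The point above, that a stolen session cookie outlives a password reset unless sessions are revoked, can be shown with a small in-memory session store. This is an added Python example, not code from the article or from any of the parties it names; the store, the user name and the cookie values are constructed, and binding each session to a per-user "password version" is the mitigation it demonstrates.

```python
"""Why an AiTM-stolen session survives a password reset, and one way to stop it.

Constructed example: an in-memory session store with two validation policies.
"""
import secrets
import time


class SessionStore:
    def __init__(self):
        self.password_version = {}  # user -> int, incremented on every reset
        self.sessions = {}          # cookie -> (user, version_at_issue, expiry)

    def login(self, user, ttl_seconds=3600):
        """Issue a session cookie; record the user's password version at issue time."""
        version = self.password_version.setdefault(user, 1)
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (user, version, time.time() + ttl_seconds)
        return cookie

    def reset_password(self, user):
        """A reset only bumps the version; it does not touch the session table."""
        self.password_version[user] = self.password_version.get(user, 1) + 1

    def is_valid(self, cookie, bind_to_password):
        record = self.sessions.get(cookie)
        if record is None:
            return False
        user, issued_version, expiry = record
        if time.time() > expiry:
            return False
        if bind_to_password and issued_version != self.password_version[user]:
            return False  # issued before the reset: treat as revoked
        return True


def demo():
    """Replay a cookie captured by a phishing proxy across a password reset."""
    store = SessionStore()
    stolen_cookie = store.login("alice")  # the AiTM proxy relays the login and keeps this
    before = store.is_valid(stolen_cookie, bind_to_password=True)
    store.reset_password("alice")         # victim resets the password
    return {
        "before_reset": before,                                           # True
        "after_reset_unbound": store.is_valid(stolen_cookie, False),      # True: reset alone is not enough
        "after_reset_bound": store.is_valid(stolen_cookie, True),         # False: session tied to credential
    }


if __name__ == "__main__":
    print(demo())
```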

Microsoft, which tracks the operators as Storm-1747, reported that Tycoon 2FA was the most prolific phishing platform it observed in 2025, and that it blocked over 13 million malicious emails linked to the service in a single month. Globally, the platform accounted for approximately 62% of all phishing attempts blocked by Microsoft as of mid-2025. The U.S. had the largest concentration of identified victims, followed by the U.K., Canada, India, and France. Campaigns indiscriminately targeted sectors such as education, healthcare, finance, non-profit, and government organizations.

The Takedown and Future Implications

The coordinated effort, involving numerous law enforcement agencies and private sector partners like Intel 471 and Trend Micro, resulted in the seizure of over 330 domains that formed the backbone of the criminal service. While this operation has significantly disrupted Tycoon 2FA's operations, the advanced techniques pioneered by the platform are expected to persist and be adopted by other threat actors. Authorities are advising organizations to enhance their security measures, including adopting phishing-resistant MFA and strengthening session and device controls, to mitigate ongoing risks.

Sources

  • Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks, The Hacker News.

  • Inside the Takedown of a 64,000-Attack Phishing-as-a-Service Platform, Rescana.

  • Europol's Major Operation Dismantles Tycoon 2FA Phishing-as-a-Service Network Linked to Over 64,000 Cyberattacks, The420.in.