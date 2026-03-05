Europol leads multinational operation against Tycoon 2FA

Platform enabled large-scale phishing with MFA bypass

Authorities dismantled core infrastructure and seized domains

Tycoon 2FA, one of the largest phishing-as-a-service (PhaaS) platforms in the world, has been taken down after a global coordinated law enforcement operation.

The operation was led by Europol, and included police forces from Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom.

It successfully dismantled a phishing operation that was active since at least August 2023, and enabled thousands of cybercriminals to access email and cloud-based service accounts.

Hundreds of domains taken down

In the operation, law enforcement took down 330 domains that formed “the core infrastructure” of the service, which included phishing portals and backend control panels used by attackers to manage campaigns.

A number of private organizations helped, as well, including Cloudflare, Coinbase, Intel471, Microsoft, Proofpoint, Shadowserver Foundation, SpyCloud, and Trend Micro.

Some researchers claim the platform is very popular in the underground community. Apparently, between August 2023 (when it first launched) and March 2024, the Bitcoin wallet linked to the operation raked in more than $400,000 worth of cryptos at the time.

Tycoon 2FA operated as an adversary-in-the-middle (AiTM) attack, intercepting login credentials and session cookies to gain unauthorized access to user accounts, even those secured with MFA.

Europol says Tycoon 2FA generated tens of millions of phishing emails each month, and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions.

Throughout the years, it has been actively supported, and has been receiving updates and upgrades regularly. Its last major upgrade was in April 2025, to allow for better evasion of manual and static pattern-matching analysis, bypass fingerprinting and flagging, and for detecting browser automation tools.

By mid-2025, Tycoon 2FA accounted for roughly two-thirds (62%) of all phishing attempts blocked by Microsoft, Europol stressed.

The platform is sold on underground forums, with prices starting at $120 for 10 days of access, making it accessible to a wide range of cybercriminals.

