CSIRT-CAN – Centro de Respuesta a Incidentes de Seguridad de Canarias

Tycoon 2FA Dismantled: How the Global Operation Was Carried Out

An international operation coordinated between law enforcement agencies and technology companies has dismantled Tycoon 2FA, one of the most widely used phishing-as-a-service (PhaaS) platforms for compromising accounts protected with multi-factor authentication (MFA). 

This action marks a milestone in the fight against cybercrime and demonstrates the impact of public-private collaboration on a global scale.

What was Tycoon 2FA and why did it pose a threat?

Tycoon 2FA was a criminal service that offered ready-to-use tools with which cybercriminals could launch advanced phishing campaigns, even without in-depth technical knowledge.

Its main objective was to intercept credentials and authentication tokens in real time, allowing attackers to access legitimate accounts even when they were protected with MFA. 

The system used “adversary-in-the-middle” (AiTM) techniques: fake login pages acted as intermediaries between the victim and the legitimate service.

In this way, when the user entered their credentials and completed the authentication process, the attacker captured both the password and the session token needed to log in without raising suspicion.

Since its emergence in 2023, Tycoon 2FA became one of the most significant drivers of online phishing fraud.

According to Microsoft data, it was linked to tens of millions of phishing emails per month, affecting more than 500,000 organizations worldwide.

A criminal ecosystem based on “services”

Tycoon 2FA's popularity stemmed from its business model. It operated as a subscription-based platform that offered criminals:

• Web dashboards for managing phishing campaigns
• Realistic login page templates
• Automatic capture of credentials and session cookies
• Infrastructure prepared to launch large-scale attacks

This model significantly lowered the barrier to entry for cybercrime, allowing inexperienced actors to execute sophisticated attacks against services like Microsoft 365 or Google Workspace.

As a result, thousands of attackers were able to compromise corporate accounts, facilitating subsequent attacks such as Business Email Compromise (BEC), data theft, or financial fraud.

The international operation that dismantled it

The takedown of Tycoon 2FA was the result of months of joint investigation between public agencies and private companies. 

The investigation began when security researchers identified the service's infrastructure and shared the information with international law enforcement agencies. 

The operation was led by Microsoft and coordinated with Europol, along with law enforcement agencies from several countries (including Spain, the United Kingdom, Portugal, Poland, Latvia, and Lithuania) and multiple cybersecurity companies.

Key actions of the operation included:

• Seizure of more than 330 domains used by the platform for its control panels and phishing pages.
• Disabling the technical infrastructure that enabled the service to operate.
• Coordination with technology providers to block servers and services used by the attackers.
• Sharing intelligence with Computer Security Incident Response Teams (CSIRTs) worldwide.

The objective was to disrupt the cybercrime value chain by cutting off access to the infrastructure and making it difficult for operators and their clients to continue phishing campaigns.

The Global Impact of Tycoon 2FA

The reach of this platform illustrates the scale that criminal services on the internet have reached.

It is estimated that Tycoon 2FA was linked to nearly 100,000 identified victims since 2023 and to a large number of phishing campaigns specifically targeting business, healthcare, and educational organizations.

Furthermore, subsequent investigations have identified hundreds of thousands of records of credentials and login data obtained through the platform, demonstrating the magnitude of its impact on businesses and public bodies.

A reminder for digital security

The dismantling of Tycoon 2FA highlights both the sophistication of current cybercrime and the need for international cooperation to combat it.

It also underscores that traditional multi-factor authentication can be vulnerable to advanced phishing attacks, especially if phishing-resistant methods such as security keys or hardware-based authentication are not used.
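As an added illustration (not code from the CSIRT-CAN article, from Microsoft, or from any vendor), the following Python model shows why the relay described under "What was Tycoon 2FA" succeeds against a one-time code and why an origin-bound credential such as a security key does not yield a usable login through a lookalike page. The domains, the challenge handling and the HMAC stand-in for the authenticator's signature are constructed assumptions; the flow follows the shape of a WebAuthn assertion (clientDataJSON with origin and challenge, rpIdHash, signature over both) but is a simplified model, not a real implementation.

```python
"""Model of why origin-bound MFA resists an adversary-in-the-middle relay.

Added educational example; all origins, keys and the HMAC-based
"signature" are constructed stand-ins for a simplified WebAuthn flow.
"""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example"           # constructed relying-party origin
RP_ID = "login.example"                           # constructed WebAuthn rpId
LOOKALIKE_ORIGIN = "https://login-example.test"   # constructed phishing-page origin


class Authenticator:
    """Models a security key. An HMAC key stands in for the private key so the
    example is stdlib-only; real WebAuthn uses an asymmetric signature."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.rp_id = RP_ID  # the credential was registered for this rpId

    def assertion(self, challenge: str, browser_origin: str,
                  browser_enforces_rp_id: bool = True) -> dict:
        # A real browser only offers a credential when the page's effective
        # domain equals the rpId or is a subdomain of it. The flag lets the
        # server-side check below be exercised on its own.
        domain = browser_origin.split("://", 1)[1]
        if browser_enforces_rp_id and not (
                domain == self.rp_id or domain.endswith("." + self.rp_id)):
            raise PermissionError("credential not usable from this origin")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge,
             "origin": browser_origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(self.rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "sig": hmac.new(self.key, signed, hashlib.sha256).digest()}


class RelyingParty:
    """Models the legitimate service verifying the second factor."""

    def __init__(self, authenticator_key: bytes):
        self.key = authenticator_key
        self.issued = set()  # outstanding challenges, each usable once

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(16)
        self.issued.add(c)
        return c

    def verify_webauthn(self, a: dict) -> bool:
        cd = json.loads(a["client_data"])
        if cd.get("type") != "webauthn.get":
            return False
        if cd.get("challenge") not in self.issued:
            return False  # unknown or already-used challenge (replay)
        if cd.get("origin") != LEGIT_ORIGIN:
            return False  # origin binding: assertion was made on another site
        if a["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        expected = hmac.new(self.key, a["auth_data"] +
                            hashlib.sha256(a["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, a["sig"]):
            return False
        self.issued.discard(cd["challenge"])
        return True

    @staticmethod
    def verify_totp(code: str, expected_code: str) -> bool:
        # Nothing in a one-time code records where the user typed it.
        return hmac.compare_digest(code, expected_code)


def totp_relayed_through_proxy() -> bool:
    """Victim types the current code into the lookalike page; the relay
    forwards it unchanged and the service has no way to tell."""
    current_code = "492817"  # constructed: what the victim's app shows now
    forwarded_by_relay = current_code  # captured on the fake page, passed on
    return RelyingParty.verify_totp(forwarded_by_relay, current_code)


def webauthn_relayed_through_proxy(browser_enforces_rp_id: bool = True) -> str:
    """Same relay, but the second factor is an origin-bound credential."""
    auth = Authenticator()
    rp = RelyingParty(auth.key)
    challenge = rp.new_challenge()  # a genuine challenge, forwarded by the relay
    try:
        a = auth.assertion(challenge, LOOKALIKE_ORIGIN, browser_enforces_rp_id)
    except PermissionError:
        return "blocked_by_browser"
    return "accepted" if rp.verify_webauthn(a) else "rejected_by_rp"


def webauthn_direct() -> tuple:
    """Legitimate login, then an attempted replay of the same assertion."""
    auth = Authenticator()
    rp = RelyingParty(auth.key)
    a = auth.assertion(rp.new_challenge(), LEGIT_ORIGIN)
    return rp.verify_webauthn(a), rp.verify_webauthn(a)


if __name__ == "__main__":
    print("TOTP via relay accepted:", totp_relayed_through_proxy())
    print("WebAuthn via relay:", webauthn_relayed_through_proxy())
    print("WebAuthn via relay, no browser check:",
          webauthn_relayed_through_proxy(browser_enforces_rp_id=False))
    print("WebAuthn direct (first, replay):", webauthn_direct())
```

Two independent layers stop the relayed login: the browser never offers the credential to a page whose domain does not match the rpId, and even if it did, the service rejects an assertion whose signed origin is not its own. Because authentication never completes, no session token is issued for the relay to capture, which is the property the article's "phishing-resistant" wording refers to.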

Although operations like this manage to disrupt criminal infrastructures, experts warn that the criminal ecosystem tends to adapt quickly.

Therefore, the combination of shared intelligence, legal action, and continuous improvements to digital defenses will remain essential.