Tycoon 2FA Phishing Network Dismantled By Global Taskforce

A phishing platform linked to nearly 62% of attacks blocked by Microsoft in 2025 has been dismantled. The takedown removes one of the most widely used phishing toolkits targeting online accounts and crypto platforms.

The operation, known as Tycoon 2FA, enabled criminals to bypass multi-factor authentication protections. Investigators say the toolkit generated tens of millions of phishing emails monthly and facilitated unauthorized access to nearly 100,000 organizations worldwide.

Coinbase said it helped trace blockchain transactions tied to the service, allowing authorities to identify the alleged administrator and several customers. The investigation involved cooperation with Europol and Microsoft, according to statements released Wednesday.

Authorities say Tycoon operated a subscription-based model. The toolkit intercepted live login sessions and captured authentication cookies, allowing attackers to access accounts without triggering additional security checks.

How Did Tycoon 2FA Bypass Multi-Factor Authentication?

According to Europol, the platform allowed attackers to hijack authenticated user sessions in real time. By capturing session cookies from victims who had already completed verification steps, the attackers could enter accounts as if they were the legitimate user.
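
Defenders can look for the session hijacking described above by checking whether one session cookie appears from more than one client context after verification. The following is an added example, not code from Europol, Microsoft or Coinbase; the log format, its field names and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample log (assumed format): time, session id, source IP, user agent, event.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z s-1001 198.51.100.7 UA-Chrome-Win mfa_success
2025-01-10T09:00:05Z s-1001 198.51.100.7 UA-Chrome-Win request
2025-01-10T09:02:40Z s-1001 203.0.113.50 UA-Python request
2025-01-10T09:05:00Z s-2002 192.0.2.10 UA-Safari-Mac mfa_success
2025-01-10T09:06:00Z s-2002 192.0.2.99 UA-Safari-Mac request
"""

def context_of(ip, user_agent):
    """Reduce a client to (network, user agent) so address churn inside one
    network is tolerated while a move to another network is not."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (str(network), user_agent)

def find_replayed_sessions(log_text):
    """Return one alert per request whose session cookie is presented from a
    different context than the one recorded when MFA completed."""
    bound = {}   # session id -> context recorded at mfa_success
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, sid, ip, user_agent, event = parts
        try:
            ctx = context_of(ip, user_agent)
        except ValueError:
            continue  # skip lines with an unparsable address
        if event == "mfa_success":
            bound[sid] = ctx
        elif sid in bound and ctx != bound[sid]:
            changed = [name for name, old, new
                       in zip(("network", "user_agent"), bound[sid], ctx)
                       if old != new]
            alerts.append({"time": ts, "session": sid, "ip": ip, "changed": changed})
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

Because the login itself is relayed through the phishing service, the context recorded at verification time may already be the relay's; this check only catches the cookie moving to a different client afterwards.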

Europol’s announcement, titled “Global phishing-as-a-service platform taken down in coordinated public-private action – Intelligence shared through Europol’s Cyber Intelligence Extension Programme leads to operational results”, reads:

“A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol. The service, known as Tycoon 2FA, provided cybercriminals with a subscription-based toolkit designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers.”

The scale of the campaign illustrates how phishing tactics continue to evolve. Even as crypto-related phishing losses dropped 83% in 2025 compared with the prior year, attackers have adopted more technical exploits targeting wallet permissions and signature approvals.

Security researchers say the threat remains significant. Data from CertiK identified phishing as the third most expensive attack vector in 2025 across the crypto sector.

Coinbase said the investigation is still active.

“We’re actively working to identify Tycoon purchasers and will continue supporting law enforcement efforts focused on the people who bought and used this service to target victims,” the company said.

But the takedown raises a broader question for digital security teams: how many similar phishing services remain active across the cybercrime ecosystem?

Law enforcement agencies say further arrests may follow as investigators analyze transaction trails linked to the service’s users, a process that could expand the crackdown on organized phishing networks in the months ahead.
