Tycoon 2FA Phishing Service Hit by Europol, Microsoft & Coinbase in Global Crackdown

A large-scale phishing service that helped criminals bypass multi-factor authentication and break into thousands of organizations worldwide has been shut down in a coordinated international operation supported by Europol.

In a statement, the agency said the coordinated operation brought together law enforcement authorities from six countries and a range of major industry partners, including Microsoft, Coinbase, Cloudflare, and Proofpoint, among others, to take down the Tycoon 2FA platform.

Subscription Service for MFA Bypass Taken Offline

Tycoon 2FA operated as a subscription-based “phishing-as-a-service” business, with its operators selling customers ready-made tools that could intercept live authentication sessions and allow attackers to log into email and cloud services even when accounts were protected by multi-factor authentication.

As part of the takedown, authorities seized and disrupted 330 domains that formed the backbone of the service, hosting phishing pages and control panels used to manage stolen credentials and live sessions.

The technical disruption was led by Microsoft and backed by a coalition of private-sector partners, while law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom carried out domain seizures and other operational measures on the ground under Europol’s coordination.

Platform Affected Nearly 100,000 Organizations

Investigators say Tycoon 2FA, active since at least August 2023, allowed thousands of cybercriminals to break into email and cloud accounts at scale.

Every month, the platform spewed tens of millions of phishing emails, giving attackers a way into nearly 100,000 organizations worldwide, from hospitals and schools to public-sector bodies. By mid-2025, Microsoft said Tycoon 2FA was behind roughly 62% of the phishing attempts its systems stopped, highlighting just how dominant the service had become.

Tech Firms, Crypto Platforms and Police Align Against Tycoon 2FA

The investigation began when cybersecurity company Trend Micro shared intelligence about the platform with Europol. That information was circulated through Europol’s European Cybercrime Center advisory networks, allowing an operational strategy to be drawn up and additional industry partners to be brought into the case.

Through Europol’s Cyber Intelligence Extension Program, Microsoft and Trend Micro worked directly with law enforcement to analyze infrastructure, identify key domains, and develop technical methods to disrupt the service.

On the law enforcement side, the operation involved the State Police of Latvia, Spain’s National Police, and the United Kingdom’s National Crime Agency, along with other agencies, while private-sector support came from Microsoft, Coinbase, and Cloudflare, as well as other industry players, under Europol’s coordination.

From Schools to Hospitals: Tycoon 2FA Fueled 64,000 Attacks Globally

Security analysts link Tycoon 2FA to tens of millions of phishing emails every month and more than 64,000 recorded phishing incidents, enabling unauthorized access to nearly 100,000 organizations worldwide, from small businesses to hospitals, schools, and public institutions.

SpyCloud’s analysis of stolen data tied to the platform identified over 150,000 phished credentials, with the highest concentration of victims in the United States, followed by the United Kingdom, Canada, India and France.

Cloudflare and Proofpoint describe Tycoon 2FA as a leading adversary-in-the-middle phishing kit driving business email compromise campaigns, lowering the barrier for less skilled criminals to run sophisticated account-takeover attacks.

Disclaimer: All content provided on Times Crypto is for informational purposes only and does not constitute financial or trading advice. Trading and investing involve risk and may result in financial loss. We strongly recommend consulting a licensed financial advisor before making any investment decisions.

Ebrahem is a Web3 journalist, trader, and content specialist with 9+ years of experience covering crypto, finance, and emerging tech. He previously worked as a lead journalist at Cointelegraph AR, where he reported on regulatory shifts, institutional adoption, and sector-defining events. Focused on bridging the gap between traditional finance and the digital economy, Ebrahem writes with a simple, clear, high-impact style that helps readers see the full picture without the noise.
