Global Operation Targets Major Phishing Platform
A coalition of technology companies and law enforcement agencies has dismantled the core infrastructure behind Tycoon 2FA, a phishing-as-a-service platform used by cybercriminals to bypass multi-factor authentication and steal credentials.
The takedown involved cooperation between Coinbase, Microsoft, and the European law enforcement agency Europol.
According to Europol, Microsoft helped block 330 domains associated with the phishing operation, while law enforcement agencies seized additional infrastructure used to run the service.
The crackdown also relied heavily on financial tracing. Coinbase analysts tracked blockchain transactions connected to Tycoon 2FA, helping investigators identify both the platform’s alleged administrator and several buyers who used its tools.
One of the Largest Phishing Operations
Tycoon 2FA had been active since at least 2023 and quickly grew into one of the most significant phishing infrastructures on the internet.
Steven Masada of Microsoft’s Digital Crimes Unit said the platform was responsible for 62% of phishing attempts Microsoft blocked by mid-2025.
In one month alone, the system generated more than 30 million phishing emails, making it one of the largest phishing campaigns ever observed.
Masada said the platform lowered the technical barrier for cybercriminals by providing ready-made tools that allowed even inexperienced attackers to launch sophisticated impersonation campaigns.
How Tycoon 2FA Bypassed Security Systems
Tycoon 2FA operated by generating spoofed login pages designed to mimic legitimate websites. Victims would enter their usernames and passwords on these fake pages, believing they were authentic.
The platform went further by capturing session cookies and authentication tokens. Normally, when users complete a login process with multi-factor authentication, a session token is generated and stored in their browser.
If attackers steal that token, they can reuse it to bypass security checks and gain access to accounts without needing the second authentication factor.
Coinbase explained that combining realistic phishing pages with token theft allowed criminals to easily conduct account takeovers and other forms of fraud.
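A defender-side illustration of the token reuse described above, added here and not taken from Microsoft, Coinbase or Europol: it scans sign-in records and flags a session token presented by a client (IP address and user agent) other than the one that completed multi-factor authentication. The log schema, field names and sample events are assumptions constructed for this example.

```python
"""Flag session tokens used from a client other than the one that passed MFA."""
# Added illustration. The record fields (ts, user, session_id, ip, user_agent,
# event) are an assumed log schema, not any vendor's format.
from dataclasses import dataclass

# Constructed sample events (documentation IP ranges, made-up session ids).
SAMPLE_EVENTS = [
    {"ts": 100, "user": "alice", "session_id": "s-1", "ip": "198.51.100.10",
     "user_agent": "Firefox/128", "event": "mfa_success"},
    {"ts": 130, "user": "alice", "session_id": "s-1", "ip": "198.51.100.10",
     "user_agent": "Firefox/128", "event": "token_use"},
    {"ts": 160, "user": "alice", "session_id": "s-1", "ip": "203.0.113.77",
     "user_agent": "python-requests/2.32", "event": "token_use"},
    {"ts": 200, "user": "bob", "session_id": "s-2", "ip": "192.0.2.5",
     "user_agent": "Chrome/126", "event": "mfa_success"},
    {"ts": 220, "user": "bob", "session_id": "s-2", "ip": "192.0.2.5",
     "user_agent": "Chrome/126", "event": "token_use"},
    {"ts": 300, "user": "carol", "session_id": "s-9", "ip": "192.0.2.44",
     "user_agent": "Safari/17", "event": "token_use"},  # no MFA event seen
]

@dataclass(frozen=True)
class Alert:
    session_id: str
    user: str
    reason: str
    ts: int

def find_token_replay(events):
    """Return alerts for tokens used off the client that completed MFA."""
    bound = {}   # session_id -> (ip, user_agent) recorded at mfa_success
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        client = (e["ip"], e["user_agent"])
        sid = e["session_id"]
        if e["event"] == "mfa_success":
            bound[sid] = client
        elif e["event"] == "token_use":
            if sid not in bound:
                alerts.append(Alert(sid, e["user"], "token_without_mfa", e["ts"]))
            elif bound[sid] != client:
                alerts.append(Alert(sid, e["user"], "client_mismatch", e["ts"]))
    return alerts

if __name__ == "__main__":
    for a in find_token_replay(SAMPLE_EVENTS):
        print(a)
```

A mismatch is a signal to investigate rather than proof of theft, since legitimate users also change networks and browsers mid-session.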
Wider Impact Beyond Crypto
Although the crypto sector has been a frequent target, Tycoon’s phishing tools were used across many industries, including healthcare, education, and corporate environments.
Victims reported incidents involving stolen data, hijacked email accounts, redirected invoices, and ransomware attacks.
Microsoft noted that the platform’s widespread availability made it particularly dangerous because it enabled criminals with minimal technical knowledge to run complex phishing operations.
Phishing Remains a Major Crypto Threat
Security researchers warn that phishing attacks remain one of the biggest risks facing crypto users.
Blockchain security firm CertiK reported that phishing scams ranked as the second-largest crypto security threat in 2025, causing $722 million in losses across 248 incidents.
A spokesperson from PeckShield recently described phishing as a “persistent threat” that continues to evolve in 2026 despite improved security tools.
Disrupting the Criminal Ecosystem
By shutting down Tycoon 2FA’s infrastructure, authorities have temporarily disrupted a major pipeline for credential theft.
However, cybersecurity experts caution that phishing networks tend to reappear quickly, often under new names or platforms.
Still, the joint operation marks a significant victory in the ongoing fight against cybercrime, particularly as phishing remains one of the most effective entry points for large-scale financial fraud.



