Global Law Enforcement Dismantle Massive "Tycoon 2FA" Phishing-as-a-Service Platform Targeting 500,000 Organizations Monthly

Microsoft and Europol take down Tycoon 2FA, a PhaaS platform that bypassed MFA to target 500k organizations monthly. 330 domains seized.

By: AXL Media

Published: Mar 5, 2026, 7:20 AM EST

Source: The information in this article was sourced from ITPro


The Takedown of a Digital Extortion Powerhouse

In a significant victory for global cybersecurity, Microsoft’s Digital Crimes Unit, Europol’s European Cybercrime Centre (EC3), and several private security firms have successfully dismantled the infrastructure of "Tycoon 2FA." Since its emergence in August 2023, the Phishing-as-a-Service (PhaaS) platform has been a primary engine for large-scale account compromises. The coordinated strike resulted in the seizure of 330 domains that formed the operational heart of the service, effectively neutralizing the control panels and landing pages used by cybercriminals to harvest sensitive data.

Bypassing MFA: The Adversary-in-the-Middle Strategy

Tycoon 2FA gained notoriety for its sophisticated use of Adversary-in-the-Middle (AitM) proxying. Unlike traditional phishing that merely steals passwords, this platform acted as a "man-in-the-middle" between the victim and legitimate services like Microsoft 365 or Google. When a user entered their credentials and MFA code, Tycoon 2FA passed them to the real service in real time. Once the identity was confirmed, the platform intercepted the session token before it reached the victim's browser. This allowed attackers to gain full, authenticated access to accounts without ever needing to trigger a second MFA prompt.
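
Because the intercepted session token is later used from the attacker's own client, one detection signal is a session that is used from a different IP address or user agent than the one that completed MFA. The following is an added example, not code from the article or its sources; the event types, field names, and sample records are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample events. Field names and event types are assumptions for
# this example, not the schema of any real identity provider's sign-in log.
FIELDS = ("ts", "user", "session", "event", "ip", "ua")
EVENTS = [
    ("2026-03-01T09:00:05", "alice", "s-100", "mfa_success", "203.0.113.10", "Chrome/122 Windows"),
    ("2026-03-01T09:00:40", "alice", "s-100", "token_use", "203.0.113.10", "Chrome/122 Windows"),
    ("2026-03-01T09:03:12", "alice", "s-100", "token_use", "198.51.100.77", "Firefox/115 Linux"),
    ("2026-03-01T10:15:00", "bob", "s-200", "mfa_success", "192.0.2.5", "Safari/17 macOS"),
    ("2026-03-01T11:40:00", "bob", "s-200", "token_use", "192.0.2.99", "Safari/17 macOS"),
    ("2026-03-01T12:00:00", "carol", "s-300", "mfa_success", "192.0.2.44", "Edge/122 Windows"),
    ("2026-03-01T12:01:00", "carol", "s-300", "token_use", "192.0.2.44", "Edge/122 Windows"),
]

def find_session_replay(rows):
    """Flag sessions used from a client other than the one that passed MFA."""
    events = sorted((dict(zip(FIELDS, r)) for r in rows),
                    key=lambda e: datetime.fromisoformat(e["ts"]))
    issued = {}        # session id -> the event that completed MFA
    reported = set()   # (session, ip, ua) already flagged, to avoid duplicates
    findings = []
    for e in events:
        sid = e["session"]
        if e["event"] == "mfa_success":
            issued.setdefault(sid, e)
            continue
        first = issued.get(sid)
        if first is None or e["ip"] == first["ip"]:
            continue   # no issuance record, or same network origin
        key = (sid, e["ip"], e["ua"])
        if key in reported:
            continue
        reported.add(key)
        # An IP change alone is common (VPN, mobile roaming); a simultaneous
        # user-agent change is a much stronger replay indicator.
        ua_changed = e["ua"] != first["ua"]
        delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(first["ts"])
        findings.append({
            "user": e["user"], "session": sid,
            "mfa_ip": first["ip"], "seen_ip": e["ip"],
            "severity": "high" if ua_changed else "low",
            "seconds_after_mfa": int(delta.total_seconds()),
        })
    return findings

if __name__ == "__main__":
    for f in find_session_replay(EVENTS):
        print(f)
```

In this constructed data the first session changes both IP address and user agent minutes after MFA and is rated high, while the second changes only its IP address and is rated low for analyst triage.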

The Democratization of Cybercrime via Low-Cost Kits

The platform significantly lowered the barriers to entry for aspiring cybercriminals by offering a complete, easy-to-use ecosystem. Phishing kits were marketed for as little as $120 for ten days of access, or $350 for a full month. These packages included convincing templates and realistic landing pages that scaled rapidly. By the middle of 2024, Tycoon 2FA was responsible for approximately 62% of all phishing attempts blocked by Microsoft, reaching over 500,000 organizations every month across the education, healthcare, finance, and government sectors.
