In a significant blow to cybercrime, a coalition of tech companies and law enforcement agencies, including Coinbase and Microsoft, has dismantled the core infrastructure of Tycoon 2FA, a notorious phishing-as-a-service platform. The operation, announced by Europol, marks a crucial step in the ongoing battle against sophisticated online threats.
Phishing remains a pervasive issue in the digital landscape, and platforms like Tycoon 2FA have been instrumental in lowering the technical barrier for criminals to execute sophisticated attacks. According to Europol, Microsoft played a pivotal role in blocking 330 domains linked to the platform, while law enforcement seized additional key infrastructure. This collaborative effort not only disrupts the operations of Tycoon 2FA but also sends a strong message to other cybercriminals.
The Role of Financial Tracing
Financial tracing was a critical aspect of the operation. Coinbase, a leading cryptocurrency exchange, assisted by tracing blockchain-related transactions that funded Tycoon 2FA. This forensic work helped identify the platform’s alleged administrator and buyers, providing law enforcement with actionable intelligence.
“Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and initial access, and forces criminals to rebuild, retool, and take on more risk,” said a Coinbase spokesperson.
The Threat Landscape
Blockchain security firm CertiK flagged phishing scams as the second-largest threat in 2025, costing crypto investors $722 million across 248 incidents. PeckShield, a cybersecurity firm, noted that phishing remains a “persistent threat” in 2026, highlighting the ongoing need for vigilance and advanced security measures.
Tycoon 2FA’s toolkit included high-fidelity spoofed landing pages designed to steal users’ credentials for legitimate websites. It also captured session cookies and tokens, allowing attackers to bypass multi-factor authentication (MFA) protections. When a user logs in using MFA, the system generates a session token stored in the user’s browser. If a hacker steals this token, they can use it to bypass MFA, making phishing a reliable on-ramp for larger crimes like account takeovers and business email compromise.
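A defensive illustration of the token-theft problem described above, added here and not part of the original article: a session token that passed MFA on one client and later appears from a different client is a replay signal worth alerting on. The log format, field names and sample events are constructed assumptions.

```python
import json

# Constructed sample events, one JSON object per line (field names are assumptions).
SAMPLE_EVENTS = """
{"ts":"2025-06-01T09:00:05Z","event":"mfa_success","user":"alice","session":"s-100","ip":"198.51.100.7","ua":"Firefox/126"}
{"ts":"2025-06-01T09:01:10Z","event":"request","user":"alice","session":"s-100","ip":"198.51.100.7","ua":"Firefox/126"}
{"ts":"2025-06-01T09:10:00Z","event":"mfa_success","user":"bob","session":"s-200","ip":"203.0.113.20","ua":"Chrome/125"}
{"ts":"2025-06-01T09:10:30Z","event":"request","user":"bob","session":"s-200","ip":"203.0.113.20","ua":"Chrome/125"}
{"ts":"2025-06-01T09:12:40Z","event":"request","user":"bob","session":"s-200","ip":"192.0.2.55","ua":"python-requests/2.31"}
{"ts":"2025-06-01T09:12:41Z","event":"request","user":"bob","session":"s-200","ip":"192.0.2.55","ua":"python-requests/2.31"}
{"ts":"2025-06-01T09:20:00Z","event":"request","user":"carol","session":"s-300","ip":"192.0.2.90","ua":"Chrome/125"}
"""

def find_replayed_sessions(log_text):
    """Flag sessions used by a client other than the one that completed MFA."""
    bound = {}      # session id -> (ip, ua) recorded when MFA succeeded
    seen = set()    # (session, reason) pairs already reported, to avoid repeats
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        sid, client = e["session"], (e["ip"], e["ua"])
        if e["event"] == "mfa_success":
            bound[sid] = client
            continue
        if e["event"] != "request":
            continue
        if sid not in bound:
            reason = "no_mfa_binding"      # token in use with no MFA event on record
        elif client != bound[sid]:
            changed = [n for n, new, old in zip(("ip", "ua"), client, bound[sid]) if new != old]
            reason = "+".join(changed) + "_changed"
        else:
            continue                       # same client that passed MFA
        if (sid, reason) not in seen:
            seen.add((sid, reason))
            alerts.append({"session": sid, "user": e["user"], "reason": reason, "ts": e["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print(alert)
```

IP addresses and user agents also change for legitimate reasons, so a hit is a prompt to re-challenge for MFA or revoke the session rather than proof of compromise.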
The Scale of the Operation
Tycoon 2FA has been active since at least 2023, and by mid-2025, it accounted for 62% of phishing attempts Microsoft blocked, including over 30 million emails in a single month. Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, emphasized the platform’s global impact: “That placed Tycoon 2FA among the largest phishing operations globally. By lowering the technical barrier to entry, it allowed criminals with limited expertise to run sophisticated impersonation campaigns.”
The impact of Tycoon 2FA extended beyond the cryptocurrency sector. Industries from healthcare to education fell victim to its campaigns, resulting in rerouted invoices, stolen sensitive data, locked networks, and disruptions to patient care. The takedown of this infrastructure is a significant win for cybersecurity, helping to protect individuals and organizations from a wide range of follow-on attacks.
Looking Forward
The dismantling of Tycoon 2FA is a testament to the power of collaboration between tech companies and law enforcement. However, the battle against cybercrime is far from over. As new threats emerge, it is crucial for the industry to remain vigilant and continue to innovate in security measures. The success of this operation sets a precedent for future collaborations and underscores the importance of a coordinated approach in combating cyber threats.
