Major Phishing Platform 'Tycoon 2FA' Dismantled Through Joint Effort by Europol, Microsoft and Coinbase

A collaborative operation between major technology firms and international law enforcement agencies has successfully disrupted Tycoon 2FA, a significant phishing-as-a-service operation that provided cybercriminals with sophisticated credential-stealing capabilities.

An alliance comprising technology corporations and law enforcement authorities, with Coinbase among them, has successfully taken down the central infrastructure powering Tycoon 2FA, a significant phishing-as-a-service operation that provided cybercriminals with capabilities to circumvent multi-factor authentication systems.

On Wednesday, Europol made public that Microsoft contributed by blocking 330 domains connected to the operation, with law enforcement agencies seizing other critical infrastructure components.

Financial investigation played a crucial role in the operation. According to Coinbase, the company assisted by tracking the blockchain transactions that financed Tycoon 2FA, leading to the identification of both the platform's suspected administrator and its customers.

"Taking Tycoon's core infrastructure offline cuts off a major pipeline for credential theft and initial access, and forces criminals to rebuild, retool, and take on more risk," Coinbase said.
[Image: 330 domains associated with Tycoon 2FA were blocked with Microsoft's assistance. Source: Europol]

Blockchain security company CertiK identified phishing scams as the second-most significant threat in 2025, with crypto investors losing $722 million across 248 separate incidents. On Monday, a PeckShield representative told Cointelegraph that phishing continues to represent a "persistent threat" in 2026.

Tycoon tools used to bypass multi-factor authentication

The toolkit provided by Tycoon featured fraudulent landing pages crafted to capture user login credentials from authentic websites. Additionally, it harvested session cookies and tokens, enabling threat actors to circumvent MFA security measures, as reported by Coinbase.

Typically, when users authenticate using MFA, the platform creates a session token. This token serves as authentication verification and gets saved in the user's web browser. When cybercriminals obtain this token, they can leverage it to deceive the system and circumvent MFA.
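The following is an added example, not code from the article or from Coinbase, Microsoft or Europol. It shows one defensive check that follows from the paragraph above: record which client completed MFA for each session token, then flag the token when a different client presents it. The event fields, reason strings, severity levels and sample log lines are constructed assumptions.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts user session_id ip user_agent kind")

# Constructed sample events for illustration (documentation IP ranges), not real logs.
SAMPLE_EVENTS = [
    Event("2026-03-04T09:00:02Z", "alice", "sess-A1", "203.0.113.10", "Firefox/Windows", "mfa_login"),
    Event("2026-03-04T09:05:40Z", "alice", "sess-A1", "203.0.113.10", "Firefox/Windows", "request"),
    Event("2026-03-04T09:06:11Z", "alice", "sess-A1", "198.51.100.77", "python-requests", "request"),
    Event("2026-03-04T09:10:00Z", "bob", "sess-B7", "192.0.2.5", "Chrome/macOS", "mfa_login"),
    Event("2026-03-04T09:30:00Z", "bob", "sess-B7", "192.0.2.5", "Chrome/macOS", "request"),
    Event("2026-03-04T09:31:00Z", "carol", "sess-C9", "192.0.2.44", "Safari/iOS", "request"),
    Event("2026-03-04T09:40:00Z", "dave", "sess-D3", "192.0.2.80", "Chrome/Android", "mfa_login"),
    Event("2026-03-04T09:41:00Z", "dave", "sess-D3", "192.0.2.81", "Chrome/Android", "request"),
]


def find_token_replay(events):
    """Flag session tokens presented by a client other than the one that passed MFA.

    Returns (session_id, user, reason, severity) tuples in time order.
    """
    bound = {}   # session_id -> (ip, user_agent) recorded when MFA completed
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_login":
            bound[ev.session_id] = (ev.ip, ev.user_agent)
            continue
        if ev.session_id not in bound:
            # Token in use with no MFA event on record: it cannot be tied to a client.
            alerts.append((ev.session_id, ev.user, "no_mfa_seen", "medium"))
            continue
        ip, ua = bound[ev.session_id]
        changed = [name for name, old, new in
                   (("ip", ip, ev.ip), ("user_agent", ua, ev.user_agent)) if old != new]
        if changed:
            # An IP change alone is common (mobile, VPN); IP and browser changing
            # together mid-session is the stronger sign of a copied token.
            severity = "high" if len(changed) == 2 else "low"
            alerts.append((ev.session_id, ev.user, "+".join(changed) + "_changed", severity))
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_EVENTS):
        print(alert)
```
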

[Image. Source: Paul Grewal]

"That combination, high-fidelity lures plus session-token theft, turns phishing into a reliable on-ramp for bigger crimes like account takeovers, business email compromise, invoice fraud, and follow-on social engineering," Coinbase said.

One of the largest scam platforms in the world

According to Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, Tycoon has been operational since at least 2023. By the middle of 2025, Tycoon was responsible for 62% of phishing attempts that Microsoft intercepted, which included more than 30 million emails within just one month.

"That placed Tycoon 2FA among the largest phishing operations globally. By lowering the technical barrier to entry, it allowed criminals with limited expertise to run sophisticated impersonation campaigns," said Steven Masada of Microsoft's Digital Crimes Unit.

According to Masada, sectors ranging from healthcare to education became victims of Tycoon 2FA, leading to redirected invoices, compromised sensitive information, encrypted networks and interruptions to patient care services.

"Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such as data theft, ransomware, business email compromise, and financial fraud," Masada said.