
Europol-Led Operation Disrupts Tycoon 2FA Phishing Scheme Linked to Thousands of Attacks

  • Mar 6
  • 2 min read

Key Findings


  • Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform, was dismantled by a coalition of law enforcement agencies and security companies led by Europol.

  • The subscription-based phishing kit, which emerged in August 2023, was described as one of the largest phishing operations worldwide.

  • Tycoon 2FA's primary developer is alleged to be Saad Fridi, who is said to be based in Pakistan.

  • The platform enabled thousands of cybercriminals to covertly access email and cloud-based service accounts, generating tens of millions of phishing emails each month and facilitating unauthorized access to nearly 100,000 organizations globally.

  • As part of the coordinated effort, 330 domains that formed the backbone of the criminal service have been taken down.


Background


  • Tycoon 2FA was one of the prominent phishing-as-a-service (PhaaS) toolkits that allowed cybercriminals to stage adversary-in-the-middle (AitM) credential harvesting attacks at scale.

  • The kit was sold via Telegram and Signal, starting at $120 for 10 days of access or $350 for a month of access to a web-based administration panel.

  • The panel served as a hub for configuring, tracking, and refining campaigns, featuring pre-built templates, attachment files, domain and hosting configuration, redirect logic, and victim tracking.

  • Operators could also configure how the malicious content was delivered through attachments and keep tabs on valid and invalid sign-in attempts.

  • The captured information, such as credentials, multi-factor authentication (MFA) codes, and session cookies, could be downloaded directly within the panel or forwarded to Telegram for near-real-time monitoring.


Tycoon 2FA's Impact and Scale


  • Tycoon 2FA was linked to over 64,000 phishing incidents and tens of thousands of domains, generating tens of millions of phishing emails each month.

  • Microsoft blocked more than 13 million malicious emails linked to the crimeware service in October 2025, with Tycoon 2FA accounting for approximately 62% of all phishing attempts blocked by the company as of mid-2025.

  • The service has been linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.

  • Geographic analysis of victim log data indicates that the U.S. had the largest concentration of identified victims, followed by the U.K., Canada, India, and France.

  • Tycoon 2FA was the highest-volume AitM phishing threat observed by Proofpoint, which saw over three million messages associated with the kit in February 2026 alone.


Tycoon 2FA's Techniques and Capabilities


  • The kit employed techniques like keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages to sidestep detection efforts.

  • It also used a broader mix of top-level domains (TLDs) and short-lived fully qualified domain names (FQDNs) to host the phishing infrastructure on Cloudflare, with the FQDNs often lasting only 24 to 72 hours.

  • Tycoon 2FA's success was attributed to closely mimicking legitimate sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. Because the kit relayed the victim's sign-in to the real service and captured the resulting session cookie, threat actors could replay that cookie to keep access even after passwords were reset; a stolen session stays valid until the session itself is revoked.
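
The persistence described above is visible in sign-in telemetry: a session cookie minted for one network is later presented from another, and keeps being presented after the user's password reset. The following script, added here as an example and not code from the original post or from any vendor, shows that detection over a constructed event stream. The Event layout, the IPs (RFC 5737 documentation ranges) and the ASNs (RFC 5398 private range) are all assumptions for illustration; map them onto your own identity provider's sign-in logs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str                 # "signin", "token_use" or "password_reset"
    session: Optional[str]    # session cookie / token id; None for password_reset
    ip: str
    asn: Optional[int]        # autonomous system number of the client IP


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry (assumed layout, not real log data).
# alice: session replayed from a second network and still used after her password reset.
# bob:   normal, single-network session.
# carol: session seen from a second ASN but no reset involved (could be legitimate roaming).
SAMPLE = [
    Event(_t("2026-03-02T09:00:00"), "alice", "signin",         "S-1", "198.51.100.7",  64496),
    Event(_t("2026-03-02T09:12:00"), "alice", "token_use",      "S-1", "203.0.113.45",  64500),
    Event(_t("2026-03-02T10:30:00"), "alice", "password_reset", None,  "198.51.100.7",  64496),
    Event(_t("2026-03-02T11:05:00"), "alice", "token_use",      "S-1", "203.0.113.45",  64500),
    Event(_t("2026-03-02T09:05:00"), "bob",   "signin",         "S-2", "198.51.100.20", 64496),
    Event(_t("2026-03-02T09:40:00"), "bob",   "token_use",      "S-2", "198.51.100.20", 64496),
    Event(_t("2026-03-02T08:50:00"), "carol", "signin",         "S-3", "198.51.100.31", 64497),
    Event(_t("2026-03-02T12:10:00"), "carol", "token_use",      "S-3", "203.0.113.9",   64498),
]


def detect_session_replay(events):
    """Flag sessions presented from an ASN other than the one that signed in.

    A cookie captured by an AitM proxy is replayed from the attacker's network,
    so it shows up under a second ASN. If that usage continues after the user's
    password is reset, the password change achieved nothing: the session must
    be revoked explicitly.
    """
    by_session = defaultdict(list)
    resets = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "password_reset":
            resets[e.user].append(e.ts)
        elif e.session is not None:
            by_session[e.session].append(e)

    findings = []
    for sid, evs in by_session.items():
        # The sign-in event defines the "home" ASN for the session.
        origin = next((e for e in evs if e.kind == "signin"), evs[0])
        foreign = [e for e in evs if e.asn != origin.asn]     # already in time order
        if not foreign:
            continue
        last_foreign = max(foreign, key=lambda e: e.ts)
        after_reset = any(last_foreign.ts > r for r in resets[origin.user])
        findings.append({
            "session": sid,
            "user": origin.user,
            "origin_asn": origin.asn,
            "foreign_asns": sorted({e.asn for e in foreign}),
            "first_foreign_use": foreign[0].ts,
            "used_after_password_reset": after_reset,
        })
    return findings


def sessions_to_revoke(findings):
    """Sessions that outlived a password reset and therefore still need revoking."""
    return sorted(f["session"] for f in findings if f["used_after_password_reset"])


if __name__ == "__main__":
    found = detect_session_replay(SAMPLE)
    for f in found:
        print(f)
    print("revoke:", sessions_to_revoke(found))
```

An ASN change on its own is noisy (laptops move between office, home and mobile networks), so treat the "foreign ASN" finding as a lead to correlate with other signals, and treat "used after password reset" as the actionable one: that is the case where only revoking the session, not changing the password, ends the attacker's access.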


Sources


  • https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html

  • https://x.com/TweetThreatNews/status/2029592908316209514

  • https://www.reddit.com/r/SecOpsDaily/comments/1rlbt75/europolled_operation_takes_down_tycoon_2fa/

  • https://www.linkedin.com/posts/dlross_europol-led-operation-takes-down-tycoon-2fa-activity-7435451598480445440-9gLx

© 2025 by Explain IT Again. Powered and secured by Wix