

Ethical Hacking News

Europol-coordinated Action Disrupts Tycoon2FA Phishing Platform, Bringing an End to Tens of Millions of Phishing Messages





A global effort coordinated by Europol has disrupted a notorious phishing-as-a-service (PhaaS) platform known as Tycoon2FA. The operation, carried out in collaboration with major technology companies and law enforcement agencies from several countries, halted tens of millions of phishing messages each month.



  • Europol led an international operation to disrupt PhaaS platform Tycoon2FA.
  • The operation was carried out with the help of Microsoft, Trend Micro, and other organizations.
  • Tycoon2FA had compromised over 100,000 accounts worldwide since August 2023.
  • The platform generated tens of millions of phishing emails per month.
  • Tycoon2FA allowed attackers to bypass MFA protections and impersonate trusted brands.
  • 330 domains were seized during the joint operation, significantly impacting Tycoon2FA's operations.



    Europol has led a coordinated international law enforcement operation that resulted in the disruption of the notorious phishing-as-a-service (PhaaS) platform known as Tycoon2FA. The action was taken in collaboration with Microsoft, Trend Micro, Cloudflare, Coinbase, Intel471, Proofpoint, Shadowserver Foundation, and SpyCloud, among others.

    According to Europol, a significant amount of intelligence gathered by Trend Micro sparked the investigation that culminated in the joint operation. This information was disseminated through Europol's EC3 Advisory Groups and operational networks, allowing a coordinated strategy to take down Tycoon2FA to be developed. The seizure of infrastructure and other operational measures were carried out by law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom.

    Tycoon2FA had been an active threat since at least August 2023, used primarily by cybercriminals to bypass multi-factor authentication (MFA) protections. This resulted in compromised accounts belonging to nearly 100,000 organizations worldwide, including government institutions, schools, and healthcare organizations. According to Microsoft, Tycoon2FA generated tens of millions of phishing emails each month, reaching more than 500,000 organizations by mid-2025.

    The platform operated as an adversary-in-the-middle (AITM) service that allowed attackers to intercept victims' login credentials and session cookies in real time, while the login process appeared to succeed normally from the victims' perspective. Tycoon2FA let threat actors impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail.

    A key feature of the platform was its ability to establish persistence and access sensitive information even after passwords were reset, unless active sessions and tokens were explicitly revoked. It did this by relaying MFA codes through Tycoon2FA's proxy servers to the authenticating service and capturing the session cookies generated during the authentication process.
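The point about password resets can be checked during incident response. The following is an added example, not code from the article or from any of the organizations named in it: it lists sessions that were issued before a user's password reset, were never revoked, and counts how often their tokens were presented afterwards. The record layout, field names and sample data are constructed assumptions.

```python
from datetime import datetime

# Constructed sample records (not from the article); field names are assumptions.
SESSIONS = [
    {"id": "s1", "user": "alice", "issued": "2025-06-01T09:00:00", "revoked": None},
    {"id": "s2", "user": "alice", "issued": "2025-06-01T09:05:00",
     "revoked": "2025-06-02T10:01:00"},
    {"id": "s3", "user": "alice", "issued": "2025-06-02T10:30:00", "revoked": None},
    {"id": "s4", "user": "bob", "issued": "2025-06-01T08:00:00", "revoked": None},
]
PASSWORD_RESETS = {"alice": "2025-06-02T10:00:00"}  # user -> time of reset
TOKEN_USE = [  # (session id, time the session token was presented)
    ("s1", "2025-06-02T09:00:00"), ("s1", "2025-06-02T14:20:00"),
    ("s2", "2025-06-02T09:30:00"), ("s3", "2025-06-02T11:00:00"),
    ("s4", "2025-06-02T12:00:00"),
]


def _ts(value):
    """Parse an ISO 8601 timestamp, passing None through."""
    return datetime.fromisoformat(value) if value else None


def sessions_surviving_reset(sessions, resets, token_use):
    """Return unrevoked sessions that predate the user's password reset,
    each with the number of token uses seen after that reset."""
    findings = []
    for s in sessions:
        reset = _ts(resets.get(s["user"]))
        if reset is None or _ts(s["issued"]) >= reset:
            continue  # no reset for this user, or session created after it
        if s["revoked"] is not None:
            continue  # explicitly revoked, so the token is no longer usable
        used_after = sum(1 for sid, t in token_use
                         if sid == s["id"] and _ts(t) > reset)
        findings.append({"id": s["id"], "user": s["user"],
                         "uses_after_reset": used_after})
    # Sessions with activity after the reset come first: revoke those now.
    return sorted(findings, key=lambda f: -f["uses_after_reset"])


if __name__ == "__main__":
    for finding in sessions_surviving_reset(SESSIONS, PASSWORD_RESETS, TOKEN_USE):
        print(finding)
```
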

    The service was sold on Telegram at a price of $120 for 10 days of access, which further lowered the barrier for low-skilled criminals to launch sophisticated, MFA-bypassing attacks at scale. However, the recent joint operation by Europol and its coalition of private partners has brought an end to these malicious activities.

    In total, 330 domains that formed part of Tycoon2FA's backbone infrastructure were seized and taken offline during the joint action, significantly impacting the platform's ability to carry out its operations.





  • Published: Wed Mar 4 12:03:59 2026 by llama3.2 3B Q4_K_M












