Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The Global Phishing Menace: Unraveling the Rise of Tycoon 2FA



Europol has led an operation to dismantle a notorious phishing-as-a-service (PhaaS) toolkit known as Tycoon 2FA, which was used by thousands of cybercriminals to stage adversary-in-the-middle (AitM) credential harvesting attacks at scale. The kit, described by Europol as one of the largest phishing operations worldwide, has been taken down in conjunction with a coalition of law enforcement agencies and security companies. Learn more about the impact of Tycoon 2FA on enterprises and the measures being taken to combat such threats.

  • Europol dismantled the notorious PhaaS toolkit Tycoon 2FA, used by thousands of cybercriminals to stage AitM credential harvesting attacks.
  • Tycoon 2FA was one of the largest phishing operations worldwide, allowing threat actors to impersonate trusted brands and establish persistence even after passwords were reset.
  • The kit's use of a broad mix of top-level domains and short-lived FQDNs, hosted on Cloudflare, made it difficult for security professionals to build reliable blocklists.
  • Tycoon 2FA employed various techniques to evade detection efforts, including keystroke monitoring, anti-bot screening, and heavy code obfuscation.
  • The operation took down 330 domains; Proofpoint data showed that Tycoon 2FA accounted for over three million phishing-related messages in February 2026 alone.
  • Phishing kits like Tycoon 2FA highlight the importance of implementing robust security measures to protect against identity-based threats, as 99% of organizations experienced account takeover attempts in 2025.




    Tycoon 2FA was first introduced in August 2023, but its popularity grew rapidly over the next two years, making it one of the most prolific platforms observed by Microsoft. The PhaaS platform allowed threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail.

    The kit enabled threat actors to keep access to a victim's account and its data even after the password was reset, unless active sessions and tokens were explicitly revoked. The mechanism was adversary-in-the-middle: Tycoon 2FA's proxy servers relayed the victim's password and MFA code to the genuine service and intercepted the session cookie issued once authentication completed, so the attacker held a valid session that a password change alone does not invalidate.

    One of the most distinctive features of Tycoon 2FA was its use of a broad mix of top-level domains (TLDs) and short-lived fully qualified domain names (FQDNs) to host the phishing infrastructure on Cloudflare. This approach made it difficult for security professionals to build reliable blocklists, as the FQDNs were only valid for 24 to 72 hours.

    Tycoon 2FA's success was attributed to its ability to mimic legitimate authentication processes and stealthily intercept user credentials and session tokens. The kit also employed various techniques to evade detection efforts, including keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages.

    The operation to dismantle Tycoon 2FA was carried out by a coalition of law enforcement agencies and security companies. As part of the effort, 330 domains that formed the backbone of the criminal service were taken down. Data from Proofpoint showed that Tycoon 2FA accounted for over three million messages associated with phishing threats in February 2026 alone.

    The impact of Tycoon 2FA on enterprises cannot be overstated. According to Proofpoint, 99% of organizations experienced account takeover attempts in 2025, and 67% experienced a successful account takeover; MFA was enabled in 59% of those successful cases. The success of phishing kits like Tycoon 2FA highlights the importance of implementing robust security measures to protect against identity-based threats.

    In conclusion, the operation to dismantle Tycoon 2FA marks a significant victory in the fight against phishing-as-a-service (PhaaS) tools. However, the rise of such platforms underscores the need for continuous vigilance and innovation in cybersecurity defenses.
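    The persistence mechanism described above, as an added illustration that is not code from the article, from Tycoon 2FA or from any vendor: a toy server-side session store (all names hypothetical) in which a session cookie captured by an AitM proxy outlives a password reset unless the reset also revokes the user's sessions, with client binding shown as a secondary check rather than a fix.

```python
import hashlib
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}       # session token -> {"user", "client"}
        self.password_hash = {}  # user -> sha256(password)

    def set_password(self, user, password):
        self.password_hash[user] = hashlib.sha256(password.encode()).hexdigest()

    def login(self, user, password, mfa_ok, client):
        """Issue a cookie once password and MFA both pass. 'client' is the fingerprint
        of whoever completed the flow; behind an AitM proxy that is the proxy."""
        expected = hashlib.sha256(password.encode()).hexdigest()
        if not mfa_ok or self.password_hash.get(user) != expected:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "client": client}
        return token

    def is_valid(self, token, client):
        """Cookie must be live AND presented by the client it was issued to; binding
        is defence in depth, catching replay from a machine the service never saw."""
        s = self.sessions.get(token)
        return s is not None and s["client"] == client

    def reset_password_weak(self, user, new_password):
        """Rotates the credential but leaves every session alive: the gap the article describes."""
        self.set_password(user, new_password)

    def reset_password(self, user, new_password):
        """Hardened reset: rotate the credential and revoke all of this user's sessions."""
        self.set_password(user, new_password)
        for token in [t for t, s in self.sessions.items() if s["user"] == user]:
            del self.sessions[token]


def stolen_cookie_still_works(revoke_on_reset):
    """Does a cookie captured in transit survive the victim's password reset?"""
    store = SessionStore()
    store.set_password("alice", "hunter2")  # constructed sample account
    # The proxy relays the real password and MFA code; the service issues the
    # cookie to the proxy's fingerprint and the proxy keeps a copy.
    stolen = store.login("alice", "hunter2", mfa_ok=True, client="proxy-fp")
    reset = store.reset_password if revoke_on_reset else store.reset_password_weak
    reset("alice", "new-pass")
    # Replayed from the same egress the service saw at login, so binding matches.
    return store.is_valid(stolen, client="proxy-fp")
```

    The weak reset leaves the captured cookie valid; the hardened reset rejects it, which is the "revoke active sessions and tokens" step the article calls out.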



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Global-Phishing-Menace-Unraveling-the-Rise-of-Tycoon-2FA-ehn.shtml
  • https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html
  • https://blogs.microsoft.com/on-the-issues/2026/03/04/how-a-global-coalition-disrupted-tycoon/


  • Published: Thu Mar 5 01:30:36 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.