
Coordinated Global Operation Disrupts Tycoon 2FA Phishing Platform

Europol and private-sector partners recently dismantled the infrastructure of Tycoon 2FA, a prominent phishing-as-a-service platform. This operation neutralizes a major source of adversary-in-the-middle (AitM) campaigns and reinforces the critical need for organizations to adopt phishing-resistant authentication methods.

Triage Security Media Team
2 min read

Europol, alongside private-sector partners including Microsoft, Trend Micro, and Cloudflare, has successfully disrupted the infrastructure of Tycoon 2FA, a widely distributed phishing-as-a-service (PhaaS) platform.

In coordination with Europol’s Cyber Intelligence Extension Programme (CIEP), Microsoft seized 330 domains that supported the platform’s control panels and credential-harvesting pages. Concurrently, law enforcement agencies secured physical infrastructure and conducted operational measures across Latvia, Lithuania, Portugal, Poland, Spain, and the UK.

The scale of Tycoon 2FA operations

Since its initial observation in 2023, Tycoon 2FA grew to support a massive volume of unauthorized access attempts. According to Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, the platform accounted for approximately 62 percent of all phishing attempts blocked by Microsoft by mid-2025, reaching over 30 million emails in a single month.

Data indicates the platform impacted an estimated 96,000 distinct entities since its inception, including tens of thousands of corporate environments.

Mechanism of action: Adversary-in-the-middle

Tycoon 2FA's primary technical differentiator was its adversary-in-the-middle (AitM) architecture. Rather than presenting static, fake landing pages, the platform acted as a reverse proxy in front of the legitimate Microsoft 365 or Google sign-in pages, relaying each request and response to targeted users in real time.

When a user typed their password and a traditional multifactor authentication (MFA) code, or approved a push prompt, on the phishing page, the proxy relayed them to the legitimate service, which completed the login normally. The session cookies the service then set passed back through the proxy, where the platform captured them. Threat actors could import those cookies into their own browsers and inherit the fully authenticated session, so SMS codes, authenticator apps, and push notifications offered no protection: the second factor was satisfied, just not by the attacker.

Cloudflare researchers noted that unauthorized parties frequently used these hijacked sessions to monitor internal communications and enable business email compromise (BEC) campaigns. Once authenticated, actors could embed themselves in financial workflows, allowing them to issue fraudulent invoices or redirect payments from trusted, internal accounts.

Evasion techniques and accessibility

Distributed primarily via Telegram for a nominal fee of approximately $120, the service lowered the technical barrier to entry for threat actors. Proofpoint staff threat researcher Selena Larson observed that the platform maintained its popularity through ease of use and consistent updates to its codebase.

To obscure its infrastructure from security researchers and automated scanning tools, Tycoon 2FA incorporated anti-analysis mechanisms, heavy traffic filtering, and CAPTCHAs. These features required defenders to continuously update detection tooling to identify newly provisioned campaigns.

Strengthening defenses with phishing-resistant MFA

The operational success of Tycoon 2FA demonstrates the limitation of MFA methods that are not bound to the site the user is actually on, such as one-time codes and push approvals, against AitM methodologies: anything the user can be induced to relay, the proxy can relay too. The security community strongly recommends that organizations transition to phishing-resistant authentication frameworks to protect their identities.

Implementing FIDO2-based hardware security keys or passkeys, combined with strict conditional access policies, provides structural protection against this kind of proxying. With WebAuthn the browser records the origin it is actually connected to in the data the authenticator signs, and the credential is scoped to the legitimate relying-party domain, so a sign-in attempted through a look-alike proxy domain is rejected by the real service and no session is ever issued for the proxy to capture. This protects the sign-in itself; it does nothing for a session cookie that was already stolen, which is why controls on the resulting session still matter.
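The two behaviours described above, the proxy relaying a one-time code and walking away with the resulting session, and an origin-bound WebAuthn assertion failing whenever the page the user is on is not the real site, in one runnable Python illustration. This is an added example written for this article, not Tycoon 2FA code or any vendor's implementation. The origins, RP ID, challenge values and session names are constructed; the TOTP half follows RFC 6238 as written; the authenticator's signature is stood in for by an HMAC over the same bytes a real FIDO2 authenticator would sign, using a per-credential secret that the verifier also holds (a real authenticator signs with a private key and the server holds only the public half, but the checks the server performs are identical).

```python
from __future__ import annotations

import hashlib
import hmac
import json
import struct

# Assumed values for the illustration (not real Tycoon 2FA or Microsoft ones).
REAL_ORIGIN = "https://login.example.com"             # the legitimate identity provider
RP_ID = "login.example.com"                           # WebAuthn relying-party ID
PHISH_ORIGIN = "https://login.example.com.evil.test"  # the AitM proxy's look-alike domain


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityProvider:
    """The legitimate service; the session cookie it issues is what the proxy is after."""

    def __init__(self) -> None:
        self.totp_secret = b"12345678901234567890"                 # RFC 6238 test-vector seed
        self.cred_key = b"stand-in for the passkey's private key"  # HMAC key, see lead-in
        self.issued = 0

    def _issue_session(self) -> tuple[str, str]:
        self.issued += 1
        return "ok", f"session-{self.issued}"

    def login_totp(self, code: str, unix_time: int) -> tuple[str, str | None]:
        if hmac.compare_digest(code, totp(self.totp_secret, unix_time)):
            return self._issue_session()
        return "bad_code", None

    def login_webauthn(self, challenge: bytes, assertion: dict) -> tuple[str, str | None]:
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data["origin"] != REAL_ORIGIN:      # written by the browser, not the user
            return "bad_origin", None
        if client_data["challenge"] != challenge.hex():
            return "bad_challenge", None
        auth_data = bytes.fromhex(assertion["authenticatorData"])
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():   # rpIdHash
            return "bad_rp_id", None
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(self.cred_key, signed, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "bad_signature", None
        return self._issue_session()


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes, cred_key: bytes) -> dict | None:
    """Victim's browser + authenticator, acting on the page the victim is actually on."""
    host = origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        return None   # browser refuses: rp_id must be a registrable suffix of the origin
    client_data_json = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"  # rpIdHash|flags|counter
    to_sign = auth_data + hashlib.sha256(client_data_json.encode()).digest()
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data.hex(),
            "signature": hmac.new(cred_key, to_sign, hashlib.sha256).hexdigest()}


def aitm_relay_totp(idp: IdentityProvider, unix_time: int) -> tuple[str, str | None]:
    """Victim types the code on the phishing page; the proxy forwards it unchanged,
    and the cookie in the response lands in the proxy, not in the victim's browser."""
    code_typed_on_phish_page = totp(idp.totp_secret, unix_time)
    return idp.login_totp(code_typed_on_phish_page, unix_time)


def legit_webauthn_login(idp: IdentityProvider, challenge: bytes = b"ch-1") -> tuple[str, str | None]:
    return idp.login_webauthn(challenge, browser_get_assertion(REAL_ORIGIN, RP_ID, challenge, idp.cred_key))


def aitm_relay_webauthn(idp: IdentityProvider, challenge: bytes = b"ch-2") -> dict:
    """Same proxy, serving the real challenge from PHISH_ORIGIN. Every move fails."""
    out = {}
    # 1) Page asks for the real RP ID: the browser will not run the ceremony at all.
    out["browser_refuses"] = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, idp.cred_key)
    # 2) Page asks for its own host as RP ID (generously assuming a credential exists for it).
    phish_host = PHISH_ORIGIN.split("://", 1)[1]
    a = browser_get_assertion(PHISH_ORIGIN, phish_host, challenge, idp.cred_key)
    out["forwarded_as_is"] = idp.login_webauthn(challenge, a)[0]
    # 3) Proxy rewrites the origin field before forwarding.
    t = dict(a, clientDataJSON=a["clientDataJSON"].replace(PHISH_ORIGIN, REAL_ORIGIN))
    out["origin_rewritten"] = idp.login_webauthn(challenge, t)[0]
    # 4) Proxy also patches rpIdHash; only the signature is left, and it covers both fields.
    t["authenticatorData"] = (hashlib.sha256(RP_ID.encode()).digest()
                              + bytes.fromhex(a["authenticatorData"])[32:]).hex()
    out["fully_rewritten"] = idp.login_webauthn(challenge, t)[0]
    return out
```

Running `aitm_relay_totp` hands the proxy a valid session, while `aitm_relay_webauthn` is refused at every step: the browser will not even produce an assertion for the real RP ID on the proxy's origin, and once the proxy starts editing fields, the origin and rpIdHash checks fail and the signature, which covers both, cannot be regenerated without the credential's key.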

While the recent takedown significantly degrades the platform's capabilities, Trend Micro researchers caution that threat actors often migrate to new infrastructure, and previously harvested session cookies may remain active. In response, organizations should revoke suspicious active sessions, continuously monitor authentication logs, and prioritize the deployment of phishing-resistant MFA to safeguard their environments against future iterations of this methodology.
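One concrete shape the log monitoring recommended above can take, as an added example that is not part of the article or any vendor's tooling: a session token that completed MFA from one address and browser, then shows up from another, is exactly what an AitM proxy produces, so the check below keys on that. The sign-in records are constructed, in a simplified Entra-like shape rather than any real export format, and the field names (`sessionId`, `ua`, `mfa`) are assumptions. Note that in a genuine AitM case the interactive sign-in itself often originates from the proxy's address, so the replay address is not necessarily the only foreign one.

```python
from __future__ import annotations

import json
from datetime import datetime

# Constructed sign-in records (not real log output); one JSON object per line.
SAMPLE_SIGNIN_LOG = """
{"time":"2025-11-03T08:01:10Z","user":"a.lee@example.com","ip":"203.0.113.7","sessionId":"s-1001","interactive":true,"mfa":"satisfied","ua":"Chrome/130 Windows"}
{"time":"2025-11-03T08:04:52Z","user":"a.lee@example.com","ip":"198.51.100.23","sessionId":"s-1001","interactive":false,"mfa":"not_required","ua":"Firefox/115 Linux"}
{"time":"2025-11-03T09:15:00Z","user":"b.ortiz@example.com","ip":"203.0.113.42","sessionId":"s-2002","interactive":true,"mfa":"satisfied","ua":"Chrome/130 macOS"}
{"time":"2025-11-03T12:40:13Z","user":"b.ortiz@example.com","ip":"203.0.113.42","sessionId":"s-2002","interactive":false,"mfa":"not_required","ua":"Chrome/130 macOS"}
{"time":"2025-11-03T13:02:00Z","user":"c.diaz@example.com","ip":"192.0.2.9","sessionId":"s-3003","interactive":true,"mfa":"satisfied","ua":"Safari/17 iOS"}
{"time":"2025-11-05T07:30:00Z","user":"c.diaz@example.com","ip":"192.0.2.77","sessionId":"s-3003","interactive":false,"mfa":"not_required","ua":"Safari/17 iOS"}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse JSON-lines records and sort by time so the first use of a session comes first."""
    rows = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    return sorted(rows, key=lambda r: r["ts"])


def detect_session_replay(rows: list[dict]) -> list[dict]:
    """Flag a session used from a different IP and/or browser than the one that first
    established it. A changed IP alone is medium (mobile clients roam); IP and user
    agent both changing on a non-interactive use is the classic stolen-cookie pattern."""
    first_use: dict[str, dict] = {}
    alerts = []
    for r in rows:
        origin = first_use.setdefault(r["sessionId"], r)
        if r is origin:
            continue
        ip_changed = r["ip"] != origin["ip"]
        ua_changed = r["ua"] != origin["ua"]
        if not ip_changed and not ua_changed:
            continue
        alerts.append({
            "user": r["user"], "sessionId": r["sessionId"],
            "issued_from": origin["ip"], "mfa_at_issue": origin["mfa"],
            "replayed_from": r["ip"],
            "minutes_after_issue": int((r["ts"] - origin["ts"]).total_seconds() // 60),
            "severity": "high" if ip_changed and ua_changed else "medium",
        })
    return alerts


def users_to_revoke(alerts: list[dict], min_severity: str = "high") -> list[str]:
    """Accounts whose active sessions should be revoked at or above the given severity."""
    rank = {"medium": 1, "high": 2}
    return sorted({a["user"] for a in alerts if rank[a["severity"]] >= rank[min_severity]})


if __name__ == "__main__":
    found = detect_session_replay(parse_signins(SAMPLE_SIGNIN_LOG))
    for a in found:
        print(a)
    print("revoke:", users_to_revoke(found))
```

On the sample data this raises a high-severity alert for the first user (token reused three minutes after MFA from a different address and browser) and a medium one for the third (same browser, new address two days later), which is the kind of triage split that lets revocation run automatically for the obvious case while a human looks at the ambiguous one.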