- Law enforcement dismantled Tycoon 2FA, a major Phishing-as-a-Service platform used in tens of thousands of credential theft attacks.
- The kit enabled threat actors to steal passwords, bypass multi-factor authentication (MFA), and hijack active sessions from over 500,000 organizations globally.
- Coordinated action by Europol and private partners seized 330 domains central to the service’s infrastructure.
- The platform was subscription-based, generating millions of malicious emails monthly and facilitating unauthorized access to nearly 100,000 organizations.
A major criminal phishing service responsible for widespread cyberattacks against schools, hospitals, and governments has been dismantled in a landmark international operation. Tycoon 2FA, a prolific Phishing-as-a-Service (PhaaS) toolkit, was taken down by a coalition of law enforcement agencies and security companies, according to Europol.
The subscription-based platform, which first emerged in August 2023, allowed cybercriminals to stage sophisticated adversary-in-the-middle (AiTM) attacks. It became the most prolific platform observed by Microsoft in 2025; Microsoft blocked over 13 million malicious emails linked to the service.
Tycoon 2FA’s administrators offered the kit for a starting price of $120 for 10 days, providing a web-based panel to manage campaigns. Data shows the service had approximately 2,000 users who targeted nearly 100,000 organizations globally. The platform generated tens of millions of phishing emails each month, indiscriminately targeting the education, healthcare, and finance sectors.
The kit was particularly dangerous because it specialized in bypassing multi-factor authentication (MFA) by intercepting session cookies and one-time codes. Microsoft said it allowed threat actors to “establish persistence and to access sensitive information even after passwords are reset.” Proofpoint data indicates the kit accounted for the highest volume of AiTM phishing threats, with over three million associated messages observed in February 2026 alone.
As part of the coordinated takedown, authorities seized 330 domains that formed the backbone of the criminal service. Intel 471 noted the kit was linked to over 64,000 phishing incidents. The operation disrupts a key tool that enabled thousands of criminals to covertly access email and cloud service accounts on an industrial scale.
