Europol Dismantles Tycoon 2FA Phishing Service Linked to 64,000 Attacks
In a significant blow to cybercrime, Europol, in collaboration with various law enforcement agencies and cybersecurity firms, has successfully dismantled Tycoon 2FA, a notorious phishing-as-a-service (PhaaS) platform. This operation marks a pivotal moment in the ongoing battle against cyber threats targeting organizations worldwide.
The Rise and Fall of Tycoon 2FA
Tycoon 2FA emerged in August 2023 as a subscription-based phishing toolkit, quickly becoming one of the largest phishing operations globally. Europol described it as a platform that enabled thousands of cybercriminals to covertly access email and cloud-based service accounts. The service was sold via Telegram and Signal, with prices starting at $120 for 10-day access or $350 for a month-long subscription to a web-based administration panel.
The primary developer of Tycoon 2FA is alleged to be Saad Fridi, reportedly based in Pakistan. The platform’s administration panel served as a comprehensive hub for configuring, tracking, and refining phishing campaigns. It offered pre-built templates, attachment files for common lure formats, domain and hosting configurations, redirect logic, and victim tracking capabilities. Operators could customize the delivery of malicious content and monitor both valid and invalid sign-in attempts.
Captured information, including credentials, multi-factor authentication (MFA) codes, and session cookies, could be downloaded directly from the panel or forwarded to Telegram for near-real-time monitoring. This functionality allowed cybercriminals to execute adversary-in-the-middle (AitM) credential harvesting attacks at scale.
The Impact of Tycoon 2FA
The scale of Tycoon 2FA’s operations was staggering. Europol reported that the platform generated tens of millions of phishing emails each month, facilitating unauthorized access to nearly 100,000 organizations globally. These included schools, hospitals, and public institutions, highlighting the indiscriminate nature of the attacks.
As part of the coordinated effort to dismantle Tycoon 2FA, 330 domains forming the backbone of the criminal service, including phishing pages and control panels, were taken down. This action significantly disrupted the infrastructure supporting the phishing operations.
Intel 471 characterized Tycoon 2FA as dangerous, linking the kit to over 64,000 phishing incidents and tens of thousands of domains. The platform’s prolific nature was further underscored by Microsoft’s tracking, which identified the operators under the name Storm-1747. In 2025, Tycoon 2FA became the most prolific platform observed by Microsoft, prompting the company to block more than 13 million malicious emails linked to the service in October 2025 alone.
Overall, Tycoon 2FA accounted for approximately 62% of all phishing attempts blocked by Microsoft as of mid-2025, including more than 30 million emails in a single month. The service has been linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.
Geographic Distribution of Victims
Geographic analysis of victim log data by SpyCloud revealed that the United States had the largest concentration of identified victims, totaling 179,264. This was followed by the United Kingdom (16,901), Canada (15,272), India (7,832), and France (6,823). The overwhelming majority of targeted accounts were enterprise-managed or associated with paid domains, reinforcing the conclusion that Tycoon 2FA primarily targeted business environments rather than individual consumer accounts.
The Mechanics of Tycoon 2FA
Tycoon 2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. The phishing page sat between the victim and the real service as an adversary-in-the-middle: the credentials and MFA codes the victim typed were relayed through Tycoon 2FA’s proxy servers to the legitimate sign-in endpoint, and the session cookie the service issued in return was captured. Because that cookie represents an already-authenticated session, an attacker who replayed it could keep accessing the account and its data even after the password was reset, unless active sessions and tokens were explicitly revoked.
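The relay-and-capture flow above, and the reason a password reset alone does not evict the attacker, as an added illustration that is not code from Tycoon 2FA or any vendor. It models a toy identity provider, an AitM relay that forwards the victim's password and one-time code to it, and the session cookie the relay keeps; the user, secrets, class names and the `session_version` mechanism are assumptions made for the example.

```python
"""Added illustration, not code from Tycoon 2FA or any vendor: a toy identity
provider, an adversary-in-the-middle (AitM) relay that forwards the victim's
password and one-time code to it, and the session cookie the relay keeps.
Users, secrets and the session_version scheme are constructed for the example."""

import hashlib
import hmac
import secrets


class IdentityProvider:
    """Minimal IdP: password plus a one-time code, cookie-based sessions."""

    def __init__(self):
        self.users = {}     # user -> {"pw_hash", "otp_secret", "session_version"}
        self.sessions = {}  # cookie -> {"user", "version"}

    def register(self, user, password, otp_secret):
        self.users[user] = {
            "pw_hash": hashlib.sha256(password.encode()).hexdigest(),
            "otp_secret": otp_secret,
            "session_version": 0,
        }

    def current_otp(self, user):
        # Deterministic stand-in for a TOTP code (real TOTP mixes in a time window).
        digest = hmac.new(self.users[user]["otp_secret"], b"window", "sha256").hexdigest()
        return digest[:6]

    def login(self, user, password, otp):
        """Return a session cookie when password and one-time code are both right."""
        rec = self.users.get(user)
        if rec is None:
            return None
        pw_hash = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(pw_hash, rec["pw_hash"]):
            return None
        if not hmac.compare_digest(otp, self.current_otp(user)):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "version": rec["session_version"]}
        return cookie

    def is_valid(self, cookie):
        """A cookie is valid only while its version matches the user's current one."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return False
        return sess["version"] == self.users[sess["user"]]["session_version"]

    def reset_password(self, user, new_password, revoke_sessions):
        """Weak setting: revoke_sessions=False leaves every issued cookie valid.
        Corrected setting: bumping session_version invalidates all of them."""
        self.users[user]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
        if revoke_sessions:
            self.users[user]["session_version"] += 1


class AitMRelay:
    """Lookalike sign-in page that proxies the real login and keeps what passes through."""

    def __init__(self, idp):
        self.idp = idp
        self.captured = []  # what a PhaaS panel would forward to the operator

    def victim_submits(self, user, password, otp):
        cookie = self.idp.login(user, password, otp)  # relayed to the real service
        self.captured.append({"user": user, "password": password, "otp": otp, "cookie": cookie})
        return cookie  # the victim is signed in too, so nothing looks wrong


def run_scenario(revoke_sessions):
    """Victim signs in through the relay, then the password is reset.
    Returns whether the stolen cookie still works at each stage."""
    idp = IdentityProvider()
    user = "victim@example.com"                      # constructed
    idp.register(user, "Winter2025!", b"constructed-otp-seed")
    relay = AitMRelay(idp)

    # Victim types the password and the current code into the lookalike page.
    stolen = relay.victim_submits(user, "Winter2025!", idp.current_otp(user))
    before_reset = idp.is_valid(stolen)

    # Helpdesk resets the password after the phishing report.
    idp.reset_password(user, "NewPassw0rd!", revoke_sessions)
    after_reset = idp.is_valid(stolen)

    # Replaying the captured password fails after the reset (in reality the
    # captured OTP would also have expired); the foothold is the cookie.
    relogin = idp.login(user, "Winter2025!", relay.captured[0]["otp"])
    return {"before_reset": before_reset, "after_reset": after_reset,
            "relogin_with_stolen_creds": relogin is not None}


if __name__ == "__main__":
    print("no revocation:  ", run_scenario(revoke_sessions=False))
    print("with revocation:", run_scenario(revoke_sessions=True))
```

With `revoke_sessions=False` the stolen cookie is still accepted after the reset, which is exactly the post-reset persistence the article describes; with `revoke_sessions=True` the version bump kills every outstanding session. Production identity providers expose the same control as a "revoke all sessions / refresh tokens" action, and it belongs in every AitM incident playbook next to the password reset.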
The kit employed various techniques to evade detection, including keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages. It also used a broad mix of top-level domains (TLDs) and short-lived fully qualified domain names (FQDNs), fronted by Cloudflare, to host the phishing pages. These FQDNs often lived only 24 to 72 hours; the rapid turnover complicated detection and meant static blocklists were out of date almost as soon as they were built.
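Because the hosting domains rotate too fast for a blocklist, a practical detection looks instead at what the kit cannot change: the sign-in page has to carry the impersonated brand's name on a domain the brand does not own, and the host is usually one the organization has never seen before. The following is an added example, not from the page or from any vendor tool, that applies that logic to web-proxy log lines. The log format, hosts, users, timestamps, the baseline of previously seen hosts and the brand/domain tables are all constructed for the example.

```python
"""Added example, not from the page or any vendor tool: scan web-proxy log
lines for sign-in traffic to brand-lookalike hosts outside the brands' real
domains, and mark which hosts the organization has never seen before.
Log format, hosts, users, timestamps and baseline are constructed."""

import re

# Brands the article says the kit impersonated, and domains they really use
# (assumed allow-list for the example; extend it from your own tenant's traffic).
BRAND_TOKENS = ("microsoft", "office", "onedrive", "outlook", "sharepoint", "gmail", "google")
CANONICAL = {"microsoftonline.com", "microsoft.com", "office.com", "live.com",
             "sharepoint.com", "google.com", "gmail.com"}
LOGIN_PATH = re.compile(r"login|signin|auth|verify|sso|password", re.I)

# Constructed proxy log: "<timestamp> <user> <host> <path>"
SAMPLE_LOG = """\
2025-10-02T08:01:10Z alice login.microsoftonline.com /common/oauth2/authorize
2025-10-02T08:03:22Z bob mail.google.com /mail/u/0/
2025-10-03T09:14:05Z carol sharepoint-docs-secure.xyz /login.php
2025-10-03T09:14:06Z carol sharepoint-docs-secure.xyz /verify.php
2025-10-04T10:02:45Z dave login.microsoftonline.com.secure-verify.top /common/oauth2/authorize
2025-10-04T10:05:12Z frank docs.example.org /share/report.pdf
2025-10-06T11:30:00Z erin login.microsoftonline.com /common/oauth2/authorize
"""

# Constructed baseline: hosts present in earlier proxy history.
BASELINE_HOSTS = {"login.microsoftonline.com", "mail.google.com", "docs.example.org"}


def registrable_domain(host):
    # Simplification: last two labels. A real detector should use the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(host.split(".")[-2:])


def detect_lookalike_logins(log_text, baseline_hosts):
    """Return {(user, host): details} for brand-lookalike hosts.

    A host qualifies when it contains a brand token but its registrable
    domain is not one the brand uses; "login.microsoftonline.com" appearing
    as a subdomain of an attacker-controlled domain is the classic case."""
    alerts = {}
    for line in log_text.splitlines():
        ts, user, host, path = line.split()
        host = host.lower()
        if registrable_domain(host) in CANONICAL:
            continue
        if not any(token in host for token in BRAND_TOKENS):
            continue
        entry = alerts.setdefault((user, host), {
            "first_seen": ts,
            "newly_observed": host not in baseline_hosts,  # short-lived FQDNs land here
            "login_like": False,
            "paths": [],
        })
        entry["paths"].append(path)
        if LOGIN_PATH.search(path):
            entry["login_like"] = True
    return alerts


if __name__ == "__main__":
    for (user, host), info in detect_lookalike_logins(SAMPLE_LOG, BASELINE_HOSTS).items():
        flag = "HIGH" if info["login_like"] and info["newly_observed"] else "MEDIUM"
        print(f"{flag} {user} -> {host} first seen {info['first_seen']} paths={info['paths']}")
```

On the constructed log this flags carol's visit to `sharepoint-docs-secure.xyz` and dave's to `login.microsoftonline.com.secure-verify.top`, while the genuine Microsoft and Google sign-ins pass untouched. Each alert names the user, so the response (password reset plus session revocation, as discussed above) can start before the domain has even been reported to a blocklist, which is the point when the FQDN will likely be gone within a day or two anyway.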
The Aftermath and Ongoing Vigilance
The dismantling of Tycoon 2FA represents a significant victory in the fight against cybercrime. However, it also serves as a reminder of the evolving nature of cyber threats and the need for continuous vigilance. Phishing kits like Tycoon 2FA are designed to be accessible to less technically savvy actors while still offering advanced capabilities for more experienced operators. This flexibility contributes to their widespread use and the substantial impact they can have on organizations worldwide.
In 2025, 99% of organizations experienced account takeover attempts, and 67% experienced a successful account takeover. Of these, 59% of the taken-over accounts had MFA enabled. While not all of these attacks were related to Tycoon 2FA, this statistic underscores the impact of adversary-in-the-middle phishing on enterprises.
Organizations must remain proactive in their cybersecurity efforts, implementing robust security measures, educating employees about phishing threats, and staying informed about the latest developments in cybercrime tactics. The dismantling of Tycoon 2FA is a step forward, but the battle against cyber threats continues.