In a significant crackdown on cybercrime, Europol has successfully dismantled a notorious phishing-as-a-service (PhaaS) operation known as Tycoon 2FA. This platform, which facilitated large-scale adversary-in-the-middle (AitM) credential harvesting attacks, was operated as a subscription service. Active since August 2023, Tycoon 2FA was among the largest global phishing operations, with prices starting at $120 for ten days or $350 for a month of access to its web administration panel.
The Mechanics of Tycoon 2FA
The Tycoon 2FA platform provided cybercriminals with a web-based administration panel that allowed for the configuration, tracking, and optimization of phishing campaigns. This included pre-built templates, domain configurations, and victim tracking capabilities. Users could manage how malicious content was delivered and monitor sign-in attempts. The stolen credentials, multi-factor authentication (MFA) codes, and session cookies were accessible for download directly from the panel or could be forwarded to Telegram for real-time updates.
Europol highlighted the extensive reach of the platform, which enabled unauthorized access to nearly 100,000 organizations worldwide, including educational institutions, healthcare facilities, and public entities. The operation’s shutdown involved taking down 330 domains integral to the phishing infrastructure.
Impact and Scale of the Attack
Intel 471 characterized Tycoon 2FA as a dangerous tool responsible for over 64,000 phishing incidents. Microsoft, tracking the group under the name Storm-1747, reported that Tycoon 2FA was the most prolific phishing platform observed in 2025, with over 13 million malicious emails blocked. Proofpoint data further revealed that Tycoon 2FA was linked to the highest volume of AitM phishing threats, with over three million associated messages detected in February 2026 alone.
Targeting a broad range of sectors, including finance, healthcare, and government, the phishing emails reached over 500,000 organizations monthly. Because the platform proxied real sign-in pages for services such as Microsoft 365 and Gmail, it captured not only passwords and MFA codes but also the resulting session cookies, which let threat actors establish persistence and access sensitive information even after the victim changed their password.
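The persistence described above relies on replaying a session cookie that was issued after the victim completed MFA, so the cookie stays valid until it is revoked. The following added example (written for this page; it is not code from the article, Europol, or any of the vendors named) shows the defender-side check: over a constructed set of sign-in and activity events, it flags any session that is used from a different network or device than the one where MFA was satisfied, and it lists the sessions that should be revoked when a user's password is reset. The event fields, IP addresses and user agents are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article or any real tenant).
# "mfa" marks the sign-in that completed multi-factor authentication and
# issued the session; later events reuse the session id without re-auth.
EVENTS = [
    {"ts": "2026-02-03T09:00:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Edge/Windows", "mfa": True},
    # Same session id seconds later from another network and browser:
    # the pattern left by a replayed cookie.
    {"ts": "2026-02-03T09:00:20", "user": "alice", "session": "S1",
     "ip": "198.51.100.77", "ua": "Chrome/Linux", "mfa": False},
    {"ts": "2026-02-03T09:05:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.22", "ua": "Edge/Windows", "mfa": True},
    # Benign: same session, same device and network an hour later.
    {"ts": "2026-02-03T10:05:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.22", "ua": "Edge/Windows", "mfa": False},
]


def find_replayed_sessions(events, window=timedelta(hours=8)):
    """Return alerts for sessions used from a different IP or user agent
    than the sign-in that satisfied MFA, within `window` of that sign-in.

    A legitimate user rarely moves network and browser at once while
    keeping the same session; a stolen cookie replayed from attacker
    infrastructure does exactly that.
    """
    origin = {}   # session id -> (timestamp, ip, ua) of the MFA sign-in
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        sid = e["session"]
        if e["mfa"]:
            origin[sid] = (ts, e["ip"], e["ua"])
            continue
        if sid not in origin:
            continue  # no MFA sign-in seen for this session; out of scope here
        o_ts, o_ip, o_ua = origin[sid]
        moved_network = e["ip"] != o_ip
        moved_device = e["ua"] != o_ua
        if (moved_network or moved_device) and ts - o_ts <= window:
            alerts.append({
                "user": e["user"],
                "session": sid,
                "mfa_origin": (o_ip, o_ua),
                "reused_from": (e["ip"], e["ua"]),
                "seconds_after_mfa": int((ts - o_ts).total_seconds()),
            })
    return alerts


def sessions_to_revoke(events, user):
    """Every session id issued to `user`: a password reset alone does not
    invalidate them, so each must be revoked explicitly."""
    return {e["session"] for e in events if e["user"] == user}


if __name__ == "__main__":
    for a in find_replayed_sessions(EVENTS):
        print("ALERT", a)
    print("revoke for alice:", sessions_to_revoke(EVENTS, "alice"))
```

On the constructed events this flags alice's session S1 (MFA satisfied from 203.0.113.10 on Edge, then reused 20 seconds later from 198.51.100.77 on Chrome) and leaves bob's session alone. In a real deployment the same logic would run over the identity provider's sign-in and non-interactive token logs, and the response to an alert is to revoke the user's sessions and refresh tokens rather than only resetting the password.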
Advanced Techniques and Strategies
Tycoon 2FA employed sophisticated techniques such as keystroke monitoring and browser fingerprinting to avoid detection. The platform used a variety of top-level domains and short-lived domain names to host its infrastructure, complicating efforts to block phishing attempts. A technique known as ATO Jumping was also leveraged, where compromised email accounts were used to distribute phishing URLs, increasing the chances of successful account takeovers.
Phishing kits like Tycoon are designed to be user-friendly yet offer advanced features, appealing to both novice and experienced cybercriminals. According to Selena Larson, a threat researcher at Proofpoint, 99% of organizations faced account takeover attempts in 2025, with 67% experiencing successful breaches. These attacks, often linked to AitM phishing, can lead to severe consequences, including ransomware attacks and data breaches.
The dismantling of Tycoon 2FA marks a critical step in combating cybercrime, highlighting the importance of collaborative efforts between law enforcement and cybersecurity firms to protect organizations from evolving threats.
