The Tycoon 2FA phishing-as-a-service platform has continued its operations despite an international crackdown, as reported by cybersecurity firm CrowdStrike. This subscription-based service, active since 2023, enables attackers to execute phishing schemes, bypass multi-factor authentication (MFA), and breach accounts without triggering alerts.
Impact of Tycoon 2FA on Global Cybersecurity
Tycoon 2FA has been linked to a significant portion of phishing attempts intercepted by Microsoft, accounting for 62% of such activities in 2025. The platform generates over 30 million malicious emails monthly, targeting around half a million organizations globally, and has been associated with approximately 96,000 distinct phishing victims worldwide.
International Efforts to Disrupt Tycoon 2FA
In early March, Europol and Microsoft announced the seizure of 330 active domains linked to Tycoon 2FA. This law enforcement operation involved agencies from six countries and a dozen private companies, aiming to dismantle the platform’s operations. Despite these efforts, CrowdStrike reports that the disruption only temporarily affected Tycoon 2FA, with operations quickly returning to pre-takedown levels.
Persistent Threat of Tycoon 2FA
Following the operation, Tycoon 2FA’s activity dropped to about 25% but soon rebounded. CrowdStrike observed that the platform’s tactics, techniques, and procedures (TTPs) remained unchanged, suggesting resilience against the disruption. These TTPs include phishing emails leading to malicious CAPTCHA pages, session cookie theft, and the exploitation of stolen credentials to access cloud environments.
In March, Tycoon 2FA was involved in business email compromise (BEC) phishing, email thread hijacking, and cloud account takeover attacks. Despite some failures due to suspended phishing pages, new IP addresses and phishing domains have been identified, demonstrating the platform’s adaptability.
Future Implications for Cybersecurity
While Tycoon 2FA swiftly recovered post-takedown, the efforts by Europol and private partners may still yield positive outcomes, albeit temporarily. The disruption likely hindered ongoing phishing operations and damaged Tycoon 2FA’s reputation within the eCrime sector. The continued monitoring and intervention could help mitigate the threat this platform poses to global cybersecurity.
