Major international operation takes down Tycoon 2FA, a sophisticated phishing platform that enabled mass credential theft and account takeovers across 100,000 organizations worldwide.
Law enforcement agencies and cybersecurity firms have dismantled Tycoon 2FA, a sophisticated phishing-as-a-service (PhaaS) platform that enabled cybercriminals to conduct mass adversary-in-the-middle (AiTM) attacks at scale. The operation, led by Europol, resulted in the takedown of 330 domains that formed the backbone of the criminal service, which had been linked to over 64,000 phishing incidents and tens of millions of malicious emails sent monthly.
Tycoon 2FA first emerged in August 2023 as a subscription-based phishing kit, offering access for as little as $120 for 10 days or $350 per month for a web-based administration panel. The platform provided cybercriminals with pre-built templates, attachment files, domain configuration, and victim tracking capabilities, making sophisticated phishing attacks accessible to less technically savvy actors while offering advanced features for experienced operators.
According to Europol, the platform enabled thousands of cybercriminals to covertly access email and cloud-based service accounts, generating tens of millions of phishing emails each month and facilitating unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions. Microsoft, which tracks the operators under the name Storm-1747, reported blocking more than 13 million malicious emails linked to the service in 2025 alone.
How Tycoon 2FA Worked
The phishing kit specialized in AiTM attacks, intercepting session cookies during the authentication process to bypass multi-factor authentication (MFA). This technique allowed threat actors to establish persistence and access sensitive information even after passwords were reset, unless active sessions and tokens were explicitly revoked.
The platform employed sophisticated evasion techniques including keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages. It also used a rapid turnover of short-lived domains hosted on Cloudflare, with fully qualified domain names lasting only 24 to 72 hours to complicate detection and prevent building reliable blocklists.
Tycoon 2FA's success stemmed from its ability to closely mimic legitimate authentication processes, stealthily intercepting user credentials and session tokens. The kit impersonated trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail, making the phishing attempts highly convincing to victims.
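As an added example (not code from the article or from any of the vendors it cites), the following Python scan looks for the condition described above: sessions issued before a user's password reset that are still being used afterwards, which is what an AiTM-stolen cookie looks like when sessions were never revoked. The audit-event format and field names are assumptions, and the events are constructed.

```python
"""Flag sessions that survived a password reset (added example, constructed data)."""
from datetime import datetime

# Constructed sample audit events; the format is hypothetical, not a product log.
EVENTS = [
    {"ts": "2026-03-01T08:00:00", "user": "alice", "type": "session_issued", "sid": "s-101", "ip": "198.51.100.7"},
    {"ts": "2026-03-01T08:05:00", "user": "alice", "type": "session_issued", "sid": "s-102", "ip": "203.0.113.9"},
    {"ts": "2026-03-01T09:30:00", "user": "alice", "type": "password_reset"},
    {"ts": "2026-03-01T09:31:00", "user": "alice", "type": "session_issued", "sid": "s-103", "ip": "198.51.100.7"},
    {"ts": "2026-03-01T10:15:00", "user": "alice", "type": "session_used", "sid": "s-102", "ip": "203.0.113.9"},
    {"ts": "2026-03-01T10:20:00", "user": "alice", "type": "session_used", "sid": "s-103", "ip": "198.51.100.7"},
    {"ts": "2026-03-01T11:00:00", "user": "bob", "type": "session_used", "sid": "s-200", "ip": "192.0.2.4"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def surviving_sessions(events):
    """Return {user: {sid: first post-reset use}} for sessions that were issued
    before the user's most recent password reset and used after it.

    A reset that does not revoke existing sessions leaves a replayed cookie
    working; every hit here is a session that should be revoked and reviewed."""
    issued, reset = {}, {}
    ordered = sorted(events, key=lambda e: e["ts"])
    for ev in ordered:  # first pass: when each session was minted, when each user reset
        if ev["type"] == "session_issued":
            issued[ev["sid"]] = (ev["user"], _t(ev["ts"]))
        elif ev["type"] == "password_reset":
            reset[ev["user"]] = _t(ev["ts"])
    findings = {}
    for ev in ordered:  # second pass: uses that straddle the reset
        if ev["type"] != "session_used" or ev["sid"] not in issued:
            continue  # unknown session ids are out of scope for this check
        user, t_issued = issued[ev["sid"]]
        t_reset = reset.get(user)
        if t_reset and t_issued < t_reset < _t(ev["ts"]):
            findings.setdefault(user, {}).setdefault(ev["sid"], ev["ts"])
    return findings


if __name__ == "__main__":
    for user, sids in surviving_sessions(EVENTS).items():
        for sid, ts in sids.items():
            print(f"revoke {sid} for {user}: still used at {ts} after password reset")
```

Session s-103 is not flagged because it was issued after the reset; only the pre-reset session s-102, still active an hour later, is reported.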
ATO Jumping and Campaign Scale
A particularly concerning technique employed by Tycoon 2FA customers was "ATO Jumping," where compromised email accounts were used to distribute Tycoon 2FA URLs and attempt further account takeover activities. This approach made phishing emails appear to come authentically from a victim's trusted contacts, significantly increasing the likelihood of successful compromise.
The platform's reach was extensive, with phishing emails sent from the kit reaching over 500,000 organizations each month worldwide. Data from Proofpoint showed that Tycoon 2FA accounted for the highest volume of AiTM phishing threats, with over three million messages associated with the phishing kit observed in February 2026 alone.
Industry Response and Impact
Trend Micro, one of the private sector partners in the operation, noted that the PhaaS platform had approximately 2,000 users. The campaigns leveraging Tycoon 2FA indiscriminately targeted almost all sectors, including education, healthcare, finance, non-profit, and government organizations.
Microsoft characterized Tycoon 2FA as "dangerous," highlighting how it enabled threat actors to establish persistence and access sensitive information even after password resets. The company emphasized that the kit's ability to intercept session cookies and MFA codes through proxy servers made it particularly effective at bypassing traditional security measures.
The Broader Threat Landscape
The takedown of Tycoon 2FA comes amid growing concerns about the effectiveness of traditional security measures against sophisticated phishing attacks. Selena Larson, staff threat researcher at Proofpoint, noted that in 2025, 99% of organizations experienced account takeover attempts, with 67% experiencing successful account takeovers. Of these, 59% of the taken-over accounts had MFA enabled, demonstrating the impact of AiTM phishing on enterprises.
"These cyberattacks that enable full account takeovers can lead to disastrous impacts, including ransomware or the loss of sensitive data," Larson said. "As threat actors continue to prioritize identity, gaining access to enterprise email accounts is often the first step in an attack chain that can have destructive consequences."
The dismantling of Tycoon 2FA represents a significant victory for law enforcement and the cybersecurity community, but experts warn that the threat landscape continues to evolve. Phishing kits like Tycoon are designed to be flexible and accessible, making sophisticated attacks available to a wide range of threat actors.
The operation demonstrates the importance of international cooperation in combating cybercrime and the need for organizations to implement comprehensive security measures that go beyond traditional MFA to protect against AiTM attacks and other advanced phishing techniques.