Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks

Tycoon 2FA, one of the most prominent phishing-as-a-service (PhaaS) tools, which allowed cybercriminals to conduct adversary-in-the-middle (AitM) attacks at scale, has been dismantled by a coalition of law enforcement agencies and security companies.

The phishing kit, which first appeared in August 2023, was described by Europol as one of the biggest phishing operations in the world. It was sold for an introductory price of $120 for 10 days, or $350 for a month of access to the web-based management panel.

The panel serves as a hub for preparing, tracking, and refining campaigns. It includes pre-built templates, attachment files for common lure formats, domain and host configuration, redirect settings, and victim tracking. Operators can also configure how malicious content is delivered via attachments and keep tabs on valid and invalid login attempts.

Captured information, such as credentials, multi-factor authentication (MFA) codes and session cookies, can be downloaded directly from within the panel or forwarded to Telegram for near real-time monitoring.

“It has helped thousands of cybercriminals secretly access email and cloud-based service accounts,” Europol said. “At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations worldwide, including schools, hospitals, and community centers.”

As part of the coordinated effort, 330 domains that formed the backbone of the criminal activity, including phishing pages and control panels, were taken down.

Describing Tycoon 2FA as “dangerous,” Intel 471 said the kit has been linked to more than 64,000 phishing incidents and tens of thousands of domains, generating tens of millions of phishing emails each month. Microsoft, which tracks the service's operators under the name Storm-1747, said Tycoon 2FA was the most effective platform it observed in 2025; the company blocked more than 13 million malicious emails connected to the criminal service.

Tycoon 2FA Evolution Timeline (Source: Point Wild)

Data from Proofpoint shows that Tycoon 2FA accounted for the largest share of AitM phishing threats the company observed. The email security firm said it saw more than three million messages related to the phishing kit in February 2026 alone. Trend Micro, one of the private sector partners in the operation, noted that the PhaaS platform has nearly 2,000 users.

Campaigns using Tycoon 2FA have indiscriminately targeted almost every sector, including education, health, finance, non-profit, and government. Phishing emails sent with the kit reach over 500,000 organizations every month worldwide.

“The Tycoon 2FA platform enabled malicious actors to impersonate trusted products by impersonating login pages for services such as Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail,” Microsoft said.

“It also allowed malicious actors using its service to gain persistence and access to sensitive information even after passwords were reset, unless the active sessions and tokens were explicitly revoked. This worked by intercepting the session cookies generated during the authentication process, at the same time capturing user information. The MFA codes were then transferred to the Tycoon 2FA server of the Tycoon service.”
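The defender-side consequence of the mechanism Microsoft describes is that a stolen, already-MFA-authenticated session cookie is later presented from infrastructure the victim never used. The following is an added example, not code from the article or from any of the companies quoted: it runs a session-replay check over a constructed activity log (the log format, field names, users, and IP addresses are all invented for this example) and flags sessions used by two different client fingerprints within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real data): each request carries the session cookie id.
SAMPLE_LOG = """\
2026-03-02T09:00:01Z user=alice session=S1 ip=198.51.100.10 asn=AS64500 ua=Edge/122
2026-03-02T09:00:05Z user=alice session=S1 ip=198.51.100.10 asn=AS64500 ua=Edge/122
2026-03-02T09:02:40Z user=alice session=S1 ip=203.0.113.77 asn=AS64501 ua=Chrome/121
2026-03-02T09:10:00Z user=bob session=S2 ip=192.0.2.5 asn=AS64502 ua=Firefox/123
2026-03-02T12:30:00Z user=bob session=S2 ip=192.0.2.99 asn=AS64502 ua=Firefox/123
"""
WINDOW = timedelta(hours=1)  # two different clients on one session inside this window is suspicious


def parse_line(line):
    """Parse 'TIMESTAMP k=v k=v ...' (constructed format) into a dict with a tz-aware 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def fingerprint(rec):
    """Client identity = network origin + browser. Same ASN and UA counts as the same
    client (ordinary IP roaming, as with 'bob'); a change in either is a different client."""
    return (rec["asn"], rec["ua"])


def find_session_replay(log_text, window=WINDOW):
    """One finding per session used by two different fingerprints within `window`.
    After AitM cookie theft both the victim's browser and the attacker's host present the
    same cookie, so MFA is never re-prompted; the fingerprint flip is what stays visible."""
    by_session = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        by_session[rec["session"]].append(rec)
    findings = []
    for session, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            gap = cur["ts"] - prev["ts"]
            if fingerprint(prev) != fingerprint(cur) and gap <= window:
                findings.append({"user": cur["user"], "session": session,
                                 "from": f'{prev["ip"]} {prev["ua"]}', "to": f'{cur["ip"]} {cur["ua"]}',
                                 "gap_seconds": int(gap.total_seconds()),
                                 # a password reset alone does not end a stolen session
                                 "action": "revoke session and refresh tokens, then reset password"})
                break
    return findings
```

On the sample data only alice's session S1 is flagged (ASN and browser both change within three minutes); bob's IP change inside the same ASN with the same browser is treated as ordinary roaming.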

The kit also used techniques such as keystroke capture, anti-bot checks, browser fingerprinting, heavy code obfuscation, automated CAPTCHAs, custom JavaScript, and dynamic decoy pages to evade detection. Another key feature is the use of a wide mix of short-lived top-level domains (TLDs) and fully qualified domain names (FQDNs) to host the phishing infrastructure behind Cloudflare.

The FQDNs are usually live for only 24 to 72 hours, a deliberate choice that frustrates detection and blocklisting. Microsoft also noted that Tycoon 2FA's success comes from closely mimicking legitimate authentication flows so that it can covertly capture user credentials and session tokens.

To make matters worse, Tycoon 2FA customers have used a technique called ATO Jumping, where a compromised email account is used to distribute Tycoon 2FA URLs and attempt other account takeover activities. “Using this technique makes emails look like they’re coming from a trusted contact, which increases the likelihood of reverse success,” notes Proofpoint.

Phishing kits like Tycoon 2FA are designed to be accessible to less technically savvy actors while offering advanced capabilities to more experienced operators.

“By 2025, 99% of organizations had account takeover attempts, and 67% experienced successful account takeovers,” said Selena Larson, staff threat researcher at Proofpoint, in a statement shared with Hacker News. “Of these, 59% of the accounts taken were MFA enabled. While not all of these attacks are related to Tycoon MFA, this shows the impact of AiTM phishing on businesses.”

“These cyber attacks that allow full account takeover can lead to catastrophic consequences, including ransomware or the loss of sensitive data. As threat actors continue to prioritize identity, gaining access to business email accounts is often the first step in a chain of attacks that can have devastating consequences.”
