A major phishing operation has been disrupted in a joint Europol operation

Tycoon 2FA accounted for nearly 62pc of all phishing attempts blocked by Microsoft by mid-2025.
The joint cybersecurity operation disrupted one of the world’s largest phishing platforms, called ‘Tycoon 2FA’, which is used to bypass multi-factor authentication (MFA) and hack accounts.
The operation was coordinated by Europol’s European Cybercrime Centre, while the technical disruption was led by Microsoft. Industry partners include Cloudflare, Coinbase, Proofpoint and eSentire, among others.
Japanese cybersecurity firm Trend Micro shared the intelligence that allowed the investigation to begin, Europol noted. Meanwhile, law enforcement authorities from several European countries, including Spain and the UK, are also involved.
Tycoon 2FA provided hackers with a subscription-based toolkit that hosted live authentication sessions to gain unauthorized access to online accounts, including those protected by additional layers of security.
The platform has been active since at least 2023, according to Europol, and has enabled “thousands” of hackers to access email and cloud-based service accounts. Experts determined that the platform generated “tens of millions” of phishing emails every month, trying to reach nearly 100,000 organizations worldwide, including schools, hospitals and community centers.
“Campaigns promoting Tycoon 2FA have been seen in nearly every sector including education, healthcare, finance, non-profit and government,” Microsoft said.
“Its rise in popularity among cybercriminals may be due to disruption of other phishing services”, it noted.
Tycoon 2FA accounted for nearly 62pc of all phishing attempts blocked by Microsoft by mid-2025. The platform allowed malicious actors to impersonate trusted products by copying their login pages, including those of Microsoft 365, OneDrive or Gmail. It also allowed hackers to access sensitive information even after passwords were reset.
Targets are lured by phishing emails that carry SVG, PDF, HTML or DOCX attachments, often embedded with QR codes or JavaScript. To avoid detection, the platform also uses techniques such as anti-bot checks, browser fingerprinting and automated Captchas.
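For defenders, the attachment types above suggest a simple mail-triage check. The following is an added example, not code from Microsoft, Europol or the original article: it flags SVG and HTML attachments that carry active content, and it does not cover PDF, DOCX or QR-code lures. The function names, the pattern list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure file types named in the article that can carry script directly.
MARKUP_EXTS = (".svg", ".html", ".htm")

# Hypothetical pattern set: markers of active content in markup attachments.
ACTIVE = {
    "script element": re.compile(rb"<\s*script\b", re.I),
    "inline event handler": re.compile(rb"\bon[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(rb"javascript\s*:", re.I),
    "foreignObject (HTML inside SVG)": re.compile(rb"<\s*foreignObject\b", re.I),
}

def triage(raw: bytes) -> dict:
    """Return {filename: [reasons]} for markup attachments with active content."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(MARKUP_EXTS):
            continue
        body = part.get_payload(decode=True) or b""  # undo base64/QP encoding
        reasons = [label for label, rx in ACTIVE.items() if rx.search(body)]
        if reasons:
            findings[name] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed message: one benign SVG and one SVG with an inert script."""
    m = EmailMessage()
    m["Subject"] = "Constructed sample"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("See attached.")
    benign = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
    active = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b"<script>/* placeholder */</script></svg>")
    m.add_attachment(benign, maintype="image", subtype="svg+xml",
                     filename="logo.svg")
    m.add_attachment(active, maintype="image", subtype="svg+xml",
                     filename="invoice.svg")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

A hit is a reason to quarantine or inspect the message, not proof of phishing: legitimate HTML attachments can also contain script.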
A joint industry and law enforcement effort led to the disruption of 330 sites that make up the core infrastructure of the crime service, including phishing pages and control panels.
However, Microsoft points out that Tycoon 2FA reflects “the evolution of phishing services in response to advances in enterprise security”. The platform shows how cybercriminals adapt resources, infrastructure and evasion strategies to stay ahead of detection.
Recently, Google and iVerify highlighted the existence of a hacking method, of suspected US origin, that is now being used by bad actors to target outdated iPhones.
Meanwhile, Amazon last month highlighted how commercial AI is being used by less experienced hackers to increase cyberattacks on businesses.


