
How hackers bypass MFA with a $120 phishing kit

In a joint public-private partnership between law enforcement agencies and cyber security industry partners, one of the world’s most effective phishing platforms has been dismantled.

First appearing in August 2023, Tycoon 2FA was specifically designed to help fraudsters log into accounts protected by multi-factor authentication and steal session cookies, and was responsible for tens of millions of fraudulent emails and tens of thousands of verified victims worldwide.

What many computer users don’t realize is that while enabling multi-factor authentication (MFA) on their Microsoft 365 or Gmail accounts is recommended and strengthens their security against hackers, it doesn’t make it impossible for them to be breached.

The key trick of Tycoon 2FA was to bypass MFA by sitting between the victim and the official service. The fake website, which looked like the real one, doesn’t just collect the victim’s login information: it forwards it to the real site in real time, acting as a transparent proxy. If the victim enters their one-time password on the fake site, it is relayed to the real site before it expires, and the attacker ends up with a fully authenticated session.

For a starting price of around US $120 per month, Tycoon 2FA customers gain access through Telegram’s private channels to an off-the-shelf phishing kit, allowing even those with limited expertise to run sophisticated account takeover campaigns on a large scale.

By mid-2025, Tycoon 2FA is said to have accounted for nearly 62% of all phishing attempts blocked by Microsoft, including more than 30 million emails in a single month.

According to reports, health care and education organizations were hit hard, with more than 100 Health-ISAC members among those targeted. In New York alone, at least two hospitals, six public schools, and three universities have faced attempted or successful compromises, causing disruptions and delays in patient care and operations.

Operating under a US court order, Microsoft seized 330 active domains powering Tycoon 2FA’s core infrastructure. Meanwhile, law enforcement authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the UK also seized infrastructure used by the criminals.

The technology company Cloudflare went further, announcing that it has banned thousands of Workers domains and projects, suspended the related accounts, and deleted all associated Workers scripts, blocking the kit’s agent at the edge. For domains that cannot legally be seized because local law enforcement is uncooperative, Cloudflare has placed warning pages in front of them to stop victims who follow phishing links.

It’s obviously a good thing that one of the biggest phishing operations out there has been taken off the internet. But it must be remembered that the cybercrime industry abhors a vacuum, and chances are that other operators will quickly fill the space.

One lesson to take away is that not all MFA is created equal. In the past we have encouraged users not to rely on SMS-based multi-factor authentication because of SIM-swapping attacks, in which fraudsters have a victim’s phone number moved to a phone under their control so that the codes are delivered to them instead. Tycoon-style proxy attacks, on the other hand, are much harder for fraudsters to pull off if users protect their accounts with hardware security keys or passkeys, because those credentials are bound to the genuine site’s origin and cannot simply be relayed.
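To make the difference concrete, here is a toy model of the relying-party checks that separate a relayable one-time password from an origin-bound passkey assertion. It is an added illustration written for this article, not code from Tycoon 2FA, Microsoft, Cloudflare or any vendor; the domains, the credential key and the "signature" (an HMAC standing in for the public-key signature a real authenticator produces, over the same fields) are all constructed. It covers both the transparent-proxy mechanism described earlier and the lesson above: the real site cannot tell who typed a code, but it can see that a WebAuthn assertion was produced for the wrong origin.

```python
"""Why a transparent proxy relays an OTP but not a passkey.

Constructed teaching example. A real WebAuthn authenticatorData also
carries flags and a counter, and the signature is asymmetric; neither
changes the origin check shown here.
"""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"   # assumed genuine service
LEGIT_RP_ID = "login.example.com"
PHISH_ORIGIN = "https://login-example.com"   # constructed look-alike proxy

# Relying-party state: challenges handed out to browsers (one use each).
_issued_challenges = set()


def rp_issue_challenge():
    challenge = secrets.token_hex(16)
    _issued_challenges.add(challenge)
    return challenge


# --- One-time password: the code carries no information about where it was typed.
def rp_verify_otp(submitted, expected):
    return hmac.compare_digest(submitted, expected)


def proxy_relays_otp(victim_code, expected_code):
    """Victim types the code into the fake page; the proxy forwards it unchanged
    to the real site inside the code's validity window, so the real site accepts it."""
    return rp_verify_otp(victim_code, expected_code)


# --- Passkey / WebAuthn-style assertion: the browser records the origin it is on.
def authenticator_sign(key, rp_id, client_data):
    """authenticatorData (here just rpIdHash) || sha256(clientDataJSON) is signed."""
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    cdj = json.dumps(client_data, sort_keys=True).encode()
    msg = auth_data + hashlib.sha256(cdj).digest()
    sig = hmac.new(key, msg, "sha256").digest()  # toy stand-in for a real signature
    return {"authenticatorData": auth_data, "clientDataJSON": cdj, "signature": sig}


def browser_login(key, origin, challenge):
    """The browser derives rpId from the page it is actually on and writes that
    origin into clientData; the user cannot override either value."""
    rp_id = origin.removeprefix("https://")
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return authenticator_sign(key, rp_id, client_data)


def rp_verify_assertion(key, assertion):
    """The relying-party checks (from the WebAuthn verification steps) that
    make a relayed assertion fail. Returns (accepted, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") not in _issued_challenges:
        return False, "unknown challenge"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch"   # this is the check the proxy cannot satisfy
    if assertion["authenticatorData"] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    msg = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, msg, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    _issued_challenges.discard(cd["challenge"])  # single use
    return True, "ok"


def demo():
    key = b"toy-credential-key"  # constructed; stands in for the passkey key pair
    otp_relayed = proxy_relays_otp("482913", "482913")
    # Genuine login: browser is on the real origin.
    direct = rp_verify_assertion(key, browser_login(key, LEGIT_ORIGIN, rp_issue_challenge()))
    # Proxied login: the proxy forwards the real challenge, but the victim's
    # browser is on the look-alike origin and says so in clientData.
    proxied = rp_verify_assertion(key, browser_login(key, PHISH_ORIGIN, rp_issue_challenge()))
    return {"otp_relay_accepted": otp_relayed,
            "passkey_direct": direct,
            "passkey_via_proxy": proxied}


if __name__ == "__main__":
    print(demo())
```

In practice the failure happens even earlier than the origin check: a real authenticator holds no credential for the look-alike domain's rpId, so it never produces an assertion at all. The model keeps the signing step so that the relying-party side of the comparison is visible.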
