A coordinated operation involving Coinbase, Microsoft and Europol has successfully disrupted the infrastructure behind Tycoon 2FA, a large phishing-as-a-service platform used by cybercriminals to bypass multi-factor authentication protections.
Europol confirmed that more than 330 internet domains connected to the phishing service were blocked during the operation. Law enforcement agencies also seized critical backend systems believed to be responsible for managing the phishing campaigns.
The effort targeted a network that had been widely used by hackers to steal login credentials and gain unauthorized access to online accounts.
Phishing Toolkit Designed to Bypass Multi-Factor Authentication
Tycoon 2FA operated as a subscription style service that provided criminals with ready-made phishing tools. The toolkit included fake login pages designed to closely mimic legitimate websites, tricking victims into entering their usernames and passwords.
Beyond basic credential theft, the platform was capable of capturing authentication session tokens stored in a user’s browser. These tokens allow systems to recognize that a user has already verified their identity through multi-factor authentication.
If attackers obtain these tokens, they can potentially bypass MFA protections and access accounts without needing additional verification.
Blockchain Tracking Helped Identify Platform Operators
Investigators said financial tracking played an important role in identifying the individuals involved in running the phishing platform. Coinbase assisted authorities by analyzing blockchain transactions used to fund Tycoon 2FA operations.
These transaction trails helped link payments made by buyers of the phishing service to the platform’s alleged administrator, allowing investigators to map the broader criminal network behind the scheme.
Tycoon 2FA Linked to Massive Global Phishing Campaigns
Cybersecurity experts say Tycoon 2FA had grown into one of the largest phishing operations on the internet. According to Microsoft’s Digital Crimes Unit, the platform accounted for roughly 62% of phishing attempts the company blocked by mid-2025.
During one month alone, Microsoft detected and stopped more than 30 million phishing emails associated with the network.
The attacks affected organizations across several sectors, including healthcare, education and financial services. Victims experienced stolen data, fraudulent invoices, compromised corporate email accounts and in some cases operational disruptions.
Security analysts warn that although the takedown disrupts a major criminal toolset, phishing campaigns remain one of the most persistent threats in the digital economy.
Disclaimer
This content is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency trading involves risk and may result in financial loss.