Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform

One of the most widely used and effective phishing platforms on the threat landscape has been taken down — at least for now.

Europol and several private sector partners, including Microsoft, Trend Micro, and Cloudflare, disrupted the Tycoon 2FA phishing-as-a-service (PhaaS) platform this week in an international operation. In coordination with Europol’s Cyber Intelligence Extension Programme (CIEP), Microsoft seized 330 domains that composed the platform’s user control panels and fake login pages.

Law enforcement agencies, meanwhile, seized Tycoon 2FA infrastructure and conducted other operational measures in Latvia, Lithuania, Portugal, Poland, Spain, and the UK, according to Europol. The takedown effort disrupts one of the largest and most popular PhaaS platforms in the world, which has been a considerable thorn in the side of security teams since it was first observed in 2023.

“By mid‑2025, Tycoon 2FA accounted for approximately 62 percent of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post.


Masada added that Tycoon 2FA is connected to an estimated 96,000 distinct phishing victims since its inception, including more than 55,000 Microsoft customers.  

How Tycoon 2FA Works

Phishing kits and PhaaS platforms have for years streamlined and democratized phishing attacks for mid- to low-skilled hackers by providing them with a suite of tools to create authentic-looking emails and phishing pages that unsuspecting victims will engage with. For a relatively modest fee, budding cybercriminals can subscribe to these services and churn out a higher volume of more convincing attacks.

Like other, newer PhaaS platforms, Tycoon 2FA took the model a step further with advanced defense-evasion techniques, most notably a multifactor authentication (MFA) bypass system that has proven to be quite effective. Instead of using a fake landing page designed to look like a real Microsoft 365 or Google login portal, Tycoon 2FA proxies the real pages to victims in an adversary-in-the-middle (AitM) attack.

When victims enter their credentials and MFA codes into the proxy, Tycoon 2FA actually passes them on to the legitimate Microsoft or Google service to complete the login confirmation. But the platform intercepts the authentication tokens that the identity service sends back to the victims.


“Unlike traditional phishing kits that simply steal static passwords, Tycoon 2FA relayed authentication prompts in real-time to capture live session tokens and cookies,” Cloudflare explained in a research brief on the takedown. “This technical maneuver allowed attackers to inherit a fully authenticated session, effectively rendering SMS codes, authenticator apps, and push notifications useless.”

An attacker can then import the stolen session tokens into their browser, bypassing MFA and taking control of the victim’s account. Cloudflare also noted that cybercriminals frequently used Tycoon 2FA for business email compromise (BEC) campaigns. 

“By leveraging hijacked session tokens, attackers embedded themselves within corporate email environments to monitor internal communications and financial workflows,” the company said. “From here, attackers could send legitimate-looking invoices from the compromised account to a third-party partner or vendor.”
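The passages above describe the defender-relevant signal an AitM kit leaves behind: the session token is minted after a genuine, MFA-confirmed login, and is then replayed from the attacker's own browser. The script below is an added example, not code from the article or from any of the vendors it quotes, and it runs over constructed JSON-lines audit events (field names, users, session ids and IP addresses are all hypothetical). It records the IP address and user agent at the moment a session is issued and flags later requests on the same session that arrive from a different client, which is the shape of a replayed token regardless of which MFA factor the victim completed.

```python
import json
from dataclasses import dataclass, field

# Constructed sample log lines (one JSON object per line); not real tenant data.
# Session s-1001 is minted after an MFA-confirmed login and later used from a
# different IP address and browser, which is what a replayed session looks like.
# Session s-1002 stays on the client that logged in and should not alert.
SAMPLE_LOG = """\
{"ts":"2025-06-01T09:00:02Z","event":"login.success","user":"alice@example.test","session":"s-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/125","mfa":"push"}
{"ts":"2025-06-01T09:00:40Z","event":"request","user":"alice@example.test","session":"s-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/125","path":"/mail/inbox"}
{"ts":"2025-06-01T09:03:15Z","event":"request","user":"alice@example.test","session":"s-1001","ip":"198.51.100.77","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/126","path":"/mail/rules"}
{"ts":"2025-06-01T09:10:00Z","event":"login.success","user":"bob@example.test","session":"s-1002","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17","mfa":"totp"}
{"ts":"2025-06-01T09:12:00Z","event":"request","user":"bob@example.test","session":"s-1002","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17","path":"/mail/inbox"}
"""


@dataclass
class SessionIssuance:
    """Client context captured when the identity provider minted the session."""
    user: str
    ip: str
    ua: str
    ts: str


@dataclass
class Alert:
    session: str
    user: str
    ts: str
    reasons: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Parse a JSON-lines audit log into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_drift(events: list) -> list:
    """Flag requests whose client context differs from the session's issuance.

    The issuance context is recorded at each login.success event; every later
    request carrying the same session id is compared against it. Events are
    assumed to be in time order (sort by ts first if your export is not).
    An IP change alone is common on mobile and VPN clients, so the reasons list
    is returned as-is and the caller decides how to weight ip_changed versus
    user_agent_changed (both together is the higher-fidelity signal).
    """
    issued = {}
    alerts = []
    for ev in events:
        sid = ev.get("session")
        if ev.get("event") == "login.success":
            issued[sid] = SessionIssuance(ev["user"], ev["ip"], ev["ua"], ev["ts"])
            continue
        ctx = issued.get(sid)
        if ctx is None:
            continue  # request on a session this log never saw minted
        reasons = []
        if ev.get("ip") != ctx.ip:
            reasons.append("ip_changed")
        if ev.get("ua") != ctx.ua:
            reasons.append("user_agent_changed")
        if reasons:
            alerts.append(Alert(sid, ctx.user, ev["ts"], reasons))
    return alerts


def format_alert(alert: Alert) -> str:
    return f"{alert.ts} session {alert.session} for {alert.user}: {', '.join(alert.reasons)}"


if __name__ == "__main__":
    for alert in detect_session_drift(parse_log(SAMPLE_LOG)):
        print(format_alert(alert))
```

The rule is deliberately simple so that it maps onto whatever session or sign-in log an identity provider exports; in practice the issuance record would also carry the ASN and device identifier, and a hit on a mailbox-rule or payment path (the BEC follow-on Cloudflare describes) would raise the severity.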

Phishing-Resistant MFA as a Key Defense

Tycoon 2FA first emerged in 2023 and was sold via Telegram, initially through the “Saad Tycoon Group” channel, according to Proofpoint, which was one of several private sector partners that assisted with the takedown. For approximately $120, threat actors could use the platform for a limited time to quickly spin up an effective phishing campaign.


Tycoon 2FA isn’t the only PhaaS platform that boasts effective MFA bypasses. Other offerings, such as the “VoidProxy” platform and the more recently discovered “Starkiller” tool, use similar approaches to capture session tokens.

But Tycoon 2FA had more going for it than just its ability to defeat MFA protections. Selena Larson, staff threat researcher at Proofpoint, tells Dark Reading that the platform was very popular because it was regularly updated and offered capabilities that made it simple for even unskilled hackers to use.

“The ease of use contributed to its popularity. It also featured anti-analysis techniques like obfuscation, heavy filtering, and CAPTCHAs that were designed to make it harder for researchers and sandboxes to track and identify,” Larson says. “The regular updates to the codebase meant that researchers had to stay on top of detection to identify new campaigns as soon as they emerged in the landscape and potentially write new tooling to detect it.”

Still, Tycoon 2FA’s claim to fame is that it highlighted a weakness in traditional MFA systems that could be exploited by AitM attacks. Therefore, vendors like Cloudflare, Proofpoint, and others that assisted with the takedown operation have encouraged organizations to shift to phishing-resistant MFA schemes, such as those that use FIDO2-based hardware keys or passkeys.
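Why FIDO2 and passkeys resist the relay trick the article describes comes down to origin binding, and the simulation below, an added example that is not part of the article or any vendor's code, walks through it with the relying party, browser and authenticator roles written out. The relying party name, origin and the proxy host are constructed placeholders. In the AitM case the proxy forwards the real challenge unchanged, exactly as it would forward an SMS or push prompt, but the browser writes the origin of the page the user is actually on into clientDataJSON and the authenticator hashes that page's RP ID, so the relying party rejects the assertion even though the challenge is correct. Signature verification over `authenticatorData || SHA-256(clientDataJSON)` is the final step of a real verifier and is left out, since the point here is the checks that precede it.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

# Hypothetical relying party (constructed names, not a real service).
RP_ID = "login.example.test"
RP_ORIGIN = "https://login.example.test"
USER_PRESENT = 0x01
USER_VERIFIED = 0x04


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_challenge() -> bytes:
    """Relying party side: a fresh random challenge for each login attempt."""
    return os.urandom(32)


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """Browser side: clientDataJSON carries the origin of the page that called
    navigator.credentials.get(); page script cannot choose this value."""
    payload = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    return json.dumps(payload, separators=(",", ":")).encode()


def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Authenticator side: rpIdHash (32 bytes) || flags (1) || signCount (4).
    The browser derives rp_id from the page's host, so a proxy page gets its own."""
    flags = bytes([USER_PRESENT | USER_VERIFIED])
    return hashlib.sha256(rp_id.encode()).digest() + flags + struct.pack(">I", sign_count)


def verify_assertion(expected_challenge: bytes, client_data_json: bytes, auth_data: bytes) -> list:
    """Relying party side: the WebAuthn checks that bind an assertion to this RP.
    Returns the list of failed checks; an empty list means the assertion passed
    these checks (a real verifier then checks the signature with the stored key)."""
    cd = json.loads(client_data_json)
    failed = []
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        failed.append("challenge")
    if cd.get("origin") != RP_ORIGIN:
        failed.append("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rp_id_hash")
    if not auth_data[32] & USER_PRESENT:
        failed.append("user_presence")
    return failed


def simulate_login(page_origin: str, page_host: str) -> list:
    """One login with the user's browser on the given page. For the relayed case
    the proxy passes the RP's real challenge through unchanged, so the only
    things that differ are the origin and RP ID the browser observed."""
    challenge = issue_challenge()
    client_data = browser_client_data(challenge, page_origin)
    auth_data = authenticator_data(page_host)
    return verify_assertion(challenge, client_data, auth_data)


if __name__ == "__main__":
    print("direct :", simulate_login(RP_ORIGIN, RP_ID) or "accepted")
    print("proxied:", simulate_login("https://proxy.example.test", "proxy.example.test"))
```

In a real browser the relayed attempt would usually fail one step earlier, because no credential is registered for the proxy's RP ID, so the user never even gets a touch prompt; the verifier-side rejection shown here is the backstop if a credential somehow were presented.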

Larson says it’s difficult to determine how many companies have implemented these measures during Tycoon 2FA’s run over the past three-plus years. However, she says, in general, it seems more organizations are adopting phishing-resistant MFA.

“And if they haven’t yet, they should consider it,” she says. “Things like physical keys and phishing-resistant multifactor authentication enabled via conditional access policies can be a great protection against MFA-targeted phishing.”

Trend Micro, which also assisted with the takedown operation, noted that the work isn’t done. “Operators have always been known to adapt, rebuild, and migrate to new infrastructure,” Trend Micro researchers wrote in a blog post. “Known and suspected users of Tycoon 2FA can attempt to continue operations, and previously stolen credentials and session cookies remain in circulation.”

As a result, Trend Micro and other participating partners will continue monitoring for Tycoon 2FA activity and gather intelligence on potential comeback efforts. Other private sector partners included in this operation are Coinbase, Intel471, the Shadowserver Foundation and SpyCloud.

Source: www.darkreading.com…