Tycoon 2FA crackdown targets phishing-as-a-service
The post Tycoon 2fa crackdown targets phishing-as-a-service appeared on BitcoinEthereumNews.com.
In a coordinated strike against organized online fraud, investigators and security firms moved this week to disrupt Tycoon 2FA and its sprawling phishing infrastructure.

Coalition dismantles massive phishing platform

A joint operation by Coinbase, Microsoft, and Europol dismantled the core infrastructure of the Tycoon 2FA phishing-as-a-service platform, the companies announced Wednesday. The takedown targeted what authorities describe as one of the world’s largest commercial phishing operations, which had been active since at least 2023.

Investigators say the service industrialized credential theft by selling subscription-based toolkits to criminals. These packages enabled buyers to steal login credentials at scale and systematically bypass multi-factor authentication, turning basic fraud schemes into organized attacks on enterprises worldwide.

By mid-2025, Microsoft data showed that Tycoon-linked campaigns accounted for 62% of all phishing attempts the company blocked. At its peak, the platform generated tens of millions of phishing emails every month, flooding inboxes across regions and sectors.

The operation facilitated unauthorized access attempts against nearly 100,000 organizations globally, including schools, hospitals, and public institutions. The scale of the platform meant many campaigns could be launched by low-skilled actors, who simply rented the tools rather than building their own infrastructure.

As part of the takedown, Microsoft blocked 330 domains tied to the service. Law enforcement also seized additional core infrastructure, disrupting the command-and-control systems that coordinated phishing campaigns and handled stolen data.

How Tycoon bypassed multi-factor authentication

Tycoon operated as a professionalized phishing-as-a-service network. Its toolkit included spoofed landing pages crafted to closely mimic legitimate login portals for enterprise services, financial accounts, and public-sector systems.
When victims entered their credentials, the platform captured session cookies and tokens in real time. This approach allowed attackers to hijack authenticated sessions rather than repeatedly guessing passwords or trying simple brute-force attacks. A session token theft event…
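A defender-side illustration of the session hijacking described above, added here and not part of the original article: a session token that is used from a different IP address and client than the one that completed MFA is a common sign of replay. The event fields, the sample records and the 10-minute window are constructed assumptions, not data from the Tycoon 2FA case.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real logs:
# (timestamp, user, session_id, source_ip, user_agent, event_type)
EVENTS = [
    ("2026-03-01T09:00:00", "alice", "s-1001", "198.51.100.7", "Chrome/Windows", "login_mfa"),
    ("2026-03-01T09:00:40", "alice", "s-1001", "203.0.113.50", "python-requests", "token_use"),
    ("2026-03-01T09:05:00", "bob", "s-2002", "192.0.2.10", "Safari/macOS", "login_mfa"),
    ("2026-03-01T09:20:00", "bob", "s-2002", "192.0.2.10", "Safari/macOS", "token_use"),
    ("2026-03-01T10:00:00", "carol", "s-3003", "192.0.2.77", "Edge/Windows", "login_mfa"),
    ("2026-03-01T18:30:00", "carol", "s-3003", "198.51.100.99", "Edge/Windows", "token_use"),
    ("2026-03-01T11:00:00", "dave", "s-4004", "203.0.113.9", "curl", "token_use"),
]


def find_token_replay(events, window=timedelta(minutes=10)):
    """Flag session tokens used from a client that did not complete MFA.

    Limitation: a token replayed through the same IP that performed the
    login (for example the phishing proxy itself) is not caught here.
    """
    origin = {}    # session_id -> (time, ip, user_agent) of the MFA login
    findings = []
    for ts, user, sid, ip, ua, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "login_mfa":
            origin[sid] = (when, ip, ua)
        elif sid not in origin:
            # Token seen with no login in the log window: review manually.
            findings.append((user, sid, "no login on record"))
        else:
            t0, ip0, ua0 = origin[sid]
            if ip == ip0:
                continue  # same network as the login: nothing to report
            if ua != ua0:
                findings.append((user, sid, "new IP and new client"))
            elif when - t0 <= window:
                findings.append((user, sid, "new IP shortly after login"))
            # Same client on a new IP long after login is treated as roaming.
    return findings


if __name__ == "__main__":
    for finding in find_token_replay(EVENTS):
        print(finding)
```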
Filed under: News - @ March 5, 2026 11:29 am