Security News

Cybersecurity news aggregator

HIGH Attacks SecurityWeek

Tycoon 2FA Phishing Platform Dismantled in Global Takedown

The Tycoon 2FA phishing-as-a-service platform enabled threat actors to bypass multi-factor authentication by using convincing phishing templates and real-time credential capture to intercept authentication sessions. This platform, responsible for an estimated 62% of phishing attempts blocked by Microsoft last year, was used to target over 500,000 organizations monthly. A global law enforcement and industry coalition has now seized its infrastructure and initiated legal action against its operators.

Cybercrime

The phishing-as-a-service platform was used to send fraudulent emails to over 500,000 organizations every month.

By Eduard Kovacs | March 4, 2026 (1:37 PM ET)

Europol, Microsoft, and cybersecurity companies on Wednesday announced a joint effort to take down the widely used phishing-as-a-service platform Tycoon 2FA.

Tycoon 2FA is a subscription-based platform that enables threat actors to impersonate users, create phishing pages, and bypass multi-factor authentication (MFA). It has allowed malicious hackers to intercept authentication sessions and gain access to targeted email and cloud accounts without triggering alerts.

“Tycoon 2FA combined convincing phishing templates, realistic landing pages, and real‑time capture of credentials and authentication codes into an easy‑to‑use package that scaled quickly. By lowering the technical barrier to entry, it allowed criminals with limited expertise to run sophisticated impersonation campaigns,” Microsoft said.

According to the tech giant, Tycoon 2FA accounted for roughly 62% of the phishing attempts it blocked last year. The platform had been used to send out tens of millions of phishing emails to 500,000 organizations every month.

“Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers,” Microsoft said.

The disruption of the cybercrime platform involved court orders, intelligence from major cybersecurity firms, and the seizure of 330 active Tycoon 2FA domains, including control panels and phishing pages.

Law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the UK were involved in disrupting Tycoon 2FA, Europol said.

The list of security companies that also participated in the operation includes Cloudflare, Proofpoint, Intel471, TrendAI, Resecurity, SpyCloud, and eSentire, along with the cryptocurrency exchange Coinbase, the law firm Crowell, and cybersecurity organizations Shadowserver and Health-ISAC.

In addition to the takedown of the Tycoon 2FA infrastructure, legal action has been taken against multiple individuals suspected of running the operation, including Saad Fridi, based in Pakistan and believed to be the platform’s main developer.