Security News

Cybersecurity news aggregator

HIGH Attacks Dark Reading

Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform

Europol and private sector partners disrupted the Tycoon 2FA phishing-as-a-service platform, which used an adversary-in-the-middle (AitM) technique: it proxied the real Microsoft and Google login pages, relayed the victim's credentials and multi-factor authentication codes to the legitimate service, and captured the session tokens and cookies the service issued in return. The platform was responsible for a significant portion of global phishing attempts, accounting for approximately 62% of those blocked by Microsoft by mid-2025. No specific vulnerability, CVSS score, affected software versions, patches, or workarounds are discussed, as the article focuses on the law enforcement action against the criminal service itself.

The phishing-as-a-service platform was popular among cyber threat actors because of its ability to bypass multifactor authentication defenses.

Rob Wright, Senior News Director, Dark Reading
March 5, 2026

One of the most widely used and effective phishing platforms on the threat landscape has been taken down, at least for now. Europol and several private sector partners, including Microsoft, Trend Micro, and Cloudflare, disrupted the Tycoon 2FA phishing-as-a-service (PhaaS) platform this week in an international operation.

In coordination with Europol's Cyber Intelligence Extension Programme (CIEP), Microsoft seized 330 domains that composed the platform's user control panels and fake login pages. Law enforcement agencies, meanwhile, seized Tycoon 2FA infrastructure and conducted other operational measures in Latvia, Lithuania, Portugal, Poland, Spain, and the UK, according to Europol.

The takedown disrupts one of the largest and most popular PhaaS platforms in the world, which has been a considerable thorn in the side of security teams since it was first observed in 2023.

"By mid-2025, Tycoon 2FA accounted for approximately 62 percent of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, said in a blog post.
Masada added that Tycoon 2FA is connected to an estimated 96,000 distinct phishing victims since its inception, including more than 55,000 Microsoft customers.

How Tycoon 2FA Works

Phishing kits and PhaaS platforms have for years streamlined and democratized phishing attacks for mid- to low-skilled hackers by providing them with a suite of tools to create authentic-looking emails and phishing pages that unsuspecting victims will engage with. For a relatively modest fee, budding cybercriminals can subscribe to these services and churn out a higher volume of more convincing attacks.

Like other, newer PhaaS platforms, Tycoon 2FA took the model a step further with advanced defense-evasion techniques, most notably a multifactor authentication (MFA) bypass system that has proven to be quite effective. Instead of using a fake landing page designed to look like a real Microsoft 365 or Google login portal, Tycoon 2FA proxies the real pages to victims in an adversary-in-the-middle (AitM) attack. When victims enter their credentials and MFA codes into the proxy, Tycoon 2FA passes them on to the legitimate Microsoft or Google service, which completes the login as if the victim had come directly. But the platform intercepts the authentication tokens that the identity service sends back to the victims.

"Unlike traditional phishing kits that simply steal static passwords, Tycoon 2FA relayed authentication prompts in real-time to capture live session tokens and cookies," Cloudflare explained in a research brief on the takedown. "This technical maneuver allowed attackers to inherit a fully authenticated session, effectively rendering SMS codes, authenticator apps, and push notifications useless."

An attacker can then import the stolen session tokens into their browser, bypassing MFA and taking control of the victim's account.
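The theft just described leaves a trace in identity-provider telemetry: the session that satisfied MFA from the victim's own network is later used from the attacker's browser, somewhere else entirely. The Go program below is an added example, not code from the article or from any of the vendors it names. It runs that check over a few constructed sign-in log lines (the CSV layout, field names, user names and addresses are this example's own, and geolocation and ASN are assumed to have been resolved upstream). A session is flagged the first time its token is used from a different IP that is also in a different country or autonomous system than the sign-in that completed MFA.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SignInEvent is one row of an identity provider's sign-in/activity log.
// The field set and CSV layout are this example's own, not a vendor schema.
type SignInEvent struct {
	Time      time.Time
	User      string
	SessionID string // identifier of the session cookie/token issued after MFA
	Action    string // "mfa_ok": MFA satisfied; "activity": the token was used
	IP        string
	Country   string // geolocation, assumed resolved upstream
	ASN       string
}

// Finding records a session token used from somewhere other than where MFA completed.
type Finding struct {
	User, SessionID, MFAIP, ReuseIP, ReuseCountry string
	MinutesAfterMFA                               float64
}

// SampleLog is constructed input: timestamp,user,session,action,ip,country,asn.
const SampleLog = `
2026-03-02T09:14:03Z,alice,sess-7f3a,mfa_ok,203.0.113.10,NL,AS64500
2026-03-02T09:14:20Z,alice,sess-7f3a,activity,203.0.113.10,NL,AS64500
2026-03-02T09:31:47Z,alice,sess-7f3a,activity,198.51.100.77,US,AS64511
2026-03-02T09:40:00Z,bob,sess-c21d,mfa_ok,192.0.2.44,DE,AS64496
2026-03-02T09:45:10Z,bob,sess-c21d,activity,192.0.2.45,DE,AS64496
2026-03-02T11:05:00Z,carol,sess-9e10,mfa_ok,192.0.2.99,FR,AS64499
2026-03-02T14:30:00Z,carol,sess-9e10,activity,198.51.100.9,US,AS64511
`

// ParseEvents reads the CSV lines above; blank lines are skipped.
func ParseEvents(raw string) ([]SignInEvent, error) {
	var out []SignInEvent
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 7 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, SignInEvent{t, f[1], f[2], f[3], f[4], f[5], f[6]})
	}
	return out, nil
}

// DetectTokenReuse flags the first use of each session token from a different
// IP *and* a different country or ASN than the sign-in that satisfied MFA.
// A phished victim completes MFA through the AitM proxy from their own network;
// the captured cookie is then imported into a browser on the attacker's side,
// so the same session surfaces from unrelated infrastructure. A changed IP on
// its own is deliberately not enough: mobile carriers and NAT rotate addresses.
func DetectTokenReuse(events []SignInEvent) []Finding {
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	type origin struct {
		ip, country, asn string
		at               time.Time
	}
	origins := map[string]origin{} // sessionID -> where MFA completed
	reported := map[string]bool{}
	var findings []Finding
	for _, e := range events {
		switch e.Action {
		case "mfa_ok":
			origins[e.SessionID] = origin{e.IP, e.Country, e.ASN, e.Time}
		case "activity":
			o, ok := origins[e.SessionID]
			if !ok || reported[e.SessionID] {
				continue
			}
			if e.IP != o.ip && (e.Country != o.country || e.ASN != o.asn) {
				findings = append(findings, Finding{
					User: e.User, SessionID: e.SessionID, MFAIP: o.ip,
					ReuseIP: e.IP, ReuseCountry: e.Country,
					MinutesAfterMFA: e.Time.Sub(o.at).Minutes(),
				})
				reported[e.SessionID] = true
			}
		}
	}
	return findings
}

func main() {
	events, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DetectTokenReuse(events) {
		fmt.Printf("%s session %s: MFA from %s, token reused from %s (%s) %.1f min later\n",
			f.User, f.SessionID, f.MFAIP, f.ReuseIP, f.ReuseCountry, f.MinutesAfterMFA)
	}
}
```

On the sample input, alice's session is flagged (her token shows up in another country 18 minutes after she passed MFA) and so is carol's, hours later; bob's change of address inside the same carrier is not. There is no time window on purpose: a stolen cookie keeps working until the session is revoked, so the right response to a hit is to revoke the session and reset the credential rather than wait for it to expire. The check is one signal, not a complete detection: an attacker replaying the token through a residential proxy in the victim's own country will not trip it, and travelling users will.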
Cloudflare also noted that cybercriminals frequently used Tycoon 2FA for business email compromise (BEC) campaigns. "By leveraging hijacked session tokens, attackers embedded themselves within corporate email environments to monitor internal communications and financial workflows," the company said. "From here, attackers could send legitimate-looking invoices from the compromised account to a third-party partner or vendor."

Phishing-Resistant MFA as a Key Defense

Tycoon 2FA first emerged in 2023 and was sold via Telegram, initially through the "Saad Tycoon Group" channel, according to Proofpoint, which was one of several private sector partners that assisted with the takedown. For approximately $120, threat actors could use the platform for a limited time to quickly spin up an effective phishing campaign.

Tycoon 2FA isn't the only PhaaS platform that boasts effective MFA bypasses. Other offerings, such as the "VoidProxy" platform and the more recently discovered "Starkiller" tool, use similar approaches to capture session tokens. But Tycoon 2FA had more going for it than just its ability to defeat MFA protections. Selena Larson, staff threat researcher at Proofpoint, tells Dark Reading that the platform was very popular because it was regularly updated and offered capabilities that made it simple for even unskilled hackers to use.

"The ease of use contributed to its popularity. It also featured anti-analysis techniques like obfuscation, heavy filtering, and CAPTCHAs that were designed to make it harder for researchers and sandboxes to track and identify," Larson says. "The regular updates to the codebase meant that researchers had to stay on top of detection to identify new campaigns as soon as they emerged in the landscape and potentially write new tooling to detect it."

Still, Tycoon 2FA's claim to fame is that it highlighted a weakness in traditional MFA systems that could be exploited by AitM attacks: a one-time code or push approval carries nothing that ties it to the site the user is actually talking to, so a proxy can relay it to the real service unchanged.
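A FIDO2 hardware key or passkey closes that gap because a WebAuthn assertion is bound to the origin the browser was actually on: the browser, not the web page, writes that origin into clientDataJSON, the authenticator's signature covers a hash of it, and the relying party (RP) rejects any origin it does not serve. Behind a Tycoon-style proxy the victim's browser is on the proxy's domain, so the signed origin is wrong and the RP refuses the assertion; the proxy cannot rewrite the origin field without breaking the signature. The Go program below is an added illustration, not code from the article, from any vendor named in it, or from a WebAuthn library. It simulates the authenticator with a P-256 key and implements the RP-side checks that matter here (challenge, origin allowlist, rpIdHash, signature); the RP identifier example.com, the two origins and the fixed challenge are assumed for the demo. A real browser would stop the proxied ceremony even earlier, since it refuses a request whose RP ID is not a registrable suffix of the page's own domain; the simulation skips that browser-side rule so the RP's own verification is what rejects the proxied assertion.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData holds the clientDataJSON fields that matter here. The browser fills
// in Origin with the origin of the page that called navigator.credentials.get().
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the RP receives: authenticator data, the raw clientDataJSON
// and an ECDSA P-256 signature over authenticatorData || SHA-256(clientDataJSON).
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// SignAssertion simulates the authenticator: it signs for whatever origin the
// browser reports; the origin is only checked later, at the RP.
func SignAssertion(key *ecdsa.PrivateKey, rpID, origin, challenge string) Assertion {
	cd, _ := json.Marshal(ClientData{"webauthn.get", challenge, origin}) // plain strings: cannot fail
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: UP set; signature counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	if err != nil {
		panic(err) // only if the system RNG fails
	}
	return Assertion{authData, cd, sig}
}

// VerifyAssertion runs the RP-side checks that make the scheme phishing-resistant.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, allowedOrigins map[string]bool,
	expectedChallenge string, a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge:
		return errors.New("wrong ceremony type or challenge mismatch")
	case !allowedOrigins[cd.Origin]:
		return fmt.Errorf("origin %q is not one this RP serves", cd.Origin)
	case len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpIDHash[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("bad signature")
	}
	return nil
}

// RunScenarios returns the RP's verdict for one registered credential used
// directly, through an AitM proxy, and through a proxy that rewrites the origin.
func RunScenarios() map[string]string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const rpID = "example.com" // assumed RP; all names here are hypothetical
	allowed := map[string]bool{"https://login.example.com": true}
	const challenge = "Zml4ZWQtY2hhbGxlbmdl" // fixed for the demo; random per ceremony in practice
	verdict := func(a Assertion) string {
		if err := VerifyAssertion(&key.PublicKey, rpID, allowed, challenge, a); err != nil {
			return err.Error()
		}
		return "ok"
	}
	out := map[string]string{}
	out["direct"] = verdict(SignAssertion(key, rpID, "https://login.example.com", challenge))
	// The victim's browser is on the proxy's domain, so that is the origin it reports.
	proxied := SignAssertion(key, rpID, "https://login.example-secure.net", challenge)
	out["via AitM proxy"] = verdict(proxied)
	// The proxy patches the origin before forwarding but cannot re-sign.
	patched := proxied
	patched.ClientDataJSON, _ = json.Marshal(ClientData{"webauthn.get", challenge, "https://login.example.com"})
	out["origin rewritten by proxy"] = verdict(patched)
	return out
}

func main() {
	fmt.Println(RunScenarios())
}
```

The direct login verifies; the proxied one fails on the origin check before the signature is even examined; and the patched one fails the signature check because the signed digest covers the original clientDataJSON. Contrast this with the OTP relay above, where nothing the victim types is bound to the page they typed it on. A production RP also checks the user-presence and user-verification flags, the signature counter, and the credential ID, which this demo leaves out.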
Therefore, vendors like Cloudflare, Proofpoint, and others that assisted with the takedown operation have encouraged organizations to shift to phishing-resistant MFA schemes, such as those that use FIDO2-based hardware keys or passkeys. Larson says it's difficult to determine how many companies have implemented these measures during Tycoon 2FA's run over the past three-plus years. However, she says, in general, it seems more organizations are adopting phishing-resistant MFA. "And if they haven't yet, they should consider it," she says. "Things like physical keys and phishing-resistant multifactor authentication enabled via conditional access policies can be a great protection against MFA-targeted phishing."

Trend Micro, which also assisted with the takedown operation, noted in a blog post that the work isn't done. "Operators have always been known to adapt, rebuild, and migrate to new infrastructure," Trend Micro researchers wrote. "Known and suspected users of Tycoon 2FA can attempt to continue operations, and previously stolen credentials and session cookies remain in circulation." As a result, Trend Micro and other participating partners will continue monitoring for Tycoon 2FA activity and gathering intelligence on potential comeback efforts.

Other private sector partners included in this operation are Coinbase, Intel471, the Shadowserver Foundation and SpyCloud.

About the Author

Rob Wright, Senior News Director, Dark Reading. Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
