A coordinated global operation led by Coinbase, Microsoft, and Europol has successfully dismantled the Tycoon 2FA phishing-as-a-service (PhaaS) network. This takedown, executed on March 4, 2026, disrupted one of the most pervasive tools used to bypass multi-factor authentication (MFA), safeguarding hundreds of thousands of organizations from credential theft and account compromise.
Disrupting a Sophisticated Phishing Network
Tycoon 2FA, active since at least August 2023, enabled cybercriminals to bypass MFA by intercepting session cookies and authentication tokens. The platform provided phishing templates and control panels that captured credentials in real time, granting unauthorized access to services like Microsoft 365, Outlook, and Gmail.
Microsoft’s Digital Crimes Unit secured a court order from the U.S. District Court for the Southern District of New York, enabling the seizure of 330 active domains that formed the core infrastructure of Tycoon 2FA—including phishing pages and backend control panels. Europol’s Cyber Intelligence Extension Programme (CIEP) facilitated cross-border coordination, involving law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the UK.
Coinbase played a critical role by tracing cryptocurrency transactions that funded Tycoon 2FA. This blockchain analysis helped identify the platform’s alleged administrator, Saad Fridi, believed to be based in Pakistan.
Scale and Reach of the Tycoon 2FA Operation
Tycoon 2FA was among the most dominant phishing platforms globally. By mid-2025, it accounted for approximately 62% of phishing attempts blocked by Microsoft, including over 30 million emails in a single month. The platform sent tens of millions of fraudulent emails monthly, targeting more than 500,000 organizations worldwide.
Europol estimates that Tycoon 2FA affected nearly 100,000 organizations, including schools, hospitals, and public institutions. In October 2025 alone, Microsoft blocked over 13 million malicious emails linked to Tycoon 2FA.
Why This Takedown Matters
Protecting Organizations and Individuals
By dismantling Tycoon 2FA’s infrastructure, the operation cuts off a major pipeline for credential theft and account takeovers. According to Microsoft, this disruption helps protect against follow-on attacks such as data theft, ransomware, business email compromise, and financial fraud.
Raising the Barrier for Cybercriminals
Tycoon 2FA lowered the technical barrier for launching sophisticated phishing campaigns. Its removal forces criminals to rebuild and retool, increasing their operational risk and cost.
Demonstrating Effective Collaboration
The takedown exemplifies successful collaboration between public and private sectors. Europol’s coordination, Microsoft’s legal action, Coinbase’s blockchain tracing, and contributions from cybersecurity firms like Cloudflare, Proofpoint, Intel471, TrendAI, Resecurity, SpyCloud, Shadowserver, eSentire, Crowell, and Health-ISAC highlight a unified response to cybercrime.
Broader Context and Evolution of Tycoon 2FA
Rapid Expansion and Sophistication
DNSFilter research in mid-2025 revealed that Tycoon 2FA had expanded its infrastructure, including a surge in Spanish (.es) domains and advanced obfuscation techniques like nested encoding and Base91 encryption. Cybernews reported that Tycoon 2FA attacks in early 2025 accounted for 89% of PhaaS attempts, with upgraded scripts using Caesar cipher encryption and browser fingerprinting.
Technical Evasion and Targeting
An advisory from Pakistan’s NCERT highlighted Tycoon 2FA’s use of HTML5-based CAPTCHAs and SVG script injection to bypass MFA protections on Gmail and Microsoft accounts. These techniques enabled attackers to exfiltrate credentials and tokens even from accounts with active 2FA.
Future Implications and Challenges
Persistent Threat of PhaaS Platforms
Despite this disruption, Europol warns that phishing-as-a-service platforms remain a persistent threat. Similar kits can quickly emerge to fill the void left by Tycoon 2FA.
Need for Ongoing Vigilance
Organizations must strengthen email security configurations—such as enforcing strict DMARC and SPF policies and disabling unnecessary connectors—to mitigate phishing risks. Continuous monitoring and threat intelligence sharing are essential.
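As an added illustration of the "strict DMARC, SPF" recommendation above (not part of the original article), the following Python sketch audits SPF and DMARC TXT records for settings that stop short of enforcement. The domains and records under `example.test` are constructed samples, and the function names are hypothetical.

```python
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt):
    """Return weaknesses found in one SPF TXT record (empty list = strict)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in terms[1:]]
    if sum(n in LOOKUP_MECHS for n in names) > 10:
        findings.append("more than 10 DNS-lookup terms (permerror per RFC 7208)")
    if "all" in names:
        term = terms[1:][names.index("all")]
        qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier != "-":
            findings.append(f"'{qualifier}all' does not hard-fail unlisted senders")
    elif "redirect" not in names:
        findings.append("no 'all' or redirect: unlisted senders evaluate as neutral")
    return findings

def audit_dmarc(txt):
    """Return weaknesses found in one DMARC TXT record (empty list = strict)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "missing")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    if "sp" in tags and tags["sp"] != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are not protected by reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    return findings

# Constructed sample records: (SPF TXT, DMARC TXT) per domain.
SAMPLES = {
    "weak.example.test": ("v=spf1 include:_spf.example.test ~all",
                          "v=DMARC1; p=none; rua=mailto:dmarc@weak.example.test"),
    "strict.example.test": ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all",
                            "v=DMARC1; p=reject; sp=reject; pct=100"),
}

def audit_all(samples=SAMPLES):
    return {d: audit_spf(spf) + audit_dmarc(dmarc) for d, (spf, dmarc) in samples.items()}

if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, "OK" if not findings else findings)
```

In practice the TXT strings would come from DNS queries for the domain and for `_dmarc.<domain>` rather than from the embedded samples.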
Legal and Technical Preparedness
The success of this operation underscores the importance of legal mechanisms and technical readiness. Future takedowns will benefit from the frameworks and partnerships established through this effort.
Conclusion
The takedown of Tycoon 2FA by Coinbase, Microsoft, and Europol marks a significant victory in the fight against phishing-as-a-service platforms. By dismantling a tool that enabled widespread MFA bypass and credential theft, the operation protects hundreds of thousands of organizations and raises the operational cost for cybercriminals. The collaboration between law enforcement, private sector partners, and blockchain tracing experts demonstrates a powerful model for future cybercrime disruption. However, the threat landscape remains dynamic—ongoing vigilance, technical defenses, and international cooperation are vital to prevent the rise of the next Tycoon 2FA.
Frequently Asked Questions
What was Tycoon 2FA?
Tycoon 2FA was a phishing-as-a-service platform active since August 2023. It enabled cybercriminals to bypass multi-factor authentication by intercepting session cookies and authentication tokens, targeting services like Microsoft 365, Outlook, and Gmail.
Who led the takedown operation?
The operation was led by Microsoft’s Digital Crimes Unit, Europol’s Cyber Intelligence Extension Programme, and Coinbase. It also involved cybersecurity firms such as Cloudflare, Proofpoint, TrendAI, Intel471, Resecurity, SpyCloud, Shadowserver, eSentire, Crowell, and Health-ISAC.
How many domains were seized?
Authorities seized 330 active domains linked to Tycoon 2FA, including phishing pages and control panels.
What role did Coinbase play?
Coinbase traced cryptocurrency payments that funded Tycoon 2FA, helping identify the platform’s alleged administrator, Saad Fridi, believed to be based in Pakistan.
How widespread was the impact of Tycoon 2FA?
Tycoon 2FA sent tens of millions of phishing emails monthly, targeting over 500,000 organizations. It accounted for roughly 62% of phishing attempts blocked by Microsoft by mid-2025 and affected nearly 100,000 organizations globally.
Will similar phishing platforms emerge?
Yes. Europol warns that phishing-as-a-service platforms remain a persistent threat, and similar tools could quickly emerge to replace Tycoon 2FA.