A coordinated international operation involving Coinbase, Microsoft, and Europol has disrupted Tycoon 2FA, a large phishing-as-a-service platform used by cybercriminals to bypass multi-factor authentication (MFA) and gain unauthorized access to online accounts.
The announced targeted the infrastructure powering the service, taking down 330 domains that hosted phishing pages and administrative control panels used by attackers. The disruption followed collaboration between law enforcement agencies and private cybersecurity partners coordinated by Europol’s European Cybercrime Centre.
Global Phishing Infrastructure Dismantled
Tycoon 2FA operated as a subscription-based toolkit that allowed criminals to run phishing campaigns capable of capturing login credentials and authentication data in real time.
The platform intercepted live authentication sessions and collected session cookies or tokens, allowing attackers to bypass MFA protections and access accounts without triggering additional security checks.
Authorities said the service had been active since at least August 2023 and had grown into one of the largest phishing operations globally. It enabled thousands of cybercriminals to infiltrate email and cloud accounts belonging to organizations across multiple sectors.
At its peak, the infrastructure generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations worldwide, including schools, hospitals, and public institutions. By mid-2025, Tycoon 2FA was responsible for around 62% of all phishing attempts blocked by Microsoft’s systems, highlighting the scale of its operations.
Joint Public-Private Investigation
The disruption stemmed from intelligence initially shared by cybersecurity firm Trend Micro. Investigators then coordinated a broader effort through Europol’s cybercrime networks and advisory groups.
Technical disruption of the platform’s infrastructure was led by Microsoft with assistance from industry partners including Cloudflare, Proofpoint, and Shadowserver Foundation.
Law enforcement authorities in several countries carried out operational actions to seize infrastructure linked to the network. These included agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom, where the National Crime Agency participated in the operation.
Europol coordinated the investigation through its Cyber Intelligence Extension Programme, which allows private-sector experts to work alongside investigators in tackling cybercrime threats.
Coinbase Traced Crypto Payments
Coinbase’s global intelligence team played a key role in tracking the financial activity behind the operation. Analysts traced cryptocurrency payments used to fund Tycoon 2FA’s subscription service, helping investigators map connections between the platform’s operator and its customers.
The exchange said its analysis contributed to identifying the suspected administrator of the service, Saad Fridi, believed to be based in Pakistan.
Microsoft later filed a civil action that enabled court-authorized domain seizures, removing key components of the phishing infrastructure and taking Tycoon’s control panels offline.
Ongoing Efforts Against Phishing Services
Authorities say dismantling Tycoon 2FA removes a major tool used for credential theft and account takeover attacks. However, investigators warn that similar phishing-as-a-service platforms continue to emerge, lowering the technical barriers for cybercriminals.
The operation highlights the growing reliance on cooperation between technology firms, crypto analytics teams, and law enforcement agencies to disrupt cybercrime networks that operate across jurisdictions.
