Police dismantle major phishing platform blamed for attacks on hospitals and schools
Summary
International law enforcement agencies have dismantled “Tycoon 2FA”, a large phishing-as-a-service platform that since 2023 enabled attackers to steal credentials and bypass multi-factor authentication by intercepting authentication sessions and one-time codes in real time. Authorities seized 330 domains used to host phishing pages and run the platform, which sent tens of millions of phishing emails per month and targeted more than 500,000 organisations worldwide. Healthcare and education were among the hardest hit, with Microsoft reporting over 100 Health-ISAC members phished and multiple hospitals, schools and universities affected. The takedown aims to disrupt a major pipeline that fuelled account takeovers, ransomware, business email compromise and financial fraud.
Key Points
- Tycoon 2FA was a subscription phishing service designed to defeat strong security controls, including MFA, by capturing credentials and one-time codes in real time.
- Law enforcement seized 330 domains and replaced them with a splash page as part of a coordinated international disruption.
- The platform was active since 2023 and reportedly sent tens of millions of phishing emails each month, targeting over 500,000 organisations.
- Healthcare and education sectors suffered significant impact: Microsoft said more than 100 Health-ISAC members were successfully phished; several hospitals, public schools and universities in New York reported compromises or attempts.
- At its peak, Tycoon 2FA accounted for roughly 62% of phishing attempts blocked by Microsoft, highlighting its scale.
- Authorities believe the developer operated from Pakistan and that the service was marketed alongside other criminal services for mass mailing, malware hosting and resale of stolen access.
Why should I read this?
Because this was a huge, industrial-scale toolkit that let crooks sidestep MFA and hit critical services like hospitals and schools. The takedown matters — it cuts off a major criminal pipeline — but it’s not the end of the story. If you manage systems, handle sensitive data, or worry about account takeovers, you’ll want to know what changed and what to check next.
Context and relevance
Phishing-as-a-service and MFA-bypass tools commoditise sophisticated attacks, lowering the technical bar for criminals and increasing risk to organisations that rely on single-layer defences. The Tycoon 2FA disruption shows that international cooperation can be effective at removing infrastructure, yet operators often pivot quickly. Organisations in healthcare, education and any sector holding sensitive data should review MFA implementation (prefer phishing-resistant methods where possible), tighten monitoring for account takeovers, and reinforce staff awareness of OTP/session interception techniques.
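The monitoring recommendation above is concrete enough to show in code. The script below is an added example, not code from The Record, Microsoft or the law-enforcement operation: it runs a replay heuristic over a constructed sign-in log to spot the footprint that real-time session interception leaves, namely an MFA-satisfied session that is used shortly afterwards from a different IP address and browser. The JSON-lines format, its field names (`ts`, `user`, `session_id`, `event`, `ip`, `ua`), the event names and the 30-minute window are all assumptions for illustration and do not correspond to any particular identity provider's schema.

```python
"""
Heuristic detection of post-MFA session replay (the defender-side signal
of adversary-in-the-middle phishing).

Assumed, simplified sign-in log (JSON lines, constructed for this example;
field names are not taken from any specific product):
  ts          ISO-8601 UTC timestamp
  user        account name
  session_id  opaque session/cookie identifier issued after sign-in
  event       "mfa_success" (interactive sign-in with MFA satisfied) or
              "token_use"   (a later request authenticated by that session)
  ip          client IP address
  ua          client User-Agent string
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: alice signs in legitimately, then the same session is
# used minutes later from another IP and browser. bob is a clean control.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","user":"alice","session_id":"s-101","event":"mfa_success","ip":"198.51.100.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-01T09:01:30Z","user":"alice","session_id":"s-101","event":"token_use","ip":"198.51.100.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-01T09:06:00Z","user":"alice","session_id":"s-101","event":"token_use","ip":"203.0.113.77","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/125"}
{"ts":"2024-05-01T09:10:00Z","user":"bob","session_id":"s-202","event":"mfa_success","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2024-05-01T09:12:00Z","user":"bob","session_id":"s-202","event":"token_use","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""

# Assumed tuning value: how soon after the interactive MFA sign-in a
# session appearing from new infrastructure is treated as suspicious.
WINDOW = timedelta(minutes=30)


def parse_log(text: str) -> List[dict]:
    """Parse JSON lines into records sorted by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def detect_session_replay(records: List[dict], window: timedelta = WINDOW) -> List[dict]:
    """Flag each session whose MFA-satisfied cookie is later used from a
    different IP *and* a different User-Agent within `window` of sign-in.
    One finding per session, keyed on the first suspicious use."""
    origin: Dict[str, dict] = {}   # session_id -> the mfa_success record
    flagged = set()
    findings = []
    for rec in records:
        sid = rec["session_id"]
        if rec["event"] == "mfa_success":
            origin[sid] = rec
            continue
        if rec["event"] != "token_use" or sid not in origin or sid in flagged:
            continue
        first = origin[sid]
        ip_changed = rec["ip"] != first["ip"]
        ua_changed = rec["ua"] != first["ua"]
        elapsed = rec["ts"] - first["ts"]
        if ip_changed and ua_changed and elapsed <= window:
            flagged.add(sid)
            findings.append({
                "user": rec["user"],
                "session_id": sid,
                "mfa_ip": first["ip"],
                "replay_ip": rec["ip"],
                "minutes_after_mfa": elapsed.total_seconds() / 60,
                "action": "revoke session and require re-authentication",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(finding)
```

Requiring both the IP and the User-Agent to change keeps the rule quiet on ordinary address churn (a laptop moving between networks) at the cost of missing a replay whose client details match the victim's exactly; in practice this heuristic is one input alongside sign-in risk scores, ASN reputation and the phishing-resistant MFA the section recommends, and the response to a hit is to revoke the session rather than to rely on the password or OTP being changed.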
Source
Source: https://therecord.media/police-dismantle-tycoon-2fa-phishing-platform
