Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform
Summary
Europol, working with private-sector partners including Microsoft, Trend Micro and Cloudflare, disrupted the Tycoon 2FA phishing-as-a-service platform and seized 330 domains used for attacker control panels and fake login pages. Law enforcement actions in several European countries accompanied the domain seizures. Tycoon 2FA — active since 2023 — used an adversary-in-the-middle proxy to capture live session tokens and cookies, enabling attackers to bypass multifactor authentication (MFA) and carry out widespread business email compromise (BEC) campaigns. Microsoft says Tycoon 2FA accounted for roughly 62% of phishing attempts it blocked by mid‑2025 and is tied to an estimated 96,000 victims. Vendors warn the threat can reappear and stress adoption of phishing‑resistant MFA such as FIDO2/passkeys.
Key Points
- Europol and partners disrupted Tycoon 2FA and Microsoft seized 330 domains used by the platform.
- Tycoon 2FA used an AitM proxy to relay credentials and capture live session tokens, effectively bypassing SMS, authenticator apps and push MFA.
- Microsoft estimated Tycoon 2FA was responsible for ~62% of phishing attempts it blocked by mid‑2025 and linked to about 96,000 victims, including 55,000+ Microsoft customers.
- Attackers leveraged stolen session tokens for BEC — sending legitimate-looking invoices and abusing corporate email flows.
- Vendors urge migration to phishing‑resistant MFA (FIDO2/passkeys, hardware keys) and continued monitoring, because operators can adapt and stolen session data remains in circulation.
Content Summary
Phishing kits and PhaaS services lower the barrier to entry for criminals; Tycoon 2FA advanced that model by relaying live authentication flows to capture session cookies and tokens. Rather than just stealing passwords, the platform proxied real Microsoft/Google login pages and forwarded MFA prompts in real time so attackers could inherit authenticated sessions. Because the attacker ends up holding the already-authenticated session, the technique rendered conventional MFA factors (SMS codes, authenticator-app codes and push approvals) ineffective.
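To make the difference between relayable and phishing-resistant factors concrete, here is an added illustration that is not part of the original article and not code from any of the vendors it names. It models, in Python, the two verifications a relying party performs: an OTP check, which has nothing that ties the code to the site it was typed into, and a WebAuthn-style assertion check, where the browser writes the origin it is actually on into the signed client data and the relying party compares it against its own. The domain names, challenge and keys are constructed for the demo, and an HMAC stands in for the authenticator's public-key signature so the block runs with the standard library alone.

```python
import hashlib
import hmac
import json
import struct

# Constructed values for this example only (not from the article or any real deployment).
RP_ID = "login.example.test"                      # genuine relying party's RP ID
GENUINE_ORIGIN = "https://login.example.test"
PHISH_ORIGIN = "https://login-example.test"       # hypothetical AitM proxy domain
CREDENTIAL_KEY = b"per-credential-secret-for-demo"  # stands in for the passkey's private key
OTP_SEED = b"shared-otp-seed-for-demo"              # shared seed of an OTP authenticator app


def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP: 6-digit code from HMAC-SHA1 over the counter with dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_otp(seed: bytes, counter: int, submitted: str) -> bool:
    # The code carries no information about where the user typed it, so a proxy
    # that forwards it to the real site gets the same "valid" answer as the user would.
    return hmac.compare_digest(hotp(seed, counter), submitted)


def make_assertion(key: bytes, rp_id_seen: str, origin_seen: str, challenge: str):
    """Browser + authenticator side: the browser records the origin it is really on."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen}
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags || signCount (simplified layout)
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, signed, hashlib.sha256).digest()  # stand-in for ECDSA/EdDSA
    return client_data, auth_data, signature


def verify_assertion(key, expected_rp_id, expected_origin, challenge, client_data, auth_data, signature):
    """Relying party side: signature, challenge, origin and rpIdHash must all match."""
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), signature):
        return False, "bad signature"
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "wrong type/challenge"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def relay_scenarios() -> dict:
    """Run the same login through a genuine page and through an AitM proxy."""
    challenge = "demo-challenge-from-rp"  # constructed; real RPs use random bytes per login

    # (a) OTP typed into the proxy's page and forwarded unchanged: accepted.
    code_typed_on_phish_page = hotp(OTP_SEED, 42)
    otp_relayed_ok = verify_otp(OTP_SEED, 42, code_typed_on_phish_page)

    # (b) Passkey used on the genuine origin: accepted.
    cd, ad, sig = make_assertion(CREDENTIAL_KEY, RP_ID, GENUINE_ORIGIN, challenge)
    genuine_ok, _ = verify_assertion(CREDENTIAL_KEY, RP_ID, GENUINE_ORIGIN, challenge, cd, ad, sig)

    # (c) Passkey used on the proxy's origin, bytes forwarded unchanged: origin check fails.
    cd, ad, sig = make_assertion(CREDENTIAL_KEY, "login-example.test", PHISH_ORIGIN, challenge)
    relayed_ok, relayed_reason = verify_assertion(CREDENTIAL_KEY, RP_ID, GENUINE_ORIGIN, challenge, cd, ad, sig)

    # (d) Proxy rewrites the origin field before forwarding: the signature no longer matches.
    tampered = cd.replace(PHISH_ORIGIN.encode(), GENUINE_ORIGIN.encode())
    tampered_ok, tampered_reason = verify_assertion(CREDENTIAL_KEY, RP_ID, GENUINE_ORIGIN, challenge, tampered, ad, sig)

    return {
        "otp_relayed_accepted": otp_relayed_ok,
        "passkey_genuine_accepted": genuine_ok,
        "passkey_relayed_accepted": relayed_ok,
        "passkey_relayed_reason": relayed_reason,
        "passkey_tampered_accepted": tampered_ok,
        "passkey_tampered_reason": tampered_reason,
    }


if __name__ == "__main__":
    for k, v in relay_scenarios().items():
        print(f"{k}: {v}")
```

The point of scenarios (c) and (d) is that the proxy has no good move: forward the assertion untouched and the origin check fails; edit the origin and the signature check fails. The OTP in (a) has neither protection, which is the property Tycoon 2FA's relay exploited.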
The takedown included operational measures across Latvia, Lithuania, Portugal, Poland, Spain and the UK, with private-sector intelligence and domain seizures coordinated through Europol’s Cyber Intelligence Extension Programme (CIEP). Proofpoint, Cloudflare, Trend Micro, Coinbase, Intel471, Shadowserver and SpyCloud were among the contributors.
While the disruption is meaningful, vendors caution it is not final: threat actors can rebuild, migrate infrastructure or reuse previously stolen credentials and session cookies. Continued detection, monitoring and adoption of phishing‑resistant authentication remain critical.
Context and Relevance
This is a significant development in the ongoing fight against PhaaS and MFA‑bypass techniques. Tycoon 2FA’s impact — as measured by Microsoft blocking millions of messages and the platform’s share of phishing attempts — shows how effective AitM proxies are at defeating common MFA methods. The takedown highlights the growing industry shift toward phishing‑resistant authentication standards (FIDO2, passkeys, hardware security keys) and the need for stronger conditional access policies.
For organisations, the story underlines two trends: (1) phishing threats are increasingly commoditised and technically sophisticated; (2) defensive posture must move beyond SMS codes and other one‑time passcodes to cryptographic, phishing‑resistant methods and proactive hunting for stolen session tokens and signs of account takeover.
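As an added example of the "proactive hunting" the paragraph calls for (not from the article, and not a vendor's detection rule), the Python below runs a simple session-reuse hunt over constructed sign-in and mailbox-audit records. The idea follows the relay pattern described above: a session minted by one client and then used, within minutes, from a different IP and user agent is suspicious, and a mailbox change from that second client (the kind of action behind the BEC activity the article mentions) escalates it. The field names, the 30-minute window and the event names are assumptions for the demo, not any product's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in and mailbox-audit records as JSON lines. Field names are
# assumptions for this example, not a specific vendor's log schema.
SAMPLE_LOG = """\
{"ts": "2025-06-02T08:01:10Z", "user": "alice@example.test", "event": "signin", "session": "S-1001", "ip": "203.0.113.10", "ua": "Chrome/125 Windows", "mfa": "satisfied"}
{"ts": "2025-06-02T08:01:45Z", "user": "alice@example.test", "event": "signin", "session": "S-1001", "ip": "198.51.100.77", "ua": "Chrome/124 Linux", "mfa": "satisfied_by_token"}
{"ts": "2025-06-02T08:03:02Z", "user": "alice@example.test", "event": "inbox_rule_created", "session": "S-1001", "ip": "198.51.100.77", "ua": "Chrome/124 Linux", "detail": "forward to external"}
{"ts": "2025-06-02T09:15:00Z", "user": "bob@example.test", "event": "signin", "session": "S-2002", "ip": "203.0.113.22", "ua": "Edge/125 Windows", "mfa": "satisfied"}
{"ts": "2025-06-02T12:40:00Z", "user": "bob@example.test", "event": "signin", "session": "S-2002", "ip": "203.0.113.22", "ua": "Edge/125 Windows", "mfa": "satisfied_by_token"}
"""

# Assumption: reuse from a different client this soon after the interactive
# sign-in looks like a live relay rather than, say, a user changing networks.
REUSE_WINDOW = timedelta(minutes=30)
# Post-takeover mailbox actions that turn a suspicious reuse into a likely BEC case.
BEC_EVENTS = {"inbox_rule_created", "mail_forwarding_changed"}


def parse_log(text: str) -> list:
    """Parse JSON lines, convert timestamps, and return records in time order."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["ts"])


def hunt_session_reuse(records: list) -> list:
    """Flag sessions used from a client other than the one that minted them."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)

    findings = []
    for session, events in by_session.items():
        first = events[0]  # earliest event: the interactive sign-in that minted the session
        origin_client = (first["ip"], first["ua"])
        foreign = [e for e in events if (e["ip"], e["ua"]) != origin_client]
        if not foreign:
            continue  # same IP and user agent throughout: nothing to report

        first_foreign = foreign[0]
        finding = {
            "session": session,
            "user": first["user"],
            "minted_from": origin_client,
            "reused_from": (first_foreign["ip"], first_foreign["ua"]),
            "seconds_to_reuse": (first_foreign["ts"] - first["ts"]).total_seconds(),
            "severity": "medium",
        }
        if first_foreign["ts"] - first["ts"] <= REUSE_WINDOW:
            finding["severity"] = "high"  # rapid foreign reuse matches live-relay behaviour
        actions = [e["event"] for e in foreign if e["event"] in BEC_EVENTS]
        if actions:
            finding["severity"] = "critical"  # reuse followed by a mailbox change from the foreign client
            finding["post_takeover_actions"] = actions
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt_session_reuse(parse_log(SAMPLE_LOG)):
        print(json.dumps(f, default=str, indent=2))
```

On the sample data only S-1001 is reported: it was minted from one client, reused from another 35 seconds later, and the second client then created an inbox rule, so the finding is marked critical. Bob's session stays quiet because both uses come from the same client. In production the same logic would read from the identity provider's sign-in export and mailbox audit log, and the (ip, ua) comparison would normally be widened to ASN or device identity to reduce noise from mobile users.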
Why should I read this?
Short answer: because if you care about stopping scammers from ghosting past your MFA, this is where the problem lives. We skimmed the technical bits and pulled out what you need to know — domain seizures happened, Tycoon used AitM to steal live tokens, and the fix is stronger, phishing‑resistant MFA plus active monitoring. Nice and sharp — read the full piece if you want the citations and vendor quotes.
Author note
Punchy take: this takedown matters. Tycoon 2FA was a major supplier of MFA‑bypass tooling — treat it as a wake-up call. If you haven’t started rolling out FIDO2/passkeys or checking for session‑cookie reuse, make it a priority.
