A coalition of tech companies and law enforcement took down one of the world’s biggest phishing platforms this week. Coinbase, Microsoft, and Europol announced Wednesday they dismantled the core infrastructure of Tycoon 2FA.
Tycoon 2FA was a phishing-as-a-service platform. It sold subscription-based toolkits that let criminals steal login credentials and bypass multi-factor authentication (MFA).
The platform has been active since at least 2023. By mid-2025, it accounted for 62% of all phishing attempts blocked by Microsoft.
At its peak, Tycoon generated tens of millions of phishing emails every month. It facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions.
Microsoft blocked 330 domains tied to the platform. Law enforcement also seized additional key infrastructure as part of the operation.
Tycoon’s toolkit included spoofed landing pages designed to look like legitimate websites. When a user logged in, the platform captured their session cookies and tokens.
A session token is proof that a user has already authenticated. If a hacker steals that token, they can use it to access the account without triggering MFA prompts again.
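For defenders, the practical consequence is that MFA logs alone will not show this kind of misuse; the session itself has to be watched. The sketch below is an added example, not code from Coinbase, Microsoft, or Europol: it flags a session token presented by a client that differs from the one that completed MFA. The event format, field names, and sample values are constructed assumptions, and a changed IP address alone can be legitimate (for example on mobile networks), so treat hits as leads to review.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch (constructed)
    user: str
    session_id: str
    ip: str
    user_agent: str
    kind: str        # "mfa_success" when the session is issued, "request" afterwards

# Constructed sample events; every value is illustrative and not taken from the article.
EVENTS = [
    Event(1000, "alice", "s-111", "198.51.100.7", "Firefox/128", "mfa_success"),
    Event(1060, "alice", "s-111", "198.51.100.7", "Firefox/128", "request"),
    Event(1090, "alice", "s-111", "203.0.113.50", "python-requests/2.32", "request"),
    Event(2000, "bob", "s-222", "192.0.2.10", "Chrome/126", "mfa_success"),
    Event(2300, "bob", "s-222", "192.0.2.10", "Chrome/126", "request"),
    Event(3000, "carol", "s-333", "192.0.2.99", "Safari/17", "request"),
]

def find_replayed_sessions(events):
    """Flag sessions used by a client other than the one that passed MFA,
    and sessions for which no MFA completion was ever recorded."""
    origin = {}    # session_id -> (ip, user_agent) observed at MFA completion
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        client = (ev.ip, ev.user_agent)
        if ev.kind == "mfa_success":
            origin[ev.session_id] = client
        elif ev.session_id not in origin:
            findings.append((ev.session_id, ev.user, "no_mfa_on_record", client))
        elif origin[ev.session_id] != client:
            findings.append((ev.session_id, ev.user, "client_changed", client))
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(EVENTS):
        print(finding)
```
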
By lowering the technical barrier, Tycoon allowed criminals with limited skills to run sophisticated campaigns. Industries from healthcare to education were affected, resulting in stolen data, rerouted invoices, and disruptions to patient care.
Coinbase played a key role by tracing blockchain transactions used to fund the platform. That financial trail helped law enforcement identify the alleged administrator and several buyers.
Coinbase also said it is actively working to identify people who purchased Tycoon’s tools and will continue supporting law enforcement efforts.
Phishing was flagged as the second-largest threat to crypto users in 2025 by blockchain security firm CertiK, costing investors $722 million across 248 incidents.
Overall phishing losses dropped 83% in 2025 compared to the prior year. However, attackers have continued developing advanced techniques, including exploits tied to EIP-7702 and Permit2 signature-based attacks.
A spokesperson from blockchain security firm PeckShield told Cointelegraph that phishing remains a “persistent threat” in 2026.
The post Coinbase, Microsoft and Europol Dismantle Tycoon 2FA Crypto Phishing Network appeared first on CoinCentral.


