Global phishing-as-a-service crackdown targets tycoon 2fa in major cybersecurity operation

In a coordinated strike against organized online fraud, investigators and security firms moved this week to disrupt tycoon 2fa and its sprawling phishing infrastructure.

Coalition dismantles massive phishing platform

A joint operation by Coinbase, Microsoft, and Europol dismantled the core infrastructure of the Tycoon 2FA phishing-as-a-service platform, the companies announced Wednesday. The takedown targeted what authorities describe as one of the world’s largest commercial phishing operations, which had been active since at least 2023.

Moreover, investigators say the service industrialized credential theft by selling subscription-based toolkits to criminals. These packages enabled buyers to steal login credentials at scale and systematically bypass multi-factor authentication, turning basic fraud schemes into organized attacks on enterprises worldwide.

By mid-2025, Microsoft data showed that Tycoon-linked campaigns accounted for 62% of all phishing attempts the company blocked. At its peak, the platform generated tens of millions of phishing emails every month, flooding inboxes across regions and sectors.

The operation facilitated unauthorized access attempts against nearly 100,000 organizations globally, including schools, hospitals, and public institutions. However, the scale of the platform meant many campaigns could be launched by low-skilled actors, who simply rented the tools rather than building their own infrastructure.

As part of the takedown, Microsoft blocked 330 domains tied to the service. Law enforcement also seized additional core infrastructure, disrupting the command-and-control systems that coordinated phishing campaigns and handled stolen data.

How Tycoon bypassed multi-factor authentication

Tycoon operated as a professionalized phishing-as a service network. Its toolkit included spoofed landing pages crafted to closely mimic legitimate login portals for enterprise services, financial accounts, and public-sector systems.

When victims entered their credentials, the platform captured session cookies and tokens in real time. Moreover, this approach allowed attackers to hijack authenticated sessions, rather than repeatedly guessing passwords or trying simple brute-force attacks.

A session token theft event is especially dangerous because the token serves as proof the user has already authenticated. If a hacker steals that token, they can reuse it to access the account without triggering multi-factor authentication prompts again, effectively creating a stealthy and persistent foothold.

“That combination — high-fidelity lures plus session-token theft — turns phishing into a reliable on-ramp for bigger crimes like account takeovers, business email compromise, invoice fraud,” Coinbase said in a statement. That said, the company emphasized that coordinated disruption can still meaningfully reduce the attack surface for these operations.

By lowering the technical barrier to entry, the platform allowed criminals with limited skills to run sophisticated campaigns against large organizations. Industries from healthcare to education were affected, resulting in stolen data, rerouted invoices, and even disruptions to patient care as systems were compromised or locked down.

Coinbase and blockchain forensics in the investigation

Coinbase played a central role in the investigation by tracing blockchain transactions used to pay for the service. Moreover, that financial trail helped authorities link pseudonymous wallets to real-world identities connected to the platform’s alleged administrator and several buyers of the toolkits.

“Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and forces criminals to rebuild, retool, and take on more risk,” Coinbase said. Investigators viewed this as a chance to increase operational friction for threat actors that had come to rely on the service.

Coinbase also stated that it is actively working to identify people who purchased the platform’s tools and will continue supporting law enforcement efforts worldwide. This kind of coinbase law enforcement cooperation underscores how exchanges and analytics teams now play an essential role in large-scale cybercrime cases.

Phishing was flagged as the second-largest threat to crypto users in 2025 by blockchain security firm CertiK, costing investors $722 million across 248 incidents. However, investigators believe that without recent crackdowns on industrialized phishing networks, those losses could have been even higher.

Broader trends in phishing and MFA attacks

Overall phishing-related losses dropped 83% in 2025 compared to the prior year, according to sector data. Moreover, that decline suggests users, platforms, and regulators are slowly closing some of the most damaging attack vectors that proliferated in 2023 and 2024.

However, attackers have continued to develop increasingly advanced techniques to defeat security measures. Campaigns now frequently target wallet infrastructure, cloud platforms, and enterprise logins, including exploits linked to EIP-7702 and Permit2 signature-based attacks that manipulate transaction approvals.

Security researchers note that tycoon 2fa was part of a broader ecosystem of crimeware services that specialize in multi-factor authentication bypass. These criminal platforms focus on stealing or replaying session artifacts and abusing trust in legitimate sign-in flows, rather than simply stealing static passwords.

A spokesperson from blockchain security firm PeckShield told Cointelegraph that phishing remains a “persistent threat” in 2026, despite the operational impact of recent takedowns. That said, coordinated responses involving exchanges, cloud providers, and cross-border police units are beginning to raise the cost and complexity of running large-scale phishing networks.

In summary, the dismantling of Tycoon 2FA marks a significant win against organized credential theft, but the underlying techniques will continue to evolve. Ongoing collaboration between technology firms, blockchain investigators, and law enforcement will be critical to keeping future phishing-as-a-service operations in check.