Europol, Microsoft, TrendAI™ and Collaborators Halt Tycoon 2FA Operations


  • The operations of the phishing-as-a-service (PhaaS) platform Tycoon 2FA were taken offline this week through the combined effort of law enforcement, including Europol and partner agencies, and private-sector organizations including CloudFlare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Microsoft, Proofpoint, Resecurity, The Shadowserver Foundation, SpyCloud, and TrendAI™. Experts from TrendAI™ supported the operation with threat intelligence, infrastructure mapping, and actor attribution.
  • Tycoon 2FA uses adversary-in-the-middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time. Its subscription model lowers the barrier to entry for criminals by removing the need to build infrastructure, develop tooling, or understand the mechanics of AitM attacks.
  • The Tycoon 2FA operation shows that traditional MFA without phishing-resistant protections can be bypassed by AitM attacks, and that PhaaS campaigns have cascading impact well beyond the original victim, because stolen sessions and accounts can be reused, resold, and repurposed.
  • This blog offers solutions and recommendations to help organizations defend against phishing attacks. TrendAI™ continues to monitor for any resurfacing of the service and will support ongoing law enforcement efforts, including further investigation of known users, to protect customers.

A coordinated disruption effort this week seized the infrastructure tied to the phishing-as-a-service (PhaaS) operation Tycoon 2FA. Over 300 domains tied to Tycoon 2FA were seized in an operation led by Microsoft and Europol and supported by other law enforcement agencies, as well as private organizations such as CloudFlare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Proofpoint, Resecurity, The Shadowserver Foundation, SpyCloud, and TrendAI™.

Researchers from TrendAI™ have been tracking the infrastructure, campaigns, and operator behaviors that can be linked to Tycoon 2FA to build a clearer picture of how its service was being used at scale. By November 2025, TrendAI™ had collected enough data to link the operation to an actor using the monikers “SaaadFridi” and “Mr_Xaad”, likely the developer and operator of Tycoon 2FA.

Historical activity showed that this actor previously focused on web defacements before moving on to building and running this phishing toolkit. Intelligence gathered by TrendAI™ also included details on tooling, infrastructure, and activity patterns, which were shared with Europol to support law enforcement action.

Tycoon 2FA first appeared in August 2023 as a PhaaS kit designed to bypass multi-factor authentication (MFA). Beyond stealing usernames and passwords, it runs an adversary-in-the-middle (AitM) proxy that sits between the victim and the real login page, relaying the victim's input to the legitimate site so that it can capture credentials, MFA codes, and session cookies in real time. Attackers can then replay those session cookies to take over accounts even when MFA is enabled, because the cookie is issued by the real site after the MFA check has already succeeded.
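The bypass described above, as an added example that is not part of the original post and not Tycoon 2FA's own code: a Python simulation of a reverse proxy that relays a password-plus-TOTP login to a toy identity provider and walks away with the session cookie, beside a WebAuthn-style flow that fails because the browser signs the origin it is actually connected to. The domains, the account, the secrets, the toy identity provider, and the HMAC used as a stand-in for an authenticator signature are all assumptions made for illustration; only the TOTP routine follows a real standard (RFC 6238).

```python
"""AitM proxy simulation: a TOTP login is relayed and its session cookie captured;
an origin-bound (WebAuthn-style) assertion is rejected. Added example, not Tycoon
2FA code; domains, secrets and the toy IdP are constructed for illustration."""
import hashlib, hmac, secrets, struct, time

REAL_ORIGIN = "https://login.example.com"   # constructed: the genuine IdP
PHISH_ORIGIN = "https://login-example.co"   # constructed: the proxy's domain


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, so the relayed code is a genuine OTP."""
    counter = struct.pack(">Q", int((time.time() if at is None else at) // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def sign_assertion(key, origin, challenge):
    """Stand-in for an authenticator signature. The origin the browser is talking
    to is part of the signed data; that binding is what defeats a proxy."""
    return hmac.new(key, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Toy relying party that only exists at REAL_ORIGIN."""
    def __init__(self):
        self.users, self.sessions = {}, {}

    def register(self, cred):
        self.users[cred["user"]] = cred

    def _session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_totp(self, user, password, code):
        """Password + TOTP: a relayed code is indistinguishable from a typed one."""
        u, now = self.users.get(user), time.time()
        if u is None or u["pw"] != password:
            return None
        # accept the current and the previous step, as real servers do
        if not any(hmac.compare_digest(code, totp(u["totp"], now - d)) for d in (0, 30)):
            return None
        return self._session(user)

    def login_webauthn(self, user, password, assertion):
        """Password + assertion: the signed origin must equal REAL_ORIGIN."""
        u = self.users.get(user)
        if u is None or u["pw"] != password:
            return None
        expected = sign_assertion(u["key"], assertion["origin"], assertion["challenge"])
        if assertion["origin"] != REAL_ORIGIN or not hmac.compare_digest(expected, assertion["sig"]):
            return None
        return self._session(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


def victim_totp(cred):
    """The victim types password and OTP into whatever page is in front of them."""
    return cred["user"], cred["pw"], totp(cred["totp"])


def victim_webauthn(cred, origin_in_address_bar, challenge):
    """The browser signs the origin it is really connected to, not the one intended."""
    sig = sign_assertion(cred["key"], origin_in_address_bar, challenge)
    return cred["user"], cred["pw"], {"origin": origin_in_address_bar, "challenge": challenge, "sig": sig}


class AitMProxy:
    """Tycoon-style reverse proxy at PHISH_ORIGIN: forwards the victim's input to
    the real IdP and keeps whatever session cookie the IdP hands back."""
    def __init__(self, idp):
        self.idp = idp

    def relay_totp(self, cred):
        return self.idp.login_totp(*victim_totp(cred))          # cookie comes back to the proxy

    def relay_webauthn(self, cred):
        challenge = secrets.token_hex(16)  # in practice fetched from the real IdP
        user, pw, assertion = victim_webauthn(cred, PHISH_ORIGIN, challenge)
        cookie = self.idp.login_webauthn(user, pw, assertion)   # rejected: origin mismatch
        if cookie is None:                                      # forging the field does not help,
            assertion = dict(assertion, origin=REAL_ORIGIN)     # the signature covers it
            cookie = self.idp.login_webauthn(user, pw, assertion)
        return cookie


def run_simulation():
    """Runs both factors through the proxy and one direct login; returns the outcomes."""
    idp = IdentityProvider()
    cred = {"user": "alice", "pw": "correct horse battery staple",
            "totp": secrets.token_bytes(20), "key": secrets.token_bytes(32)}
    idp.register(cred)
    proxy = AitMProxy(idp)
    stolen = proxy.relay_totp(cred)            # MFA "passed"; the attacker holds the cookie
    blocked = proxy.relay_webauthn(cred)       # no cookie issued
    direct = idp.login_webauthn(*victim_webauthn(cred, REAL_ORIGIN, secrets.token_hex(16)))
    return {
        "attacker_session_user": idp.whoami(stolen),   # "alice": replaying the cookie works
        "webauthn_via_proxy": blocked,                 # None
        "webauthn_direct_user": idp.whoami(direct),    # "alice": the honest flow still works
    }


if __name__ == "__main__":
    for k, v in run_simulation().items():
        print(f"{k}: {v}")
```

Running the simulation shows the asymmetry: the TOTP code is a bearer value, so the identity provider cannot tell that it was typed into the proxy's page rather than its own, and the session cookie it issues is equally valid in the attacker's hands. The WebAuthn-style assertion fails twice: once because the signed origin is the phishing domain, and again when the proxy rewrites the origin field, because the signature no longer verifies. Real relying parties perform the same check on the `origin` in `clientDataJSON`; the HMAC here only stands in for the authenticator's public-key signature.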

The PhaaS platform has approximately 2,000 users as of this writing. Research and monitoring show that it has used over 24,000 domains since it first appeared in 2023. Proofpoint has reported the kit being used in large-scale campaigns targeting Microsoft 365 and Google.

Tycoon 2FA stood out for its scale and accessibility: its ready-to-use phishing toolkit gave attackers fake login pages, a proxy layer, and basic campaign tooling with minimal setup. Newer versions added simple evasion features to deter bots and hinder analysis, making detection and takedown efforts more difficult. These service features and modifications fit a broader trend in which phishing kits are becoming cheaper, more accessible, and easier to operate, even for low-skill attackers.
