Phishing-as-a-service platforms have industrialized credential theft by removing the technical barrier to entry, and Tycoon 2FA was that model operating at its largest scale. A coordinated law enforcement and private sector operation has now dismantled it.
According to Europol's announcement, the agency led the takedown of Tycoon 2FA, a subscription-based phishing kit that first appeared in August 2023 and grew into what Europol described as one of the largest phishing operations worldwide. The operation resulted in the seizure of 330 domains that hosted the phishing pages and control panels forming the service's operational backbone.
The platform's alleged primary developer, Saad Fridi, is said to be based in Pakistan. The kit was sold through Telegram and Signal starting at $120 for 10 days of access, or $350 for a month of access to a web-based administration panel. That panel gave paying operators pre-built lure templates, domain and hosting configuration tools, redirect logic, victim tracking, and near-real-time forwarding of captured credentials to Telegram, making it a full campaign management suite that required minimal technical skill.
Scale and Reach
The figures attached to Tycoon 2FA's activity are substantial. Intel 471 linked the kit to over 64,000 phishing incidents and tens of thousands of domains. Microsoft, which tracks the operators under the designation Storm-1747, identified the platform as the most prolific phishing service it observed in 2025, blocking more than 13 million malicious emails linked to the service in October 2025 alone. By mid-2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts blocked by the company, with more than 30 million emails intercepted in a single month.
The service reached over 500,000 organizations each month worldwide and is linked to an estimated 96,000 distinct phishing victims since 2023, including more than 55,000 Microsoft customers. Europol stated the platform facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions. Proofpoint observed over three million messages associated with the kit in February 2026 alone. Trend Micro, a private sector partner in the operation, estimated the platform had approximately 2,000 active users.
Microsoft said the overwhelming majority of targeted accounts were enterprise-managed or associated with paid domains, indicating the service was directed at business environments rather than individual consumers. The kit impersonated sign-in pages for Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail.
Technical Architecture
The platform executed adversary-in-the-middle (AitM) attacks: a Tycoon 2FA proxy sat between the victim and the genuine sign-in page, relayed the victim's password and MFA code to the legitimate service in real time, and captured both the credentials and the session cookie the service issued on successful login. Because a stolen session cookie is independent of the password, operators retained access even after a password reset unless the account's active sessions and tokens were explicitly revoked. This relay defeats one-time codes and push approvals; it does not defeat phishing-resistant MFA such as FIDO2/WebAuthn, whose assertion is bound to the legitimate origin and cannot be replayed from a proxy domain.
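The two consequences described above, a freshly issued session cookie being used from a client other than the one that authenticated, and that cookie outliving a password reset, are what a responder can hunt for in sign-in telemetry. The following is an added example and not code from the original article or from any vendor: it runs both checks over a constructed sign-in log in an invented JSON-lines schema (the field names `ts`, `user`, `event`, `session`, `ip` and `ua`, the 15-minute replay window and the sample addresses are all assumptions for the example, not a real product's export format).

```python
import json
from datetime import datetime, timedelta

# Constructed sample log (invented schema, documentation-range IPs).
# a.lee: cookie S1 minted from one browser, used 40 s later from another
#        network and user agent, then still used after a password reset.
# b.kim: benign; reset followed by a session revocation and a fresh sign-in.
SAMPLE_LOG = """
{"ts":"2026-02-10T09:00:00Z","user":"a.lee@example.com","event":"signin","session":"S1","ip":"203.0.113.7","ua":"Chrome/122"}
{"ts":"2026-02-10T09:00:40Z","user":"a.lee@example.com","event":"activity","session":"S1","ip":"198.51.100.9","ua":"Firefox/123"}
{"ts":"2026-02-10T10:30:00Z","user":"a.lee@example.com","event":"password_reset"}
{"ts":"2026-02-10T11:05:00Z","user":"a.lee@example.com","event":"activity","session":"S1","ip":"198.51.100.9","ua":"Firefox/123"}
{"ts":"2026-02-10T09:10:00Z","user":"b.kim@example.com","event":"signin","session":"S2","ip":"192.0.2.5","ua":"Edge/122"}
{"ts":"2026-02-10T09:12:00Z","user":"b.kim@example.com","event":"activity","session":"S2","ip":"192.0.2.5","ua":"Edge/122"}
{"ts":"2026-02-10T12:00:00Z","user":"b.kim@example.com","event":"password_reset"}
{"ts":"2026-02-10T12:00:05Z","user":"b.kim@example.com","event":"sessions_revoked"}
{"ts":"2026-02-10T12:10:00Z","user":"b.kim@example.com","event":"signin","session":"S3","ip":"192.0.2.5","ua":"Edge/122"}
{"ts":"2026-02-10T12:30:00Z","user":"b.kim@example.com","event":"activity","session":"S3","ip":"192.0.2.5","ua":"Edge/122"}
"""

# Assumed tuning value: a cookie seen from a second client this soon after it
# was minted is far more likely to be a relayed token than a user changing networks.
REPLAY_WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Parse JSON lines into dicts with datetime timestamps, ordered by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_session_abuse(events, replay_window=REPLAY_WINDOW):
    """Return (rule, user, session) findings for AitM-style cookie abuse."""
    findings, seen = [], set()
    issued = {}       # session -> (ts, ip, ua) of the sign-in that minted it
    last_reset = {}   # user -> time of most recent password reset
    last_revoke = {}  # user -> time of most recent sessions_revoked

    def report(rule, user, sid):
        if (rule, sid) not in seen:      # one finding per rule per session
            seen.add((rule, sid))
            findings.append((rule, user, sid))

    for e in events:
        user, kind = e["user"], e["event"]
        if kind == "signin":
            issued[e["session"]] = (e["ts"], e["ip"], e["ua"])
        elif kind == "password_reset":
            last_reset[user] = e["ts"]
        elif kind == "sessions_revoked":
            last_revoke[user] = e["ts"]
        elif kind == "activity":
            sid = e["session"]
            if sid not in issued:
                continue  # minted before the log window; nothing to compare against
            t0, ip0, ua0 = issued[sid]
            # Rule 1: the cookie is used from a different network AND a different
            # browser shortly after issuance, i.e. it left the client that logged in.
            if e["ip"] != ip0 and e["ua"] != ua0 and e["ts"] - t0 <= replay_window:
                report("replayed_session", user, sid)
            # Rule 2: the session predates a password reset and no revocation
            # happened between minting and this activity, so the reset alone
            # did not end the attacker's access.
            reset, revoke = last_reset.get(user), last_revoke.get(user)
            revoked_since_mint = revoke is not None and t0 < revoke <= e["ts"]
            if reset is not None and t0 < reset and not revoked_since_mint:
                report("survived_password_reset", user, sid)
    return findings


if __name__ == "__main__":
    for rule, user, sid in find_session_abuse(parse_log(SAMPLE_LOG)):
        print(f"{rule:26} {user:22} session={sid}")
```

Rule 2 is the operational point of the paragraph: a password reset that is not paired with a revocation of existing sessions and refresh tokens leaves the stolen cookie valid, and the b.kim records show the clean pattern (reset, revoke, new sign-in) that produces no finding.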
To evade detection, Tycoon 2FA employed keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages. The infrastructure was hosted on Cloudflare using a broad mix of top-level domains and short-lived fully qualified domain names, a deliberate architectural choice that complicated takedown efforts and extended the service's lifespan between interventions.
This article is a curated summary based on third-party sources.