A coalition including Coinbase, Microsoft, and Europol has dismantled the core infrastructure of Tycoon 2FA, a phishing-as-a-service platform that sold tools enabling criminals to bypass multi-factor authentication at scale.
Europol announced Wednesday that Microsoft blocked 330 domains linked to the platform, while law enforcement agencies seized additional key infrastructure. Coinbase contributed by tracing blockchain transactions used to fund Tycoon 2FA’s operations, which helped identify the platform’s alleged administrator and buyers.
What Tycoon 2FA Actually Did
The platform gave low-skill criminals access to high-quality attack tooling. Its kit included spoofed landing pages that mimic legitimate websites in order to harvest user credentials, combined with session cookie and token theft to sidestep MFA protections entirely.
When a user logs in with MFA, the system generates a session token stored in the browser as proof of authentication. Tycoon’s tools intercepted that token, allowing attackers to impersonate an already-authenticated user without ever needing the original password or one-time code.
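The defensive counterpart of the mechanism described above is to watch for a session that completed MFA from one client and is then used from another. The following is an added example, not code from the article or from any organization it names; the log format, field names and sample events are constructed for the illustration.

```python
"""Flag post-MFA sessions that are replayed from a different client.

A phished session token replayed from attacker infrastructure typically
shows up as the same session ID appearing from a new IP *and* a new
user agent shortly after the legitimate MFA login. Log format and field
names below are constructed for this example (assumption).
"""
import json

# Constructed sample events: an MFA login per session, then later requests.
SAMPLE_LOG = """
{"ts": 1, "event": "login_mfa_ok", "user": "alice", "sid": "s1", "ip": "203.0.113.5", "ua": "Firefox/125"}
{"ts": 2, "event": "request", "user": "alice", "sid": "s1", "ip": "203.0.113.5", "ua": "Firefox/125"}
{"ts": 3, "event": "login_mfa_ok", "user": "bob", "sid": "s2", "ip": "198.51.100.9", "ua": "Chrome/124"}
{"ts": 4, "event": "request", "user": "alice", "sid": "s1", "ip": "192.0.2.77", "ua": "python-requests/2.31"}
{"ts": 5, "event": "request", "user": "bob", "sid": "s2", "ip": "198.51.100.9", "ua": "Chrome/124"}
{"ts": 6, "event": "request", "user": "bob", "sid": "s2", "ip": "198.51.100.10", "ua": "Chrome/124"}
"""


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_replayed_sessions(events):
    """Return {sid: finding} for sessions later used from a client that differs
    from the one that passed MFA in both IP and user agent.

    Requiring both to change keeps an ordinary network switch (same browser,
    new IP, as with bob's session s2 at ts=6) from raising an alert.
    """
    origin = {}    # sid -> (ip, ua) observed at the MFA login
    findings = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "login_mfa_ok":
            origin[e["sid"]] = (e["ip"], e["ua"])
            continue
        if e["sid"] not in origin:
            continue  # no MFA login seen for this session in the window
        ip0, ua0 = origin[e["sid"]]
        if e["ip"] != ip0 and e["ua"] != ua0:
            findings[e["sid"]] = {"user": e["user"], "login_ip": ip0,
                                  "replay_ip": e["ip"], "replay_ua": e["ua"],
                                  "ts": e["ts"]}
    return findings


if __name__ == "__main__":
    for sid, f in find_replayed_sessions(parse_events(SAMPLE_LOG)).items():
        print(f"session {sid} of {f['user']} replayed from "
              f"{f['replay_ip']} ({f['replay_ua']}) at ts={f['ts']}")
```

In production the same check would be fed by the identity provider's sign-in and activity logs, and the alert is a trigger to revoke the session rather than just to notify.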
“That combination, high-fidelity lures plus session-token theft, turns phishing into a reliable on-ramp for bigger crimes like account takeovers, business email compromise, invoice fraud, and follow-on social engineering,” Coinbase said in a statement.
The Scale of the Operation
Tycoon 2FA has been active since at least 2023. By mid-2025, it accounted for 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month.
Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, described the platform as “among the largest phishing operations globally.” He noted that by lowering the technical barrier to entry, Tycoon enabled criminals with limited expertise to run sophisticated impersonation campaigns targeting organizations across healthcare, education, and other sectors.
The downstream damage was real. Masada cited rerouted invoices, stolen sensitive data, locked networks, and disruptions to patient care as direct consequences of attacks enabled by the platform.
Why the Takedown Matters
Coinbase framed the disruption in practical terms. “Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and initial access, and forces criminals to rebuild, retool, and take on more risk,” the company said.
The broader phishing threat in crypto remains significant. Blockchain security firm CertiK flagged phishing as the second-largest threat in 2025, tracking $722 million in losses across 248 incidents. A spokesperson for PeckShield described phishing as a “persistent threat” still active in 2026.
Tycoon’s business model reflected a wider shift in cybercrime toward packaged, subscription-style attack services that commoditize sophisticated techniques. Disrupting the infrastructure does not eliminate the demand, but it forces actors who relied on the platform to start over.
Microsoft’s Masada put it directly: “Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such as data theft, ransomware, business email compromise, and financial fraud.”
Disclaimer: The information provided in this article is for educational and informational purposes only and does not constitute financial or investment advice.
Photo by Agence Olloweb on Unsplash
This article is a curated summary based on third-party sources.