A coalition of tech companies and law enforcement, including Coinbase, has taken down the core infrastructure of Tycoon 2FA, a major phishing-as-a-service operation that provided tools to bypass multi-factor authentication (MFA).
Europol announced the coordinated action, noting Microsoft blocked 330 domains tied to the platform while law enforcement seized other critical infrastructure. Coinbase said it assisted by tracing blockchain-related transactions that funded Tycoon 2FA, which helped identify the phishing platform’s alleged administrator and buyers. Coinbase added that removing Tycoon’s core systems “cuts off a major pipeline for credential theft and initial access, and forces criminals to rebuild, retool, and take on more risk.”
Phishing was flagged as the second-largest threat to crypto in 2025 by blockchain security firm CertiK, which reported $722 million lost across 248 incidents. Security firms including PeckShield have emphasized that phishing remained a persistent threat into 2026.
Tycoon’s toolkit included spoofed landing pages that mimicked legitimate sites to harvest user credentials, and it captured the session cookies and tokens issued after login, allowing attackers to bypass MFA. When a user completes MFA, the service issues a session token that the browser stores and presents on later requests; if that token is stolen, it can be replayed to the service, which treats the request as already authenticated and grants access without a fresh MFA challenge. Coinbase warned that combining convincing lures with session-token theft makes phishing a reliable on-ramp to larger crimes such as account takeovers, business email compromise, invoice fraud, and social engineering.
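To make the session-token replay mechanism concrete from the defender's side, here is an added example (not code from Coinbase, Microsoft, Europol, or the Tycoon 2FA platform): a small server-side session store that binds each post-MFA token to the client context it was issued to, refuses the token when it is presented from a different context, revokes it, and records an audit event for detection. The class names, the IP-plus-User-Agent binding heuristic, the sample addresses, and the audit-log shape are all assumptions constructed for illustration.

```python
"""
Added example (not code from Coinbase, Microsoft, or Tycoon 2FA):
a server-side session store that binds each post-MFA session token to the
client context it was issued to and refuses replay from another context.
All names and sample values below are constructed for illustration.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float
    context_hash: str          # hash of client attributes at MFA completion
    revoked: bool = False


class BoundSessionStore:
    """Issues opaque session tokens and validates them against client context."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._sessions: dict[str, Session] = {}
        self.audit_log: list[dict] = []   # constructed: in practice feed a SIEM

    @staticmethod
    def _context_hash(client_ip: str, user_agent: str) -> str:
        # Heuristic binding (assumption): a stolen token is usually replayed
        # from a different host than the one that passed MFA.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user: str, client_ip: str, user_agent: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # high-entropy opaque token
        self._sessions[token] = Session(user, now, self._context_hash(client_ip, user_agent))
        return token

    def validate(self, token: str, client_ip: str, user_agent: str, now=None) -> tuple[bool, str]:
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unknown_token"
        if sess.revoked:
            return False, "revoked"
        if now - sess.issued_at > self.ttl:
            return False, "expired"
        if sess.context_hash != self._context_hash(client_ip, user_agent):
            # Suspected cookie theft / replay: revoke so the real user must
            # re-authenticate, and record the event for the SOC.
            sess.revoked = True
            self.audit_log.append({
                "event": "session_replay_suspected",
                "user": sess.user,
                "presented_from": client_ip,
                "ts": now,
            })
            return False, "context_mismatch"
        return True, "ok"


def demo():
    """Constructed scenario: genuine use, then replay of the same token elsewhere."""
    store = BoundSessionStore(ttl_seconds=600)
    t0 = 1_700_000_000.0
    ua = "Mozilla/5.0 (X11; Linux) Firefox/120"
    # The user completes MFA from their own browser and gets a token.
    tok = store.issue("alice@example.com", "203.0.113.10", ua, now=t0)
    legit = store.validate(tok, "203.0.113.10", ua, now=t0 + 30)
    # The same token is later presented from a different host: rejected and revoked.
    replay = store.validate(tok, "198.51.100.7", "python-requests/2.31", now=t0 + 60)
    # The genuine user is now forced to re-authenticate; the replay is in the log.
    after = store.validate(tok, "203.0.113.10", ua, now=t0 + 90)
    return legit, replay, after, store.audit_log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Binding to IP and User-Agent is a coarse heuristic: mobile networks and corporate proxies change source addresses, so the check produces false positives, and an adversary-in-the-middle proxy can forward the victim's User-Agent. It is useful mainly as a detection signal; the stronger mitigations are phishing-resistant MFA such as FIDO2/WebAuthn, which ties the authentication to the legitimate origin so a spoofed landing page cannot complete it, and device-bound session credentials that a copied cookie cannot satisfy.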
Microsoft’s Digital Crimes Unit said Tycoon had been active since at least 2023 and by mid-2025 was responsible for about 62% of the phishing attempts Microsoft blocked, including more than 30 million emails in a single month. By lowering the technical barrier to entry, the platform enabled criminals with limited skills to run sophisticated impersonation campaigns.
Victims spanned industries from healthcare to education, resulting in rerouted invoices, stolen sensitive data, locked networks, and disruptions to patient care. Authorities and private partners said taking Tycoon offline should reduce account takeovers and protect organizations from follow-on attacks such as data theft, ransomware, business email compromise, and financial fraud.
The action illustrates a growing public-private effort to disrupt criminal infrastructure, combining domain takedowns, infrastructure seizures, and financial tracing to dismantle services that enable large-scale phishing and MFA bypass. Cointelegraph notes this reporting follows its editorial policy and encourages independent verification of facts.