A coordinated operation by law enforcement and tech companies, including Coinbase, has taken down the core infrastructure of Tycoon 2FA, a prominent phishing-as-a-service operation that enabled attackers to bypass multi-factor authentication (MFA).
Europol announced the action, saying Microsoft blocked 330 domains linked to the platform while authorities seized additional infrastructure. Coinbase said its blockchain transaction tracing helped identify the platform’s alleged administrator and customers by following funds tied to Tycoon 2FA. Coinbase added that removing Tycoon’s central systems disrupts a major pipeline for credential theft and initial access, forcing criminals to rebuild and take greater risks.
Security firms have emphasized the scope and persistence of phishing threats. Blockchain security firm CertiK ranked phishing as the second-largest crypto threat in 2025, reporting $722 million lost across 248 incidents. Firms such as PeckShield warned that phishing remained a significant problem into 2026.
Tycoon provided attackers with spoofed landing pages that mimicked legitimate sites to harvest credentials and capture session cookies and tokens. Because web services often store session tokens in the browser after MFA is completed, stolen tokens can be replayed to grant access without re-authentication. Coinbase warned that pairing convincing lures with session-token theft makes phishing a reliable entry point for larger crimes, including account takeovers, business email compromise, invoice fraud, and social engineering.
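The replay problem described above is detectable server-side. The following is an added illustration, not code from the article or from any of the organizations it names: a check that binds a session token to the client context recorded when MFA completed and flags later use of that token from a different context, over constructed sample sessions and requests.

```python
# Added illustration, not from the article: a server-side check that flags a
# session token presented from a client context different from the one it was
# issued to, which is what replaying a token stolen by a phishing proxy looks
# like. All sessions and requests below are constructed sample data.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    user_agent: str

def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()  # store hashes, never raw tokens

def issue_session(store: dict, token: str, user: str, ip: str, user_agent: str) -> None:
    """Record the client context at the moment MFA completed and the token was set."""
    store[_token_hash(token)] = Session(user, ip, user_agent)

def check_request(store: dict, token: str, ip: str, user_agent: str):
    """Return None if the request matches the issuing context, else a reason string."""
    sess = store.get(_token_hash(token))
    if sess is None:
        return "unknown session token"
    reasons = []
    if sess.ip != ip:  # noisy on its own (mobile, VPN); use it to trigger step-up auth
        reasons.append(f"ip changed {sess.ip} -> {ip}")
    if sess.user_agent != user_agent:
        reasons.append("user-agent changed")
    return "; ".join(reasons) or None

def detect_replays(store: dict, requests: list) -> list:
    """Scan (token, ip, user_agent) records and return (token, reason) alerts."""
    alerts = []
    for token, ip, ua in requests:
        reason = check_request(store, token, ip, ua)
        if reason:
            alerts.append((token, reason))
    return alerts

# Constructed sample: alice completes MFA from the office network; the same
# token later shows up from another address and a scripted client.
SESSIONS: dict = {}
issue_session(SESSIONS, "tok-abc123", "alice", "203.0.113.10", "Mozilla/5.0 (Windows)")
SAMPLE_REQUESTS = [
    ("tok-abc123", "203.0.113.10", "Mozilla/5.0 (Windows)"),  # legitimate
    ("tok-abc123", "198.51.100.7", "python-requests/2.31"),  # replayed token
    ("tok-unknown", "198.51.100.7", "python-requests/2.31"),  # no such session
]
```

A context mismatch is a signal to revoke the session or require re-authentication, not proof of compromise on its own; the durable fix is phishing-resistant, origin-bound MFA that a proxied login page cannot relay.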
Microsoft’s Digital Crimes Unit said Tycoon had been active since at least 2023 and by mid-2025 accounted for about 62% of the phishing attempts Microsoft blocked, including more than 30 million malicious emails in a single month. By lowering the technical barrier to entry, the service allowed less skilled criminals to run sophisticated impersonation campaigns.
Victims came from sectors including healthcare and education, with consequences such as rerouted invoices, stolen sensitive data, locked networks, and disrupted patient care. Authorities and private partners said taking Tycoon offline should reduce account takeovers and protect organizations from follow-on attacks like data theft, ransomware, BEC, and financial fraud.
The operation highlights a growing public-private approach to disrupting criminal infrastructure, blending domain takedowns, infrastructure seizures, and financial tracing to dismantle services that enable large-scale phishing and MFA bypass. Media reports covering the action have encouraged independent verification of specific details.