Security News

Cybersecurity news aggregator

INFO News Proofpoint

Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform


The phishing-as-a-service platform was popular among cyber threat actors because of its ability to bypass multifactor authentication defenses.

Rob Wright, Senior News Director, Dark Reading
March 5, 2026
5 Min Read
Source: Martyn Vickery via Alamy Stock Photo

One of the most widely used and effective phishing platforms on the threat landscape has been taken down — at least for now.

Europol and several private sector partners, including Microsoft, Trend Micro, and Cloudflare, disrupted the Tycoon 2FA phishing-as-a-service (PhaaS) platform this week in an international operation. In coordination with Europol's Cyber Intelligence Extension Programme (CIEP), Microsoft seized 330 domains that made up the platform's user control panels and fake login pages. Law enforcement agencies, meanwhile, seized Tycoon 2FA infrastructure and conducted other operational measures in Latvia, Lithuania, Portugal, Poland, Spain, and the UK, according to Europol.

The takedown effort disrupts one of the largest and most popular PhaaS platforms in the world, which has been a considerable thorn in the side of security teams since it was first observed in 2023.

"By mid-2025, Tycoon 2FA accounted for approximately 62 percent of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, said in a blog post.

Masada added that Tycoon 2FA is connected to an estimated 96,000 distinct phishing victims since its inception, including more than 55,000 Microsoft customers.
How Tycoon 2FA Works

Phishing kits and PhaaS platforms have for years streamlined and democratized phishing attacks for mid- to low-skilled hackers by providing them with a suite of tools to create authentic-looking emails and phishing pages that unsuspecting victims will engage with. For a relatively modest fee, budding cybercriminals can subscribe to these services and churn out a higher volume of more convincing attacks.

Like other, newer PhaaS platforms, Tycoon 2FA took the model a step further with advanced defense-evasion techniques, most notably a multifactor authentication (MFA) bypass system that has proven to be quite effective. Instead of using a fake landing page designed to look like a real Microsoft 365 or Google login portal, Tycoon 2FA proxies the real pages to victims in an adversary-in-the-middle (AitM) attack. When victims enter their credentials and MFA codes into the proxy, Tycoon 2FA actually passes them on to the legitimate Microsoft or Google service to complete the login confirmation. But the platform intercepts the authentication tokens that the identity service sends back to the victims.

"Unlike traditional phishing kits that simply steal static passwords, Tycoon 2FA relayed authentication prompts in real-time to capture live session tokens and cookies," Cloudflare explained in a research brief on the takedown. "This technical maneuver allowed attackers to inherit a fully authenticated session, effectively rendering SMS codes, authenticator apps, and push notifications useless."

An attacker can then import the stolen session tokens into their browser, bypassing MFA and taking control of the victim's account. Cloudflare also noted that cybercriminals frequently used Tycoon 2FA for business email compromise (BEC) campaigns.
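The tell for a stolen session token that Cloudflare describes above is that the same session suddenly appears from a browser and network the victim never logged in from, typically minutes after the real login. The following is an added detection example (not code from the article or from any of the vendors named in it) that parses a small set of constructed authentication log lines and flags sessions reused from a different client than the one that completed the login. The log format, the "same client" heuristic (identical user agent and an IP in the same /24) and the 60-minute window are assumptions chosen for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events for this example (not real logs from any vendor).
# Format: ISO timestamp, event, session id, user, client IP, quoted user agent.
SAMPLE_LOG = """\
2026-03-05T09:00:01Z login  sid=S1 user=alice ip=203.0.113.10 ua="Chrome/122 Windows"
2026-03-05T09:01:30Z login  sid=S2 user=bob   ip=198.51.100.20 ua="Safari/17 macOS"
2026-03-05T09:02:10Z access sid=S1 user=alice ip=203.0.113.12 ua="Chrome/122 Windows"
2026-03-05T09:05:44Z access sid=S2 user=bob   ip=198.51.100.20 ua="Safari/17 macOS"
2026-03-05T09:12:07Z access sid=S1 user=alice ip=192.0.2.77 ua="Firefox/123 Linux"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<event>\w+)\s+sid=(?P<sid>\S+)\s+user=(?P<user>\S+)'
    r'\s+ip=(?P<ip>\S+)\s+ua="(?P<ua>[^"]*)"\s*$'
)


def parse_line(line):
    """Parses one log line into a dict, or returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def same_client(baseline, rec, prefix_len=24):
    """Heuristic (an assumption for this example): the same client means the same
    user agent and an IP in the same /24 as the login. Production logic would use
    ASN, geolocation and device-binding signals rather than a fixed prefix."""
    net = ip_network(f"{baseline['ip']}/{prefix_len}", strict=False)
    return rec["ua"] == baseline["ua"] and ip_address(rec["ip"]) in net


def detect_session_reuse(log_text, max_minutes=60):
    """Returns one alert per access that reuses a session id from a client other
    than the one that performed the login. A session cookie replayed from an
    attacker's browser shows exactly this pattern: same sid, new user agent
    and/or network, usually within minutes of the victim's genuine login."""
    baselines = {}   # sid -> login record
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "login":
            baselines[rec["sid"]] = rec
            continue
        base = baselines.get(rec["sid"])
        if base is None or same_client(base, rec):
            continue
        minutes = (rec["ts"] - base["ts"]).total_seconds() / 60
        alerts.append({
            "sid": rec["sid"],
            "user": rec["user"],
            "login_ip": base["ip"],
            "reuse_ip": rec["ip"],
            "login_ua": base["ua"],
            "reuse_ua": rec["ua"],
            "minutes_after_login": round(minutes, 1),
            "fast": minutes <= max_minutes,  # quick reuse is the AitM signature
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOG):
        print(alert)
```

On the constructed input only session S1 is flagged: alice's second access from the same /24 and browser passes, while the later access from a different network and user agent, 12.1 minutes after login, produces an alert. The useful response to such an alert is to revoke the session server-side rather than only notify, since the password and MFA factor were both legitimately presented and a reset alone leaves the live token valid.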
"By leveraging hijacked session tokens, attackers embedded themselves within corporate email environments to monitor internal communications and financial workflows," the company said. "From here, attackers could send legitimate-looking invoices from the compromised account to a third-party partner or vendor."

Phishing-Resistant MFA as a Key Defense

Tycoon 2FA first emerged in 2023 and was sold via Telegram, initially through the "Saad Tycoon Group" channel, according to Proofpoint, which was one of several private sector partners that assisted with the takedown. For approximately $120, threat actors could use the platform for a limited time to quickly spin up an effective phishing campaign.

Tycoon 2FA isn't the only PhaaS platform that boasts effective MFA bypasses. Other offerings, such as the "VoidProxy" platform and the more recently discovered "Starkiller" tool, use similar approaches to capture session tokens. But Tycoon 2FA had more going for it than just its ability to defeat MFA protections. Selena Larson, staff threat researcher at Proofpoint, tells Dark Reading that the platform was very popular because it was regularly updated and offered capabilities that made it simple for even unskilled hackers to use.

"The ease of use contributed to its popularity. It also featured anti-analysis techniques like obfuscation, heavy filtering, and CAPTCHAs that were designed to make it harder for researchers and sandboxes to track and identify," Larson says. "The regular updates to the codebase meant that researchers had to stay on top of detection to identify new campaigns as soon as they emerged in the landscape and potentially write new tooling to detect it."

Still, Tycoon 2FA's claim to fame is that it highlighted a weakness in traditional MFA systems that could be exploited by AitM attacks.
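The weakness just described is that OTP codes and push approvals carry no information about which site the user is actually on, so a proxy can relay them unchanged. FIDO2 and passkeys close that gap because the browser writes the page origin into the signed clientDataJSON and the authenticator scopes the credential to the relying party (RP) ID, and the RP checks both. The following is an added example (not code from the article or from any vendor named in it) of those RP-side binding checks, with a constructed genuine assertion and a constructed assertion as an AitM proxy would have to present it. The RP ID `login.example.com`, the proxy hostname, and the minimal authenticatorData layout are assumptions for the example; signature verification over the data is omitted since only the binding checks are being shown.

```python
import base64
import hashlib
import json
import secrets

# Assumed relying party values for this example; not taken from the article.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Constructs clientDataJSON the way a browser does for a given page origin.
    A real browser fills 'origin' from the page the user is on; the page's own
    JavaScript (a proxy included) cannot override it."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode("utf-8"))


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructs a minimal authenticatorData: rpIdHash (32 bytes), flags, counter.
    A real authenticator hashes the RP ID the browser supplied, which for a proxy
    is the proxy's own domain (assuming it even holds a credential for it)."""
    flags = bytes([0x05])              # UP (0x01) | UV (0x04)
    counter = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode("ascii")).digest() + flags + counter


def verify_binding(client_data_b64: str, authenticator_data: bytes, expected_challenge: str):
    """RP-side checks that make FIDO2 phishing resistant. Returns (ok, reason).
    Origin, challenge and rpIdHash must all match the genuine RP; a relayed
    assertion fails on origin (and rpIdHash) even though the user is legitimate."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:                      # covers bad base64 and bad JSON
        return False, "clientDataJSON not parseable"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin mismatch: {origin!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode("ascii")).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "binding ok"


def demo():
    """Runs the check on a genuine login and on a proxied one; returns both results."""
    challenge = b64url_encode(secrets.token_bytes(32))   # issued per login by the RP
    genuine = verify_binding(
        make_client_data("https://login.example.com", challenge),
        make_authenticator_data(RP_ID), challenge)
    # AitM case: the victim's browser is on the proxy's page, so it reports that
    # origin and asks the authenticator for the proxy's RP ID. The RP rejects it.
    proxied = verify_binding(
        make_client_data("https://login.example-proxy.test", challenge),
        make_authenticator_data("login.example-proxy.test"), challenge)
    return genuine, proxied


if __name__ == "__main__":
    for label, result in zip(("genuine", "proxied"), demo()):
        print(label, result)
```

Contrast this with an OTP: the same six digits are valid no matter which page the user typed them into, which is exactly what a relay exploits. Note that the origin check protects the login ceremony; it does not retire session cookies that were already stolen, which is why Trend Micro's warning below about previously captured tokens still applies after a migration to passkeys.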
Therefore, vendors like Cloudflare, Proofpoint, and others that assisted with the takedown operation have encouraged organizations to shift to phishing-resistant MFA schemes, such as those that use FIDO2-based hardware keys or passkeys. Larson says it's difficult to determine how many companies have implemented these measures during Tycoon 2FA's run over the past three-plus years. However, she says, in general, it seems more organizations are adopting phishing-resistant MFA.

"And if they haven't yet, they should consider it," she says. "Things like physical keys and phishing-resistant multifactor authentication enabled via conditional access policies can be a great protection against MFA-targeted phishing."

Trend Micro, which also assisted with the takedown operation, noted in a blog post that the work isn't done.

"Operators have always been known to adapt, rebuild, and migrate to new infrastructure," Trend Micro researchers wrote in a blog post. "Known and suspected users of Tycoon 2FA can attempt to continue operations, and previously stolen credentials and session cookies remain in circulation."

As a result, Trend Micro and other participating partners will continue monitoring for Tycoon 2FA activity and gather intelligence on potential comeback efforts. Other private sector partners included in this operation are Coinbase, Intel471, the Shadowserver Foundation and SpyCloud.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends.
Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
