The phishing-as-a-service platform was popular among cyber threat actors because of its ability to bypass multi-factor authentication defenses.
# Incident Report: Global Takedown of Tycoon 2FA PhaaS Platform
## Executive Summary
Europol, in collaboration with Microsoft, Trend Micro, and Cloudflare, dismantled the infrastructure of "Tycoon 2FA," a major Phishing-as-a-Service (PhaaS) platform. The platform sold phishing kits whose landing pages proxied legitimate login flows in order to bypass multi-factor authentication (MFA); at its peak it accounted for 62% of all phishing attempts blocked by Microsoft. The operation resulted in the seizure of 330 domains and of physical infrastructure across Europe.
## Incident Details
- **Discovery Date:** First observed in 2023
- **Incident Date:** Takedown finalized March 4-5, 2026
- **Affected Organization:** Distributed; millions of individual targets globally
- **Sector:** Cross-sector (Global Phishing Infrastructure)
- **Geography:** Infrastructure seized in Latvia, Lithuania, Portugal, Poland, Spain, and the UK
## Timeline of Events
### Initial Access
- **Date/Time:** 2023–2026 (Operational period)
- **Vector:** Phishing-as-a-Service (PhaaS)
- **Details:** Threat actors used the Tycoon 2FA kit to send massive volumes of emails (up to 30 million/month) directing users to Adversary-in-the-Middle (AiTM) landing pages.
### Lateral Movement
- **Details:** Once a victim's credentials and the session cookie issued after the MFA step were captured, attackers replayed that cookie to sign in as the user without facing a second MFA challenge, enabling business email compromise (BEC) and further movement within corporate environments.
### Data Exfiltration/Impact
- **Details:** Theft of corporate credentials, one-time MFA codes relayed in real time, and the authenticated session cookies that resulted.
### Detection & Response
- **How it was discovered:** Ongoing threat intelligence by Microsoft and cybersecurity vendors identified the platform's footprint in 2023.
- **Response actions taken:**
- Microsoft seized 330 domains related to control panels.
- Europol coordinated law enforcement infrastructure seizures in six countries.
- Cloudflare and Trend Micro provided technical assistance in disrupting the traffic.
## Attack Methodology
- **Initial Access:** Large-scale phishing campaigns.
- **Persistence:** High; the service supplied and maintained the phishing kits and landing pages as a subscription, so individual operators did not have to build or update their own.
- **Defense Evasion:** Used Adversary-in-the-Middle (AiTM) techniques: the landing page was a reverse proxy in front of the legitimate login page, so the victim completed a genuine password and MFA exchange with the real service while the proxy recorded the traffic.
- **Credential Access:** Harvested login credentials and session tokens in real time as they passed through the proxy.
- **Impact:** Enabled unauthorized access to restricted environments despite MFA protections.
## Impact Assessment
- **Financial:** Extremely high for victims; platform facilitated global BEC and financial fraud.
- **Data Breach:** Compromise of millions of corporate and personal credentials.
- **Operational:** Significant disruption to the "Tycoon" service delivery and its criminal subscribers.
- **Reputational:** High; Tycoon 2FA was a dominant force in the PhaaS market.
## Indicators of Compromise
- **Network indicators:** The 330 seized domains (the seizure list is not reproduced in this report; a placeholder pattern such as `[subdomain].tycoon[.]io` is illustrative only and should not be treated as a known indicator).
- **Behavioral indicators:** Redirects to look-alike login pages that proxy traffic to the legitimate service (Microsoft/Google); the interactive sign-in therefore reaches the identity provider from the proxy's address rather than the victim's, and the captured session cookie is later presented from a different network and browser.
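The behavioral indicator above can be checked mechanically in sign-in telemetry. The following is an added example, not code from the report or from any of the vendors named in it: it looks for a session cookie minted by an interactive (password plus MFA) sign-in and then presented non-interactively from a different autonomous system and user agent within a window. The event schema and field names are assumptions to be mapped onto your identity provider's sign-in log (for Entra ID sign-in logs, the SessionId, IPAddress, AutonomousSystemNumber and UserAgent columns play these roles), and the sample events are constructed rather than real telemetry.

```python
"""Detect likely AiTM session-cookie replay in IdP sign-in telemetry.

Added example, not code from the report. Field names are assumed; the
sample events at the bottom are constructed, not real telemetry.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str     # identifier of the session cookie this sign-in created or presented
    src_ip: str
    asn: str            # autonomous system of src_ip, from GeoIP enrichment (assumed field)
    user_agent: str
    interactive: bool   # True: password + MFA presented; False: existing cookie presented


@dataclass(frozen=True)
class Alert:
    user: str
    session_id: str
    origin_ip: str      # where the interactive sign-in that minted the cookie came from
    replay_ip: str      # where the cookie was later presented from
    minutes_after: float


def find_token_replay(events: Iterable[SignIn], window_minutes: float = 360) -> list[Alert]:
    """Flag sessions whose cookie is reused non-interactively from a different ASN
    and user agent than the interactive sign-in that minted it.

    In an AiTM flow the interactive sign-in is performed by the proxy, which relays the
    victim's password and MFA response to the real IdP; the operator then replays the
    captured cookie from their own machine. One session, two networks, two browsers.
    """
    by_session: dict[tuple[str, str], list[SignIn]] = defaultdict(list)
    for e in events:
        by_session[(e.user, e.session_id)].append(e)

    alerts: list[Alert] = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        mint = next((e for e in evs if e.interactive), None)
        if mint is None:
            continue  # cookie minted outside our data: nothing to compare against
        for e in evs:
            if e.interactive or e.ts < mint.ts:
                continue
            delta_min = (e.ts - mint.ts).total_seconds() / 60
            if delta_min > window_minutes:
                continue
            # Requiring both ASN and user-agent change keeps mobile/VPN hops from firing alone.
            if e.asn != mint.asn and e.user_agent != mint.user_agent:
                alerts.append(Alert(user, sid, mint.src_ip, e.src_ip, delta_min))
    return alerts


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: alice's interactive sign-in comes from a hosting-provider address
# (the AiTM proxy, which submitted her password and code); 25 minutes later her cookie
# is presented from a different network and browser. bob refreshes his own session normally.
SAMPLE_EVENTS = [
    SignIn(_t("2026-03-04T09:00:00"), "alice@example.com", "sess-a1", "198.51.100.20",
           "AS64500 hosting-provider", "Mozilla/5.0 (Windows NT 10.0) Chrome/122", True),
    SignIn(_t("2026-03-04T09:25:00"), "alice@example.com", "sess-a1", "203.0.113.77",
           "AS64501 other-isp", "Mozilla/5.0 (X11; Linux x86_64) Firefox/123", False),
    SignIn(_t("2026-03-04T09:05:00"), "bob@example.com", "sess-b7", "192.0.2.10",
           "AS64502 corp-net", "Mozilla/5.0 (Windows NT 10.0) Edg/122", True),
    SignIn(_t("2026-03-04T09:40:00"), "bob@example.com", "sess-b7", "192.0.2.10",
           "AS64502 corp-net", "Mozilla/5.0 (Windows NT 10.0) Edg/122", False),
]

if __name__ == "__main__":
    for a in find_token_replay(SAMPLE_EVENTS):
        print(f"{a.user}: cookie {a.session_id} minted from {a.origin_ip}, "
              f"replayed from {a.replay_ip} {a.minutes_after:.0f} min later")
```

The window and the requirement that both ASN and user agent change are tuning knobs; a second, independent signal worth correlating is an interactive sign-in that originates from a hosting-provider ASN, since in an AiTM flow that is the proxy rather than the user's own network.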
## Response Actions
- **Containment measures:** Domain seizures and DNS sinkholing.
- **Eradication steps:** Physical seizure of servers and hosting infrastructure by Europol.
- **Recovery actions:** Automated blocking of known Tycoon 2FA phishing patterns by Microsoft and security vendors.
## Lessons Learned
- **Key takeaways:** MFA is not a "silver bullet"; AiTM techniques have industrialized the bypass of traditional MFA (one-time codes and push approvals), which can be relayed through a proxy because nothing in them is bound to the site the user is actually on.
- **What could have been done better:** Earlier public-private coordination might have shortened the platform's multi-year operational window.
## Recommendations
- **Prevention measures:**
- Transition to phishing-resistant MFA (FIDO2/WebAuthn or certificate-based authentication), whose responses are bound to the legitimate origin and cannot be relayed by a proxy.
- Implement Conditional Access policies that verify device health and location, so that a replayed session cookie presented from unmanaged infrastructure is refused.
- Conduct user training that focuses on the address bar: a proxied login page is otherwise indistinguishable from the real one, so the domain is the discrepancy users can actually spot.
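The Defense Evasion entry above describes why a proxied login defeats code-based MFA, and the first recommendation claims that FIDO2/WebAuthn does not fall to the same relay. The following added example, which is not code from the report or from any vendor, makes both points concrete side by side: a password-plus-OTP login that an AiTM proxy can forward verbatim, and a WebAuthn assertion whose signed clientDataJSON carries the origin the browser actually saw, so the relying party rejects it. Hostnames, the password, the OTP and the key are constructed, and an HMAC stands in for the authenticator's ECDSA signature; the structure that is checked (type, challenge and origin in clientDataJSON, rpIdHash at the start of authenticatorData) follows the WebAuthn specification.

```python
"""Why proxied (AiTM) phishing defeats code-based MFA but not FIDO2/WebAuthn.

Added illustration, not code from the report. Hostnames, secrets and the OTP are
constructed; the HMAC stands in for the authenticator's ECDSA signature.
"""
import hashlib
import hmac
import json

RP_ID = "login.example.com"                           # relying party ID the credential was registered for
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example.phish.test"     # attacker's reverse proxy in front of RP_ORIGIN
AUTH_KEY = b"authenticator-private-key-stand-in"      # constructed; a real key never leaves the authenticator


# ---- Legacy factor: password + one-time code, exactly what an AiTM proxy relays ----
USERS = {"alice": ("correct-horse", "492031")}        # constructed password and current OTP


def rp_login_password_otp(user, password, otp):
    """Returns a session cookie if password and code match. Nothing here ties the
    request to the page the user typed into, so a proxy can relay it verbatim."""
    if USERS.get(user) == (password, otp):
        return "session=" + hashlib.sha256((user + otp).encode()).hexdigest()[:16]
    return None


def aitm_relay_password_otp():
    """Victim submits to the proxy; the proxy forwards the same values to the real RP
    and keeps the cookie. The RP cannot tell the proxy from the victim's browser."""
    victim_input = ("alice", "correct-horse", "492031")
    return rp_login_password_otp(*victim_input)


# ---- Phishing-resistant factor: WebAuthn assertion ----
def authenticator_get_assertion(browser_origin, rp_id, challenge):
    """Browser + authenticator side. The browser, not the page, writes the origin into
    clientDataJSON and refuses rp_ids that are not a registrable suffix of the origin host."""
    host = browser_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("RP ID not valid for this origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        separators=(",", ":")).encode()
    # authenticatorData: rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(AUTH_KEY, signed, "sha256").digest()


def rp_verify_assertion(client_data, auth_data, sig, expected_challenge):
    """Relying-party checks from the WebAuthn spec; the origin check is what stops AiTM."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(AUTH_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


def legitimate_webauthn_login(challenge="c3RhdGljLWNoYWxsZW5nZQ"):
    return rp_verify_assertion(*authenticator_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)


def aitm_relay_webauthn(challenge="c3RhdGljLWNoYWxsZW5nZQ"):
    """The proxy forwards the real RP's challenge to the victim's browser, which is on PROXY_ORIGIN.
    Case 1: proxy passes the real rp_id through; the browser refuses outright.
    Case 2: proxy rewrites rp_id to its own host so the browser signs; the RP rejects the origin.
    (In practice case 2 also fails earlier: the victim has no credential registered for the proxy's RP ID.)"""
    try:
        authenticator_get_assertion(PROXY_ORIGIN, RP_ID, challenge)
        case1 = "browser produced an assertion (unexpected)"
    except PermissionError as e:
        case1 = str(e)
    assertion = authenticator_get_assertion(PROXY_ORIGIN, "login-example.phish.test", challenge)
    case2 = rp_verify_assertion(*assertion, challenge)
    return case1, case2


if __name__ == "__main__":
    print("password+OTP via proxy:", aitm_relay_password_otp())
    print("WebAuthn direct:", legitimate_webauthn_login())
    print("WebAuthn via proxy:", aitm_relay_webauthn())
```

The difference is not cryptographic strength but binding: the OTP is a bare secret that is valid wherever it is presented, while the WebAuthn signature covers an origin the phishing page cannot choose, so relaying the response to the real relying party fails on the origin check before the signature is even examined.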