TYCOON 2FA was a phishing-as-a-service platform used to send fraudulent emails to over 500,000 organisations every month, enabling impersonation of users and bypassing multi-factor authentication. The operation disrupted tens of millions of phishing emails and led to the takedown of 330 active Tycoon 2FA domains, including control panels and phishing pages.
Europol, Microsoft, and cybersecurity companies described the takedown as a coordinated global public-private action, with law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the UK involved in the disruption. Microsoft said the platform accounted for roughly 62% of the phishing attempts it blocked last year, and noted the service had been linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.
Saad Fridi, based in Pakistan, is suspected to be the platform’s main developer, and was among those targeted by the legal actions. The takedown combined court orders, intelligence from major security firms, and seizures of the platform’s infrastructure to curb the operation.