Tycoon2FA, a subscription-based phishing-as-a-service platform launched in 2023, has resumed activity after a Europol-led takedown earlier this month, and continues to compromise email accounts and bypass multifactor authentication using adversary-in-the-middle techniques.
The operation involved Europol's European Cybercrime Centre (EC3) and authorities from Latvia, Lithuania, Portugal, Poland, Spain and the UK, and seized 330 domains linked to Tycoon2FA. Initial results showed daily campaigns at about 25% of pre-disruption levels. Despite the disruption, activity quickly returned to early 2026 levels, and CrowdStrike published an advisory noting at least 30 suspected Tycoon2FA-enabled phishing incidents between 4 and 6 March, involving decoy and credential-capture pages.
Operators are still using compromised domains and legitimate cloud services for redirection; IPv6 addresses associated with automated cloud logins remain active, and AI-generated decoy pages and malicious URLs continue to be deployed. According to CrowdStrike, Tycoon2FA accounted for a significant share of phishing activity by mid-2025 and reportedly generated more than 30 million malicious emails in a single month.