Tycoon 2FA was a major phishing‑as‑a‑service toolkit that enabled adversary‑in‑the‑middle credential harvesting at scale, and Europol described the operation as one of the largest phishing campaigns of its kind. The kit first emerged in August 2023 and was dismantled in a coordinated public‑private action, with 330 domains forming the backbone of its criminal infrastructure taken down.
Intel 471 characterised Tycoon 2FA as dangerous, linking it to over 64,000 phishing incidents and tens of thousands of domains, which generated tens of millions of phishing emails each month. According to Microsoft, Tycoon 2FA became the most prolific platform observed by the company in 2025, and the company blocked more than 13 million malicious emails linked to the crimeware service.
The takedown followed other findings, with Proofpoint reporting over three million messages in February 2026 and Trend Micro noting about 2,000 users of the PhaaS kit. The platform facilitated impersonation of trusted brands, captured credentials and MFA codes, and could relay MFA codes through Tycoon 2FA’s proxy servers, according to the reporting.