Investigators claimed on 4 March 2026 that they had taken out another key player in the global cybercrime supply chain by seizing infrastructure linked to the Tycoon2FA phishing-as-a-service (PhaaS) operation. The effort was led by Microsoft and Europol and supported by a range of industry partners, including TrendAI, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Proofpoint, Resecurity, The Shadowserver Foundation and SpyCloud, according to TrendAI.
Over 300 domains linked to Tycoon2FA were seized in the operation, according to TrendAI. Tycoon2FA offered subscription-based PhaaS that used adversary-in-the-middle techniques to intercept live authentication sessions and capture credentials, one-time passcodes and active session cookies in real time. This enabled threat actors to bypass multi-factor authentication and access countless enterprise accounts in large-scale attacks on corporate inboxes.
Tycoon2FA had around 2,000 users and had used more than 24,000 domains since its launch in August 2023. TrendAI identified the primary operator as a threat actor using the online identities “SaaadFridi” and “Mr_Xaad.”