EUROPOL and several private sector partners, including Microsoft, Trend Micro, and Cloudflare, disrupted the Tycoon 2FA phishing-as-a-service platform this week in an international operation. Microsoft seized 330 domains that hosted the platform's customer control panels and fake login pages, while law enforcement agencies seized Tycoon 2FA infrastructure in Latvia, Lithuania, Portugal, Poland, Spain, and the UK.
By mid‑2025, Tycoon 2FA accounted for approximately 62 percent of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month, placing it among the largest phishing operations globally, according to Steven Masada of Microsoft's Digital Crimes Unit. Masada added that Tycoon 2FA is connected to an estimated 96,000 distinct phishing victims since its inception, including more than 55,000 Microsoft customers.
Cloudflare explained in a research brief that the platform ran an adversary-in-the-middle (AiTM) attack: its phishing pages proxied the victim's traffic to the real login service, relayed the genuine MFA prompt, and captured the resulting live session token, handing the operator a fully authenticated session. Because the victim completes a real MFA challenge on the attacker's relay, SMS codes, authenticator-app codes, and push approvals offer no protection against it. Trend Micro and other partners cautioned that the work isn't done: known and suspected customers of the service can keep operating, and credentials and session cookies already stolen remain in circulation.
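The session-token replay described above leaves a trace a defender can hunt for: the identity provider records the MFA-satisfied sign-in from the relay's address, and the minted session cookie is then presented from the operator's own infrastructure, usually with a different client fingerprint. The following detection is an added example written for this article, not code from Cloudflare, Microsoft, Trend Micro, or the Tycoon 2FA investigation; the event field names (`ts`, `user`, `type`, `mfa`, `ip`, `ua`, `session`) and the sample events are constructed and would need to be mapped onto your own sign-in and activity logs.

```python
"""Flag session tokens reused from a different client than the MFA sign-in
that minted them, the post-login signature of an AiTM relay.

Added example: constructed sample events, not real telemetry. Field names
are assumptions; map them onto your identity provider's sign-in/activity logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. Alice's MFA sign-in is recorded from the relay proxy's
# address (203.0.113.10); minutes later the same session token S1 is replayed
# from 198.51.100.77 with a scripted client. Bob's session is used normally.
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "alice", "type": "signin", "mfa": True,
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "session": "S1"},
    {"ts": "2025-06-01T09:00:30", "user": "alice", "type": "activity",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "session": "S1"},
    {"ts": "2025-06-01T09:04:00", "user": "alice", "type": "activity",
     "ip": "198.51.100.77", "ua": "python-requests/2.31", "session": "S1"},
    {"ts": "2025-06-01T10:00:00", "user": "bob", "type": "signin", "mfa": True,
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "session": "S2"},
    {"ts": "2025-06-01T10:30:00", "user": "bob", "type": "activity",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "session": "S2"},
]

# How long after the MFA sign-in a client change is treated as suspicious.
REPLAY_WINDOW = timedelta(hours=1)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one alert per activity event that presents a session token from a
    different IP or user agent than the MFA-satisfied sign-in that created it,
    within `window` of that sign-in."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_session[e["session"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        # The origin is the first sign-in in the session that satisfied MFA.
        origin = next((e for e in evs if e["type"] == "signin" and e.get("mfa")), None)
        if origin is None:
            continue
        t0 = _parse(origin["ts"])
        for e in evs:
            if e["type"] != "activity":
                continue
            delta = _parse(e["ts"]) - t0
            if delta < timedelta(0) or delta > window:
                continue
            reasons = []
            if e["ip"] != origin["ip"]:
                reasons.append("ip_changed")
            if e["ua"] != origin["ua"]:
                reasons.append("ua_changed")
            if reasons:
                alerts.append({
                    "user": e["user"],
                    "session": sid,
                    "signin_ip": origin["ip"],
                    "activity_ip": e["ip"],
                    "seconds_after_mfa": int(delta.total_seconds()),
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(EVENTS):
        print(a)
```

Two caveats on using this in practice. First, the relay's address is the one recorded at sign-in, so this check only catches the operator's later reuse of the cookie; pairing it with a baseline of each user's usual networks (so that an MFA-satisfied sign-in from an unfamiliar hosting-provider address is itself suspicious) covers the relay step too. Second, because a relay proxy forwards a real MFA challenge, only origin-bound, phishing-resistant authenticators (FIDO2/WebAuthn, where the browser signs the actual origin it is talking to) stop the capture at the source; detection after the fact does not replace them.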