Tycoon2FA phishing platform dismantled in major operation

A Europol-led sting against the infamous Tycoon2FA MFA bypass phishing service has been successful, with operations disrupted and ringleaders and cyber criminal users identified

Tycoon2FA, an underground cyber criminal phishing service that enabled its subscribers to intercept live authentication sessions, capturing credentials, one-time passcodes and active session cookies to bypass multifactor authentication (MFA), has been taken down in a Europol-led operation supported by a coalition of industry partners, including Cloudflare, Microsoft, Proofpoint and Trend Micro’s TrendAI unit.

The sting was the result of a long-term collaborative exercise against Tycoon2FA, which has been active since the summer of 2023. Over the past three-and-a-half years, Tycoon2FA users have leveraged more than 24,000 domains with campaigns primarily targeting Microsoft 365 and Google services, particularly Gmail.

The majority of its victims – just under 52% – were based in the US, with around 8% in the UK, 5% in Germany and 4% in Canada.

The service was notable for its scale and accessibility: a ready-to-use toolkit gave buyers fake login pages, proxy layers and basic campaign tooling, and more recent updates added evasion features to hinder analysis and response. At the point of the takedown this week, it had about 2,000 active subscribers, each paying approximately $120 for a 10-day licence.

“This was not a single phishing campaign. It was an industrialised service built to make MFA bypass accessible to thousands of criminals,” said Robert McArdle, director for cyber crime research at TrendAI.

“Identity is now the primary attack surface. When session hijacking can be packaged and sold as a subscription, the risk shifts from isolated incidents to systemic exposure,” he added.

McArdle and his colleagues have been extensively researching and tracking Tycoon2FA’s infrastructure and operator behaviour for some time. A breakthrough in their work came in November 2025 when they were able to successfully identify the likely developer and primary operator of the service – an individual using the handles SaaadFridi or Mr_Xaad. The team said this person was actively involved in small-time, hacktivist-style cyber crime, such as website defacement, before moving on to phishing kit development.

“We had been mapping the operators behind Tycoon2FA and their infrastructure for months before disruption. What stood out was the scale and consistency of the patterns. Domains, hosting choices, kit updates and underground support channels all pointed to a coordinated commercial service rather than fragmented campaigns,” McArdle told Computer Weekly.

“Once we had high-confidence attribution and understanding of the scale of the problem, we shared detailed intelligence with Europol to enable action at pace. That kind of operational intelligence is what turns visibility into impact,” he added.

“Flagging this to Europol was not a routine information exchange. It’s the result of sustained tracking, technical validation and careful correlation across multiple data points. When you see a platform actively lowering the barrier for MFA bypass at scale, there is a responsibility to move beyond reporting and help drive disruption of its infrastructure or operators. This is exactly where private sector threat research and law enforcement collaboration has to intersect if we are serious about reducing cyber crime risk, and Europol have long been close partners in that space.”

One among many

Tycoon2FA was just one among many phishing-as-a-service (PhaaS) platforms available to cyber criminals. Other notable active examples include names such as BlackForce, GhostFrame and InboxPrimeAI. The latter uses generative artificial intelligence (GenAI) to mimic human behaviour in its campaigns and is billed as a “programmatic solution” for phishing.

These platforms are sometimes erroneously viewed as secondary to ransomware in the threat they pose, but in real-world situations, they are often used as the initial access point for ransomware gangs, with the credentials and other tokens they steal then sold on the dark web, or passed to initial access brokers (IABs) to monetise.

Tycoon2FA was a particularly acute threat because it substantially lowered the technical barrier to entry and expanded the pool of attackers capable of launching more sophisticated attacks. And while its disruption will be a significant setback for the PhaaS ecosystem, the underlying threat is as real as it ever was.

McArdle said the operation against Tycoon2FA underscored the value of sustained, focused tracking combined with collaboration. Because phishing platforms are themselves transnational and rely on distributed infrastructure to serve users all over the world, the industry must respond in kind, using better visibility and actionable intelligence to coordinate how it acts against them.

The TrendAI team will continue monitoring for any attempts to rebuild or rebrand Tycoon2FA, and is supporting follow-on investigations into the service’s identified users and other administrators.

“The disruption of Tycoon2FA shows what is possible when intelligence is acted on, not just observed,” said McArdle. “We will continue to track the actors, the infrastructure and the users behind these services to protect our customers and raise the cost of operating in this ecosystem.”

Next steps

The takedown of Tycoon2FA demonstrates that MFA alone is insufficient against adversary-in-the-middle (AitM) phishing, so defenders now need to put in some extra work to ward off the threat.

Among other things, security leaders should consider adopting more phishing-resistant authentication mechanisms, with stricter conditional access controls in place.

They may also wish to deploy email and collaboration security technology to detect lateral phishing and brand impersonation, and enable real-time URL inspection and web content analysis to identify fake login infrastructure.

Organisations should also move to continuous monitoring of their identity risk and introduce capabilities that enable them to mount a rapid response should anomalous session behaviour be spotted.

Finally, all these steps should go hand-in-hand with regular phishing simulations and targeted security awareness training for at-risk employees.
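The "anomalous session behaviour" check above is the one control that still catches an AitM kit after MFA has been bypassed, because a replayed session cookie usually surfaces from a different network and client than the one that completed MFA. The following is an added illustration, not code from the article or from any vendor named in it: it runs over a small constructed set of identity events (assumed field names `session`, `asn`, `ua`, `event`) and flags a token reused from a different ASN or user agent within an hour of MFA success.

```python
from datetime import datetime, timedelta

# Constructed sample identity telemetry (not real data): one row per time a
# session token is presented, tagged with the network (ASN) and user agent seen.
EVENTS = [
    {"ts": "2025-11-03T09:00:00", "user": "alice", "session": "S1",
     "asn": 3320, "ua": "Edge/130 Windows", "event": "mfa_success"},
    {"ts": "2025-11-03T09:04:00", "user": "alice", "session": "S1",
     "asn": 3320, "ua": "Edge/130 Windows", "event": "mail_read"},
    # Same token minutes later from a cloud-hosting network and a scripted
    # client: the shape a replayed, AitM-captured session cookie produces.
    {"ts": "2025-11-03T09:06:00", "user": "alice", "session": "S1",
     "asn": 16509, "ua": "python-requests/2.32", "event": "mail_read"},
    # Network change outside the replay window: left to slower, lower-confidence checks.
    {"ts": "2025-11-03T11:30:00", "user": "alice", "session": "S1",
     "asn": 16509, "ua": "Edge/130 Windows", "event": "mail_read"},
    {"ts": "2025-11-03T09:10:00", "user": "bob", "session": "S2",
     "asn": 2856, "ua": "Chrome/130 macOS", "event": "mfa_success"},
    {"ts": "2025-11-03T09:20:00", "user": "bob", "session": "S2",
     "asn": 2856, "ua": "Chrome/130 macOS", "event": "file_download"},
]


def session_anomalies(events, window=timedelta(hours=1)):
    """Flag a session token used from a different ASN or user agent than the
    one that completed MFA, within `window` of that MFA success."""
    baseline = {}   # session id -> (mfa time, asn, ua) recorded at MFA success
    alerts = []
    for e in sorted(events, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "mfa_success":
            baseline[e["session"]] = (ts, e["asn"], e["ua"])
            continue
        if e["session"] not in baseline:
            continue        # no MFA context for this token in the sample
        t0, asn, ua = baseline[e["session"]]
        reasons = []
        if e["asn"] != asn:
            reasons.append("asn_changed")
        if e["ua"] != ua:
            reasons.append("ua_changed")
        if reasons and ts - t0 <= window:
            alerts.append({"user": e["user"], "session": e["session"],
                           "ts": e["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in session_anomalies(EVENTS):
        print(alert)
```

In production the same logic would feed a revoke-session action rather than a print, which is the "rapid response" the article calls for.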
