The infrastructure hosting the Tycoon2FA service, which Europol said was among the largest phishing operations worldwide, has been taken down by a coalition of IT companies and law enforcement agencies.

At least temporarily, this removes access to one more tool for evading multifactor authentication defenses from threat actors.

Europol, which coordinated the operation, said Wednesday that the technical disruption was led by Microsoft, which got a US court order to seize 330 active domains that powered Tycoon2FA’s core infrastructure, including its control panels and fraudulent login pages. At the same time, law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom seized the service’s infrastructure in their countries.

Other IT companies involved in the operation included Cloudflare, Coinbase, Intel471, Proofpoint, the Shadowserver Foundation, SpyCloud, and Trend Micro.

Microsoft noted that, by mid‑2025, Tycoon2FA accounted for approximately 62% of all phishing attempts that it alone had blocked; at one point it intercepted more than 30 million emails in a single month. It believes that Tycoon2FA, sold to threat actors as a phishing-as-a-service operation, is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.  


The company said that Tycoon2FA combined convincing phishing templates, realistic landing pages, and real‑time capture of credentials and authentication codes into an easy‑to‑use package that scaled quickly. “By lowering the technical barrier to entry, it allowed criminals with limited expertise to run sophisticated impersonation campaigns,” Microsoft said in a blog. 

It noted that Tycoon2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail, as well as allowing threat actors using its service to establish persistence.

Because the kit captured the session cookies generated during authentication at the same time as the user’s credentials, criminals could keep accessing sensitive information even after a password was reset, unless active sessions and tokens were explicitly revoked. Intercepted multi-factor authentication (MFA) codes were relayed through Tycoon2FA’s proxy servers to the legitimate authenticating service.

Don’t be complacent: Experts

This takedown is the latest in a series of IT industry and law enforcement co-operative efforts to go after criminals’ IT infrastructure.

However, experts warned CSOs and infosec leaders not to become complacent. Cybercrime is so lucrative that either a distribution of this tool will pop up elsewhere, or another tool will take its place.

“Phishing tools designed to bypass reverse proxies continue to evolve,” noted Robert Beggs, head of Canadian incident response firm Digital Defence. “Commercial variations such as EvilProxy are commonly found in the wild, and open source toolkits like EvilGinx, Modlishka, EvilPunch are becoming the go-to option for attackers.”

Johannes Ullrich, dean of research at the SANS Institute, noted that access brokers like Tycoon2FA are typically less sensitive to domain takedowns than malware operators who use domains for their command-and-control infrastructure.

“It will likely take them a bit of time to rebuild domains to use in their operation,” he said in an email, “but I doubt they will disappear. On the other hand, there is reason to cheer: at least a temporary reprieve from Tycoon2FA phishing emails.”

He added, “CSOs should, however, focus on identity security, in particular phishing-resistant authentication technologies. Multi-factor authentication is not sufficient if it is still susceptible to phishing. A recently developed tool, Starkiller, added yet another option for attackers to exploit insufficient MFA configurations.”


Beggs pointed out that Tycoon2FA owes its success to being a simple-to-use system built on a reverse proxy. This configuration allows it to bypass the two-factor authentication that most organizations rely on for protection against phishing attacks, he said. The reverse proxy lets the attacker sit virtually in the middle of the transaction and intercept access credentials and cookies.

Stringent defenses needed

CSOs must employ stringent defenses against tools that use reverse proxies, Beggs said, including strengthening email filtering by enforcing DMARC, DKIM, and SPF; enforcing secure session handling at the edge by using client-bound session tokens tied to device or TLS certificates; ensuring continuous validation by issuing a new challenge when the device fingerprint changes and by using short-lived cookies; monitoring network traffic for signs of man-in-the-middle behaviors such as inconsistent host headers, proxy-added headers, and timing discrepancies between client and server flows; and adopting phishing-resistant MFA with tools like FIDO2/WebAuthn hardware keys, passkeys, or certificate-based authentication. 

Because authentication is bound to the origin (domain) and the cryptographic challenges cannot be replayed through a reverse proxy, these methods cannot be proxied, he added.

How the service worked

Tycoon2FA phishing services were advertised and sold to cybercriminals on applications like Telegram and Signal, Microsoft said in a separate blog. Prices ranged, but phishing kits started at $120 for 10 days of access to an administrative panel, which served as a single dashboard for configuring, tracking, and refining campaigns.

For defenders who don’t know how comprehensive these criminal SaaS operations can be, here’s an outline of Tycoon2FA’s service: Campaign operators could configure a broad set of campaign parameters that control how phishing content is delivered and presented to targets. Key settings include lure template selection and branding customization, redirection routing, MFA interception behavior, CAPTCHA appearance and logic, attachment generation, and exfiltration configuration. 

Tycoon2FA generated large numbers of subdomains for individual phishing campaigns, used them briefly, then dropped them and spun up new ones. 

Operators could also configure how the malicious content was delivered. Options included generating EML files, PDFs, and QR codes, giving multiple ways to package and distribute phishing lures.

Operators could track valid and invalid sign-in attempts, MFA usage, and session cookie capture, with victim data organized by attributes such as targeted service, browser, location, and authentication status. Captured credentials and session cookies could be viewed or downloaded directly within the panel and/or forwarded to Telegram for near‑real‑time monitoring.

“Tycoon2FA illustrated the evolution of phishing kits in response to rising enterprise defenses, adapting its lures, infrastructure, and evasion techniques to stay ahead of detection,” said Microsoft.

“As organizations increasingly adopt MFA, attackers are shifting to tools that target the authentication process itself, instead of attempting to circumvent it. Coupled with affordability, scalability, and ease of use, Tycoon2FA posed a persistent and significant threat to both consumer and enterprise accounts, especially those that rely on MFA as a primary safeguard.”
