Major Phishing-as-a-Service Platform Tycoon 2FA Disrupted in Global Operation
One of the largest phishing-as-a-service (PhaaS) infrastructures used for bypassing multi-factor authentication has been dismantled following a coordinated operation involving Microsoft, Europol and multiple industry partners.
The operation resulted in the seizure of more than 330 domains used to host phishing pages and credential-harvesting infrastructure, significantly disrupting a service that had been active since 2023 and was responsible for sending tens of millions of phishing emails each month.
The takedown marks one of the most visible examples of public-private cooperation against large-scale identity-focused cybercrime infrastructure.
Industrial-Scale Phishing Infrastructure
Tycoon 2FA operated as a subscription-based platform that allowed cybercriminals to launch sophisticated phishing campaigns without building their own infrastructure.
Subscribers could generate phishing pages targeting services such as:
Microsoft 365
Gmail
enterprise login portals
The platform relied on Adversary-in-the-Middle (AiTM) techniques, which intercept authentication traffic between the victim and the legitimate service.
Instead of simply collecting passwords, the system captured:
login credentials
multi-factor authentication codes
session cookies and authentication tokens
With valid session tokens, attackers could access accounts without triggering additional login verification.
A Platform Powering a Large Share of MFA Bypass Attacks
Telemetry from Microsoft indicates that Tycoon 2FA infrastructure accounted for approximately 62% of AiTM phishing attempts detected and blocked by Microsoft systems by mid-2025.
Across the campaign’s lifespan, the platform is estimated to have targeted more than 500,000 organizations globally and generated tens of millions of phishing messages per month.
Between October 2025 and January 2026 alone, researchers estimate that roughly 87.5 million phishing emails were distributed through the infrastructure.
Healthcare and education organizations were among the sectors most heavily impacted.
Phishing-as-a-Service as a Cybercrime Business Model
Tycoon 2FA illustrates how phishing operations have evolved into structured cybercrime services.
The platform provided subscribers with ready-to-use infrastructure including:
phishing page hosting
credential harvesting pipelines
session hijacking capabilities
infrastructure rotation across multiple domains
Operators also implemented multiple evasion techniques to prevent detection, including CAPTCHA validation, browser fingerprinting, obfuscated scripts, and rapid domain rotation.
This approach mirrors the broader transformation of phishing from isolated campaigns into fully managed criminal ecosystems.
Global Public-Private Disruption
The disruption was carried out through a coordinated effort between Microsoft, Europol and multiple security partners.
Authorities seized control panels, phishing domains and supporting infrastructure used to run the platform.
Industry partners contributed threat intelligence and telemetry that enabled investigators to map the infrastructure and coordinate the takedown across multiple jurisdictions.
Such coordinated operations are becoming increasingly important as phishing infrastructure spans cloud services, hosting providers and international networks.
Not the Same Infrastructure as Recent Starkiller Activity
The takedown of Tycoon 2FA should not be confused with recently reported phishing toolkits such as Starkiller, which security researchers have identified as a newer platform using similar AiTM techniques.
While both rely on session interception and MFA bypass methods, they represent separate infrastructures within the broader phishing-as-a-service ecosystem.
The emergence of new platforms even as others are dismantled highlights how quickly the cybercrime market adapts when major services are disrupted.
DIAMATIX Perspective
Identity-centric attacks are increasingly dominating the threat landscape.
Phishing platforms like Tycoon 2FA demonstrate how attackers are shifting away from simple credential theft toward session hijacking and authentication flow interception.
Several trends are becoming clear:
phishing infrastructure is evolving into scalable service platforms
AiTM techniques enable attackers to bypass traditional MFA defenses
cybercrime ecosystems rapidly regenerate even after major disruptions
Organizations should focus defensive strategies on protecting authentication sessions and identity infrastructure rather than relying solely on passwords and basic MFA.
Recommended defensive measures include:
deploying phishing-resistant authentication mechanisms such as FIDO2
monitoring anomalous login sessions and token usage
restricting risky OAuth and third-party application permissions
implementing identity-centric threat detection and response capabilities
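As an added example (not from the article or from any organisation it names), a defender-side check for the session-hijack pattern described above and the session monitoring recommended here: it flags a session token that is used shortly after MFA succeeded but from a different IP and/or browser than the client that completed the challenge. The telemetry field names (ts, session, user, ip, ua, event) are assumptions for this constructed sample.

```python
"""Flag session-token replay typical of AiTM phishing (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in telemetry, not real logs. Session s-1 shows the
# AiTM pattern: MFA completes via the proxy, then the stolen cookie is replayed
# minutes later from another IP and another browser. s-2 is benign.
EVENTS = [
    {"ts": "2026-01-10T09:00:00", "session": "s-1", "user": "alice", "ip": "203.0.113.10", "ua": "Chrome/120", "event": "mfa_success"},
    {"ts": "2026-01-10T09:04:00", "session": "s-1", "user": "alice", "ip": "198.51.100.7", "ua": "Firefox/121", "event": "token_use"},
    {"ts": "2026-01-10T10:00:00", "session": "s-2", "user": "bob", "ip": "203.0.113.20", "ua": "Chrome/120", "event": "mfa_success"},
    {"ts": "2026-01-10T10:30:00", "session": "s-2", "user": "bob", "ip": "203.0.113.20", "ua": "Chrome/120", "event": "token_use"},
    {"ts": "2026-01-10T11:00:00", "session": "s-3", "user": "carol", "ip": "203.0.113.30", "ua": "Chrome/120", "event": "mfa_success"},
    {"ts": "2026-01-10T11:20:00", "session": "s-3", "user": "carol", "ip": "192.0.2.9", "ua": "Chrome/120", "event": "token_use"},
]


def find_session_replays(events, window=timedelta(hours=1)):
    """Return one finding per token use that occurs within `window` after the
    session's MFA success but from a different IP and/or user agent.
    Severity is "high" when both differ, "medium" when only one does."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session[ev["session"]].append(ev)

    findings = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["event"] == "mfa_success"), None)
        if origin is None:
            continue  # no MFA-bound origin to compare against
        t0 = datetime.fromisoformat(origin["ts"])
        for ev in evs:
            if ev["event"] != "token_use":
                continue
            delta = datetime.fromisoformat(ev["ts"]) - t0
            if not (timedelta(0) <= delta <= window):
                continue  # outside the replay window; leave to slower baselines
            changed = [k for k in ("ip", "ua") if ev[k] != origin[k]]
            if changed:
                findings.append({
                    "session": sid, "user": ev["user"], "changed": changed,
                    "severity": "high" if len(changed) == 2 else "medium",
                    "minutes_after_mfa": int(delta.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(EVENTS):
        print(finding)
```

A legitimate user rarely changes both network and browser within minutes of completing MFA, so "high" findings are good candidates for automatic session revocation, while "medium" ones (mobile IP churn, for instance) warrant correlation with other signals first.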
The takedown of Tycoon 2FA may disrupt one infrastructure, but it also underscores a broader reality.
Phishing has become an industrialized cybercrime model, and defending against it requires continuous visibility into identity, authentication and session activity.
Sources
Threat intelligence and public reporting from Microsoft, Europol and cybersecurity partners involved in the infrastructure disruption operation.