
Global Coalition Breaks Up Tycoon 2FA Phishing Operation


Major Phishing Platform Tycoon 2FA Dismantled by International Coalition

In a significant victory against cybercrime, Tycoon 2FA, a widely used phishing kit and platform, was effectively dismantled on Wednesday through a coordinated effort by a global coalition of security firms and law enforcement agencies. The operation is a notable blow to adversary-in-the-middle (AitM) phishing, which has proliferated because kits like Tycoon 2FA proxy the real login page, relay the victim's password and MFA response to the legitimate service in real time, and capture the resulting session cookie. That approach defeats one-time codes and push approvals and let the platform support phishing at very large scale.

Leading the charge in this initiative was Microsoft, which collaborated closely with Europol, law enforcement agencies from six nations, and 11 security firms. In a decisive move, Microsoft reported seizing 330 domains integral to Tycoon 2FA’s infrastructure. These domains included essential components such as control panels and fraudulent login pages that cybercriminals leveraged in their phishing schemes.

Emerging in August 2023, Tycoon 2FA quickly became notorious for its widespread impact, responsible for sending out tens of millions of phishing messages monthly to over 500,000 organizations around the globe. Microsoft’s Threat Intelligence analysis revealed that thousands of cybercriminals utilized this sophisticated platform to gain unauthorized access to pivotal email and online services, including Microsoft 365, Outlook, SharePoint, OneDrive, and Google services.

Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, emphasized the scale of Tycoon 2FA's operations, noting that by mid-2025 the platform accounted for approximately 62% of all phishing attempts Microsoft blocked. That figure included 30 million blocked emails within a single month, placing Tycoon 2FA among the largest phishing operations worldwide.

Despite existing defenses, the platform was linked to an estimated 96,000 distinct phishing victims globally since its inception in 2023, more than 55,000 of them Microsoft customers. The figure is a reminder that one-time-code and push-based MFA on their own do not stop AitM phishing, whatever the size or sector of the organization.

The phishing kit was developed by a group tracked by Microsoft as Storm-1747 and made accessible to cybercriminals for a monthly fee of $350 through platforms like Telegram and Signal. Tycoon 2FA offered a user-friendly dashboard that enabled cybercriminals to easily configure, track, and optimize their phishing campaigns, significantly lowering the barrier for entry into cybercrime.

Moreover, the platform furnished users with pre-built templates, attachment files for common phishing lures, and configurations for domains and hosting, which further streamlined their operations. The monthly volume of phishing messages attributed to Tycoon 2FA peaked at more than 30 million in November 2025.

Organizations in the education and healthcare sectors were particularly hard hit. Masada highlighted that over 100 members of Health-ISAC, a co-plaintiff in the lawsuit against Tycoon 2FA, had been targeted by phishing attempts. Specifically, two hospitals and numerous educational institutions in New York faced incidents that disrupted operations, diverted resources, and delayed patient care.

To hold the creators of Tycoon 2FA accountable, Microsoft and Health-ISAC filed a civil complaint against Saad Fridi and four unnamed associates, seeking a $10 million injunction for developing, operating, and selling the phishing platform. The resulting court order enabled Microsoft to seize and take control of Tycoon 2FA's technical infrastructure, cutting operators off from their control panels and phishing pages.

The multinational operation received support from law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom, and from security firms including Cloudflare, Coinbase, and Trend Micro, among others.

Selena Larson, a staff threat researcher at Proofpoint whose declaration supported the court order, remarked that Tycoon 2FA was responsible for the highest volume of adversary-in-the-middle phishing attacks Proofpoint observed. She anticipated a marked decrease in activity following the operation, since many of the kit's customers would suddenly find their tooling rendered ineffective.

Larson elaborated that even if Tycoon 2FA attempts to reestablish itself by creating new domains, the damage to its brand would be severe. Consequently, cybercriminals might resort to purchasing less effective tools or even reevaluating their participation in such illegal activities altogether.

Researchers attributed Tycoon 2FA's popularity to its ease of use and robust capabilities. The platform benefited from frequent updates to its codebase and from rapid generation of subdomains that operators used for short periods before abandoning them and shifting to new domains. That churn meant domain reputation and blocklists lagged behind campaigns, complicating the already difficult task of detecting and blocking them.
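Because the kit rotates domains faster than blocklists can follow, defenders often look instead at the artefact every AitM kit leaves behind: a session cookie minted after a legitimate MFA login that is then replayed from attacker infrastructure. The following heuristic detector is an added example written for this article, not code from Microsoft, Proofpoint, or the Tycoon 2FA platform. The event schema, field names, and sample sign-in records are constructed for the example and do not reflect any real product's log format.

```python
"""Heuristic detector for adversary-in-the-middle (AitM) session replay.

An AitM phishing kit proxies the real login page, so the victim completes MFA
legitimately and the attacker receives the resulting session cookie. The stolen
session is then replayed from attacker infrastructure, typically from a
different IP address and ASN than the interactive login. This script flags
sessions reused from a different network shortly after the MFA sign-in.

Event schema (assumption for this example, not a real product's format):
  ts      ISO-8601 UTC timestamp
  user    user principal name
  session session identifier shared by every request carrying the same cookie
  ip/asn  client network as seen by the identity provider
  ua      client user agent
  mfa     True for the interactive, MFA-completed sign-in; False for cookie use
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T09:01:10Z", "user": "alice@example.org", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS64501", "ua": "Edge/130", "mfa": True},
    # Same session cookie, two and a half minutes later, from another network:
    {"ts": "2025-11-03T09:03:42Z", "user": "alice@example.org", "session": "S1",
     "ip": "198.51.100.77", "asn": "AS64502", "ua": "Chrome/129", "mfa": False},
    {"ts": "2025-11-03T10:15:00Z", "user": "bob@example.org", "session": "S2",
     "ip": "203.0.113.22", "asn": "AS64501", "ua": "Edge/130", "mfa": True},
    # Benign: same session reused hours later from the same network.
    {"ts": "2025-11-03T18:40:00Z", "user": "bob@example.org", "session": "S2",
     "ip": "203.0.113.22", "asn": "AS64501", "ua": "Edge/130", "mfa": False},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 'Z' timestamp into a naive UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=timedelta(hours=1)):
    """Return one alert per session that was used from a different IP or ASN
    within `window` after the MFA-completed sign-in that created it.

    The MFA sign-in is the anchor; any later use of the same session from a
    different network inside the window is reported with the delay in seconds.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: parse_ts(e["ts"]))
        anchor = next((e for e in session_events if e["mfa"]), None)
        if anchor is None:
            continue  # no interactive login seen; nothing to compare against
        anchor_time = parse_ts(anchor["ts"])
        for event in session_events:
            if event is anchor:
                continue
            delay = parse_ts(event["ts"]) - anchor_time
            network_changed = (event["ip"] != anchor["ip"]
                               or event["asn"] != anchor["asn"])
            if timedelta(0) <= delay <= window and network_changed:
                alerts.append({
                    "user": event["user"],
                    "session": session_id,
                    "mfa_ip": anchor["ip"],
                    "replay_ip": event["ip"],
                    "ua_changed": event["ua"] != anchor["ua"],
                    "seconds_after_mfa": int(delay.total_seconds()),
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

The heuristic is deliberately simple and will produce false positives for users who switch networks right after logging in (for example, moving from Wi-Fi to a mobile carrier), so in practice it is a triage signal to combine with ASN reputation, impossible-travel checks, and the user-agent change it also records. It also does nothing to prevent the theft; only phishing-resistant, origin-bound authenticators such as FIDO2/WebAuthn stop the proxy from obtaining a usable session in the first place.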

The dismantling of Tycoon 2FA follows a recent spate of cybercrime crackdowns that have targeted other operations, including the RaccoonO365 phishing service and the Lumma Stealer infostealer operation, which had collectively compromised millions of systems worldwide. The ongoing battle against cybercrime highlights the need for cooperation across borders and sectors, as public and private entities come together to fortify cybersecurity defenses.
