Europol and partners dismantle the Tycoon 2FA phishing-as-a-service platform linked to tens of millions of scam emails and thousands of cyberattacks.
An international law enforcement operation led by Europol has dismantled Tycoon 2FA, a major phishing-as-a-service platform used by cybercriminals to bypass multi-factor authentication and compromise online accounts worldwide.
The service, active since August 2023, provided attackers with subscription-based phishing kits that enabled large-scale credential harvesting through adversary-in-the-middle (AiTM) attacks. These tools allowed criminals to intercept login credentials, authentication codes, and session cookies in real time even when victims had multi-factor authentication enabled.
Authorities say the platform helped facilitate tens of millions of phishing emails each month, targeting organizations across sectors including healthcare, education, government, and finance. Campaigns linked to the service reached more than 500,000 organizations monthly and contributed to over 64,000 phishing incidents.
Tycoon 2FA operated as a subscription service, selling access to cyber-criminals for roughly $120 for 10 days or $350 for a monthly control panel. The web-based dashboard allowed users to configure phishing campaigns, manage infrastructure, track victims, and receive stolen credentials in near real time via messaging platforms like Telegram.
The phishing toolkit also included advanced evasion features such as browser fingerprinting, anti-bot protections, keystroke logging, code obfuscation, and rapidly rotating phishing domains that remained active for only short periods to avoid detection.
As part of the coordinated crackdown, investigators seized around 330 domains used to host phishing pages and control panels that formed the backbone of the operation’s infrastructure. The disruption involved collaboration between law enforcement agencies and private cybersecurity firms.
Security researchers warn that phishing-as-a-service platforms like Tycoon 2FA significantly lower the barrier for cybercrime, enabling even inexperienced attackers to launch sophisticated account takeover campaigns that can lead to data theft, fraud, or ransomware attacks.
Reports are sourced from official documents, law-enforcement updates, and credible investigations.
Discover additional reports, market trends, crime analysis and Harm Reduction articles on DarkDotWeb to stay informed about the latest dark web operations.
