The platform helped scammers bypass multi-factor authentication and was widely used in large-scale cyberattacks.

Microsoft, Europol, and Coinbase dismantle infrastructure behind Tycoon 2FA phishing platform

05.03.2026 - 10:20


Key points:

  • Microsoft, Europol, and Coinbase dismantled the infrastructure of the Tycoon 2FA phishing platform, which allowed attackers to bypass multi-factor authentication.
  • Authorities blocked 330 domains linked to the service during the operation.
  • The platform had been active since 2023 and by 2025 was responsible for up to 62% of phishing attacks blocked by Microsoft.

Technology companies and law enforcement agencies have taken down the core infrastructure of Tycoon 2FA, a major phishing-as-a-service platform that enabled cybercriminals to bypass multi-factor authentication systems. The operation involved Microsoft, Europol, and crypto exchange Coinbase.

According to Europol, Microsoft helped block 330 domains associated with the platform, while authorities seized key parts of its infrastructure. Coinbase also assisted the investigation by analyzing cryptocurrency transactions used to fund Tycoon 2FA. This helped investigators identify the platform’s suspected administrator and several of its users.

According to Coinbase representatives, dismantling the infrastructure will significantly disrupt cybercriminal operations and force them to rebuild their tools while taking greater risks of exposure.

How the Tycoon 2FA Platform Worked

Tycoon’s toolkit allowed attackers to create fake login pages that mimicked legitimate websites. When victims entered their credentials, the system captured not only usernames and passwords but also session tokens that confirm a user’s authenticated login.

After a user completes multi-factor authentication, a service typically generates a session token and stores it in the browser. If an attacker obtains this token, they can access the account without repeating the authentication process, effectively bypassing MFA protections.

This approach makes phishing particularly dangerous: stolen data can be used for account takeovers, business email compromise, invoice fraud, and further social engineering attacks.
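
Defenders can look for the token reuse described above in authentication logs. The following is an added example, not part of the original article or of any tooling from Microsoft, Europol or Coinbase: it flags a session whose token is later presented by a different client than the one that completed MFA. The log format, field names and sample lines are constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample events (not real data), one authenticated request per line.
# Hypothetical fields: timestamp user session_id source_ip user_agent event
SAMPLE_LOG = """\
2026-03-05T10:00:01Z alice sess-a1 198.51.100.7 Firefox/124 mfa_success
2026-03-05T10:00:09Z alice sess-a1 198.51.100.7 Firefox/124 request
2026-03-05T10:02:30Z alice sess-a1 203.0.113.50 python-requests/2.31 request
2026-03-05T10:05:00Z bob sess-b2 192.0.2.14 Chrome/122 mfa_success
2026-03-05T10:06:00Z bob sess-b2 192.0.2.14 Chrome/122 request
2026-03-05T10:07:00Z carol sess-c3 192.0.2.99 Safari/17 request
2026-03-05T10:09:00Z bob sess-b2 192.0.2.77 Chrome/122 request
"""


class Finding(NamedTuple):
    session: str
    user: str
    timestamp: str
    changed: tuple  # client attributes that differ from the MFA-time baseline


def find_token_reuse(log_text: str) -> list[Finding]:
    """Return requests whose session token arrives from a client other than
    the one that completed MFA for that session."""
    baseline = {}  # session id -> (ip, user_agent) recorded at MFA completion
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than guessing at fields
        ts, user, sid, ip, ua, event = parts
        if event == "mfa_success" or sid not in baseline:
            # MFA completion (re)binds the session. If the log window missed
            # the login, fall back to the first client seen for the session.
            baseline[sid] = (ip, ua)
            continue
        base_ip, base_ua = baseline[sid]
        checks = (("ip", ip, base_ip), ("user_agent", ua, base_ua))
        changed = tuple(name for name, seen, base in checks if seen != base)
        if changed:
            findings.append(Finding(sid, user, ts, changed))
    return findings


if __name__ == "__main__":
    for finding in find_token_reuse(SAMPLE_LOG):
        print(finding)
```

An IP-only change is common on mobile networks and VPNs, so a change in both address and user agent within one session is the stronger signal.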

Tycoon 2FA had been operating since at least 2023. According to Microsoft, by mid-2025 the platform accounted for 62% of all phishing attacks blocked by the company. In a single month, the system could distribute more than 30 million malicious emails.

Data from blockchain security firm CertiK shows that phishing became the second-largest threat to the crypto industry in 2025, with investors losing around $722 million across 248 incidents. Analysts at PeckShield warn that such schemes remain a major threat in 2026.
