
Tycoon 2FA Fully Operational Despite Law Enforcement Takedown

Attack volumes are back to pre-disruption levels, and the adversary tactics have remained unchanged. The post Tycoon 2FA Fully Operational Despite Law Enforcement Takedown appeared first on SecurityWeek.

Phishing

The phishing-as-a-service (PhaaS) platform Tycoon 2FA’s operation has continued despite an international effort to disrupt it, CrowdStrike reports.

A subscription-based service active since 2023, Tycoon 2FA allows miscreants to mount phishing attacks, bypass multi-factor authentication (MFA), and compromise accounts without triggering alerts.

Responsible for 62% of the phishing attempts blocked by Microsoft in 2025, Tycoon 2FA has been used to generate over 30 million malicious emails monthly, targeting half a million organizations. The platform has been linked to roughly 96,000 distinct phishing victims worldwide.

In early March, Europol and Microsoft announced the seizure of 330 active Tycoon 2FA domains and legal action against multiple individuals linked to the PhaaS, as part of an international effort involving law enforcement agencies in six countries and a dozen private companies.

According to CrowdStrike, the takedown effort left only a minor dent in Tycoon 2FA’s operations, which are now back to pre-disruption levels.

On March 4 and 5, immediately following the law enforcement operation, Tycoon 2FA activity fell to roughly 25% of its pre-disruption volume, but it returned to previous levels shortly afterwards, with “daily levels of cloud compromise active remediations returning to early 2026 levels”, CrowdStrike says.

“Additionally, Tycoon2FA’s TTPs have not changed following the takedown, indicating that the service’s operations may persist beyond this disruption,” the cybersecurity firm notes.

These TTPs include phishing emails that lead to malicious CAPTCHA pages, theft of the victim's session cookie once the CAPTCHA is passed, JavaScript files that extract the target's email address and proxy the entered credentials, and use of the stolen credentials to access the victim's cloud environment.
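The session-cookie theft step above is what lets the kit bypass MFA: once the cookie is replayed from attacker infrastructure, the cloud provider sees an already-authenticated session. One practical check a defender can run against sign-in telemetry is to look for a session token that reappears from a different network and browser within minutes of being issued. The following is an added example written for this page, not code from CrowdStrike, Microsoft or the Tycoon 2FA kit; the event schema (user, timestamp, hashed session identifier, IP, ASN, user agent) and the sample events are constructed assumptions, and the 30-minute window is an arbitrary starting threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (assumed schema; not taken from any real tenant).
# Each record: user, UTC timestamp, hashed session token, source IP, source ASN, user agent.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ts": "2026-03-10T09:00:00Z", "session": "sess-A1",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/123 Windows"},
    # Same session token, four minutes later, from a different ASN and browser:
    # the pattern a replayed cookie produces.
    {"user": "alice@example.com", "ts": "2026-03-10T09:04:00Z", "session": "sess-A1",
     "ip": "198.51.100.7", "asn": "AS64510", "ua": "Chrome/123 Linux"},
    # Benign: same user, same session, same ASN and browser, hours apart (DHCP churn).
    {"user": "bob@example.com", "ts": "2026-03-10T10:00:00Z", "session": "sess-B1",
     "ip": "203.0.113.20", "asn": "AS64500", "ua": "Edge/123 Windows"},
    {"user": "bob@example.com", "ts": "2026-03-10T15:00:00Z", "session": "sess-B1",
     "ip": "203.0.113.21", "asn": "AS64500", "ua": "Edge/123 Windows"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replay(events, window=timedelta(minutes=30)):
    """Flag session tokens reused from a different ASN *and* a different user agent
    within `window` of the first sign-in that used them.

    A legitimate user rarely changes network operator and browser within minutes of
    logging in; a stolen cookie replayed from attacker infrastructure usually does.
    Requiring both attributes to differ keeps mobile-to-Wi-Fi hops from alerting.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        first = evs[0]
        for later in evs[1:]:
            elapsed = parse_ts(later["ts"]) - parse_ts(first["ts"])
            if (elapsed <= window
                    and later["asn"] != first["asn"]
                    and later["ua"] != first["ua"]):
                alerts.append({
                    "user": later["user"],
                    "session": session,
                    "first_ip": first["ip"],
                    "replay_ip": later["ip"],
                    "minutes": int(elapsed.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_EVENTS):
        print(f"possible session replay: {alert['user']} session {alert['session']} "
              f"first seen from {alert['first_ip']}, reused from {alert['replay_ip']} "
              f"after {alert['minutes']} min")
```

The heuristic is deliberately conservative and should be tuned per tenant; the response to a hit is to revoke the session and reset the credential, since the cookie, not just the password, is what the attacker holds.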

In March, CrowdStrike says, Tycoon 2FA was used for business email compromise (BEC) phishing, email thread hijacking, compromise of SharePoint and other cloud accounts to distribute phishing URLs, and cloud account takeover attacks.

CrowdStrike observed Tycoon 2FA attacks that failed after their phishing pages were suspended, identified eight IP addresses likely acquired after the takedown operation, and found phishing domains in use since 2025 that the law enforcement operation had not targeted.

While Tycoon 2FA likely began recovering the same day Europol and Microsoft announced the takedown, domains associated with the Salty 2FA phishing kit appear to have been affected by the disruption.

“The efforts by Europol and private industry partners to degrade the operations of Tycoon 2FA will likely have a positive impact on the eCrime landscape overall, even if temporary. The service’s disruption likely set back current customers of the service by impeding phishing operations and damaged the long-term reputation of the PhaaS provider in the crimeware landscape,” CrowdStrike notes.

Related: US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites

Related: Aisuru and Kimwolf DDoS Botnets Disrupted in International Operation

Related: Authorities Disrupt SocksEscort Proxy Service Powered by AVrecon Botnet

Related: SystemBC Infects 10,000 Devices After Defying Law Enforcement Takedown
