Mar 09, 2026 · 5 min read
The Phishing Service Behind 62% of Attacks Just Got Taken Down—330 Domains Seized in Global Raid
Europol, Microsoft, and a coalition of private-sector partners dismantled Tycoon 2FA, the largest phishing-as-a-service platform ever documented.
For nearly three years, a subscription-based phishing platform called Tycoon 2FA quietly became the backbone of global credential theft. By mid-2025, it accounted for 62 percent of every phishing attempt Microsoft blocked, generating more than 30 million malicious emails in a single month. On March 4, 2026, a coordinated operation led by Europol, Microsoft, and over a dozen private-sector partners finally pulled the plug.
What Was Tycoon 2FA?
Tycoon 2FA first appeared in August 2023 and is believed to be a fork of an earlier phishing kit called Dadsec. Unlike traditional phishing pages that simply collect passwords and hope for the best, Tycoon 2FA operated as a transparent reverse proxy. It sat between the victim and the real login page for services like Microsoft 365 or Gmail, relaying authentication prompts in real time.
That distinction matters. When a victim entered their password and then completed a multifactor authentication challenge, whether through an SMS code, authenticator app, or push notification, Tycoon 2FA captured the resulting session token. The attacker inherited a fully authenticated session. No password reset, no second factor, no alert triggered. The victim's MFA did exactly what it was designed to do, and it still was not enough.
The platform sold this capability as a service. For roughly $120 a month, anyone could run sophisticated phishing campaigns against enterprise targets without writing a single line of code. At its peak, Tycoon 2FA had approximately 2,000 active subscribers and had used more than 24,000 domains since its launch.
The Scale of the Damage
The numbers behind Tycoon 2FA are staggering. Between October 2025 and January 2026, the platform generated an estimated 87.5 million phishing emails. It targeted over 500,000 organizations every month, including schools, hospitals, government agencies, and public institutions across the globe.
Microsoft estimated the platform facilitated unauthorized access to nearly 100,000 organizations. The phishing emails were convincing enough that even security-aware users frequently fell for them, because the login pages they landed on were not imitations. They were the real thing, proxied through an attacker-controlled server.
How the Takedown Worked
The operation was coordinated through Europol's Cyber Intelligence Extension Programme (CIEP), marking the first time Microsoft used this channel for a disruption campaign. Acting under a court order from the U.S. District Court for the Southern District of New York, Microsoft seized 330 domains that formed the core infrastructure of the service, including phishing pages and control panels.
Law enforcement agencies in six countries (Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom) simultaneously seized additional infrastructure and carried out operational measures. The private-sector coalition included Cloudflare, Coinbase, Proofpoint, Trend Micro, Intel 471, eSentire, SpyCloud, Resecurity, The Shadowserver Foundation, and Health ISAC.
Legal action was taken against multiple individuals suspected of running the operation. Saad Fridi, based in Pakistan, was identified as the platform's lead developer.
Why MFA Alone Is Not Enough
Tycoon 2FA exposed a fundamental weakness in how most organizations think about account security. Multifactor authentication is widely treated as the gold standard, the thing that makes phishing irrelevant. Tycoon 2FA proved otherwise. When the phishing page is actually proxying the real service, every security measure the user completes gets passed straight through to the attacker.
Security researchers recommend moving beyond traditional MFA to phishing-resistant methods like FIDO2 hardware keys or passkeys, which bind authentication to a specific domain and cannot be proxied. Organizations should also implement conditional access policies that evaluate device compliance, location, and risk signals before granting access.
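To show concretely why a proxied login page defeats SMS or push MFA but not FIDO2/passkeys, here is an added example (not from the article or any vendor) that models the WebAuthn origin and RP ID checks. The relying party name `login.example.com`, the proxy host `login.example-proxy.test`, and the HMAC "signature" standing in for the authenticator's real ECDSA signature are all constructed for the demonstration.

```python
# Added example: the browser, not the page, records the origin it is really
# connected to, and the authenticator signs over rpIdHash || hash(clientData).
import hashlib, hmac, json

RP_ID = "login.example.com"               # hypothetical relying party
RP_ORIGIN = "https://login.example.com"
CREDENTIAL_KEY = b"constructed-demo-key"  # stand-in for the credential key pair

def browser_assert(origin_seen_by_browser: str, challenge: str) -> dict:
    """Model of navigator.credentials.get() on the page the user is viewing."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin_seen_by_browser}).encode()
    # RP ID defaults to the host the browser actually loaded; a page on another
    # domain cannot request login.example.com as its RP ID.
    host = origin_seen_by_browser.split("://", 1)[1]
    rp_id_hash = hashlib.sha256(host.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "rpIdHash": rp_id_hash, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks: type, challenge, origin, RP ID hash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:            # origin binding
        return False
    if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False                             # RP ID binding
    signed = assertion["rpIdHash"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def direct_login() -> bool:
    return rp_verify(browser_assert(RP_ORIGIN, "chal-1"), "chal-1")

def proxied_login() -> bool:
    # The victim's browser is connected to the proxy host, so that is the origin
    # it records; relaying the assertion unchanged fails at the real RP.
    return rp_verify(browser_assert("https://login.example-proxy.test", "chal-1"), "chal-1")

def rewritten_origin_login() -> bool:
    # Rewriting origin and rpIdHash in transit breaks the signature, which
    # covers the hash of the original clientDataJSON.
    a = browser_assert("https://login.example-proxy.test", "chal-1")
    a["clientDataJSON"] = json.dumps({"type": "webauthn.get", "challenge": "chal-1",
                                      "origin": RP_ORIGIN}).encode()
    a["rpIdHash"] = hashlib.sha256(RP_ID.encode()).digest()
    return rp_verify(a, "chal-1")
```

Contrast this with an SMS or push code, which carries no origin information at all and verifies identically whichever page the user typed it into.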
What Happens Next
The Tycoon 2FA takedown is significant, but it is unlikely to be permanent. Phishing-as-a-service platforms have shown a pattern of rebuilding after disruptions, often migrating to new infrastructure within weeks. Other adversary-in-the-middle platforms like EvilProxy and Caffeine remain active, and the underlying technique is well understood by threat actors worldwide.
What makes this operation notable is the scale of the coalition involved and the speed at which intelligence was shared between public and private sectors. Europol described the collaboration as a model for future disruptions. Microsoft emphasized that the goal was not just to seize domains but to raise the cost and complexity for operators who try to rebuild.
For organizations that rely on email authentication, the message is clear: MFA is a floor, not a ceiling. The tools attackers use to bypass it are not theoretical exploits. They were a subscription service with 2,000 paying customers, available to anyone willing to spend $120 a month.