Global phishing-as-a-service platform Tycoon 2FA taken down

An international coalition of law enforcement authorities and partners from the private sector has taken down hundreds of domain names belonging to the phishing-as-a-service platform Tycoon 2FA.
Since its emergence in August 2023, Tycoon 2FA has become one of the most widespread phishing-as-a-service platforms in the world, enabling campaigns responsible for tens of millions of phishing messages reaching over 500,000 organizations each month in nearly all sectors, including education, healthcare, finance, non-profit, and government.
The Tycoon 2FA phishing kit was developed by a threat actor dubbed Storm-1747, a financially motivated group that leverages Adversary-in-the-Middle tactics to intercept login credentials and multi-factor authentication (MFA) tokens in real time.
According to Microsoft, Tycoon 2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. It also allowed threat actors using the service to keep persistent access to sensitive information even after passwords were reset, unless active sessions and tokens were explicitly revoked.
By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft.
To evade detection, Tycoon 2FA used techniques like anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages.
On Wednesday, law enforcement authorities from Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom managed to take down Tycoon 2FA’s platform by disrupting 330 domains forming the core infrastructure of the criminal service, including phishing pages and control panels.
The law enforcement agencies partnered up with parties from the private sector, including Cloudflare, Coinbase, Intel471, Microsoft, Proofpoint, the Shadowserver Foundation, SpyCloud, and Trend Micro.
Europol’s European Cybercrime Centre (EC3) acted as the central hub between the investigators and private partners.