Global Coalition Dismantles Tycoon 2FA Phishing Service Operation

Tycoon 2FA Phishing-as-a-Service PhaaS Cybersecurity Europol Credential Harvesting MFA Bypass Adversary-in-the-Middle
D
Daniel Richter

ओपन-सोर्स सुरक्षा और लिनक्स गोपनीयता विशेषज्ञ

 
4 मार्च 2026
3 मिनट का पठन
Global Coalition Dismantles Tycoon 2FA Phishing Service Operation

TL;DR

A massive global operation has dismantled Tycoon 2FA, a leading phishing-as-a-service (PhaaS) platform. This subscription-based service, sold via messaging apps, facilitated sophisticated adversary-in-the-middle attacks, enabling cybercriminals to harvest credentials, MFA codes, and session cookies at scale. The platform's takedown is a significant win against cybercrime, impacting hundreds of thousands of victims worldwide.

Tycoon 2FA PhaaS Platform Dismantled in Global Operation

A global coalition, led by Europol and involving law enforcement agencies and security firms, has dismantled the Tycoon 2FA phishing-as-a-service (PhaaS) platform. This platform facilitated adversary-in-the-middle (AitM) credential harvesting attacks on a massive scale. The subscription-based phishing kit was sold via Telegram and Signal and was used to harvest credentials, multi-factor authentication (MFA) codes, and session cookies. The primary developer is alleged to be Saad Fridi, based in Pakistan.

Alt text

Image courtesy of The Hacker News

Scale and Impact of Tycoon 2FA

Europol described Tycoon 2FA as one of the largest phishing operations worldwide, enabling cybercriminals to access email and cloud-based service accounts covertly. Intel 471 reported the kit was linked to over 64,000 phishing incidents and tens of thousands of domains. Microsoft blocked over 13 million malicious emails linked to the service in October 2025, accounting for approximately 62% of all phishing attempts blocked by Microsoft by mid-2025. The service has affected an estimated 96,000 distinct phishing victims worldwide since 2023.

Technical Details of the Platform

The Tycoon 2FA panel served as a central hub for campaign configuration, tracking, and refinement, featuring pre-built templates, attachment files, domain and hosting configuration, and victim tracking. The platform intercepted session cookies, even after password resets, unless active sessions and tokens were explicitly revoked. It also employed keystroke monitoring, anti-bot screening, browser fingerprinting, and dynamic decoy pages to evade detection. The phishing infrastructure was hosted on Cloudflare using short-lived fully qualified domain names (FQDNs) to complicate detection.

Alt text

Image courtesy of Point Wild

Geographic Distribution and Victimology

SpyCloud analysis of victim log data showed the U.S. had the largest concentration of identified victims (179,264), followed by the U.K. (16,901), Canada (15,272), India (7,832), and France (6,823). Proofpoint observed over three million messages associated with the phishing kit in February 2026 alone. Trend Micro noted the PhaaS platform had approximately 2,000 users. Campaigns targeted almost all sectors, including education, healthcare, finance, non-profit, and government.

Attack Chain and Techniques

The attack chain began with phishing emails containing malicious links or QR codes that redirected victims to fake login pages. These pages often mimicked services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail, dynamically tailored to match the target organization's branding. Intel 471 noted that Tycoon 2FA was sold and supported primarily through Telegram channels operated by its alleged developers, often associated with the Saad Tycoon Group.

Alt text

Image courtesy of The Hacker News

Recommendations for Enhanced Security

The takedown of Tycoon 2FA highlights the need for robust security measures beyond basic MFA. Trend Micro recommends adopting phishing-resistant authentication mechanisms, deploying advanced email and collaboration security, enabling real-time URL inspection, monitoring identity risk posture, and conducting regular phishing simulations. squirrelvpn.com, offers cutting-edge news, insights, and updates on VPN technology and online privacy that can help protect against such threats.

Enhance your online security with squirrelvpn.com. Explore our in-depth articles, news updates, and features on VPN technology, and tips for enhancing online security and privacy. Contact us today to learn more about how our services can protect you from phishing attacks and other cyber threats.

D
Daniel Richter

ओपन-सोर्स सुरक्षा और लिनक्स गोपनीयता विशेषज्ञ

 

डैनियल रिक्टर एक ओपन-सोर्स सॉफ्टवेयर समर्थक और लिनक्स सुरक्षा विशेषज्ञ हैं, जिन्होंने टोर (Tor), टेल्स (Tails) और विभिन्न ओपन-सोर्स वीपीएन क्लाइंट्स सहित गोपनीयता-केंद्रित कई परियोजनाओं में योगदान दिया है। सिस्टम प्रशासन में 15 वर्षों से अधिक के अनुभव और सॉफ्टवेयर स्वतंत्रता के प्रति गहरी प्रतिबद्धता के साथ, डैनियल साइबर सुरक्षा लेखन में समुदाय-संचालित दृष्टिकोण लाते हैं। वह लिनक्स सिस्टम को सुरक्षित बनाने पर एक व्यक्तिगत ब्लॉग चलाते हैं और उन्होंने गोपनीयता-केंद्रित ओपन-सोर्स परियोजनाओं के दर्जनों योगदानकर्ताओं का मार्गदर्शन किया है।

संबंधित समाचार

Private Internet Access Updates WireGuard and OpenVPN Protocol Implementations to Strengthen Remote Access Security
WireGuard and OpenVPN protocol security updates

Private Internet Access Updates WireGuard and OpenVPN Protocol Implementations to Strengthen Remote Access Security

Private Internet Access upgrades WireGuard and OpenVPN protocols to boost remote access security, performance, and encryption stability. Learn how it impacts you.

द्वारा Viktor Sokolov 10 जुलाई 2026 4 मिनट का पठन
common.read_full_article
Critical CitrixBleed Vulnerability Under Active Exploitation Prompts Urgent Security Patch for NetScaler Gateways
CitrixBleed

Critical CitrixBleed Vulnerability Under Active Exploitation Prompts Urgent Security Patch for NetScaler Gateways

Critical vulnerability CVE-2023-4966 is under active exploitation. Patch your NetScaler ADC and Gateway appliances immediately to prevent session hijacking.

द्वारा Marcus Chen 9 जुलाई 2026 4 मिनट का पठन
common.read_full_article
WatchGuard Issues Third Critical IKEv2 Patch in Ten Months as Legacy Firebox Devices Remain Exposed
CVE-2026-13368

WatchGuard Issues Third Critical IKEv2 Patch in Ten Months as Legacy Firebox Devices Remain Exposed

WatchGuard issues third critical IKEv2 patch in ten months. Learn how CVE-2026-13368 affects your Firebox appliances and the risks to legacy hardware.

द्वारा Elena Voss 8 जुलाई 2026 4 मिनट का पठन
common.read_full_article
Dropbox Security Breach Prompts Enterprise Review of Encryption Protocols and Remote Access Alternatives for 2026
Dropbox security breach

Dropbox Security Breach Prompts Enterprise Review of Encryption Protocols and Remote Access Alternatives for 2026

Following the Dropbox security breach, enterprises are urgently reviewing encryption protocols and remote access alternatives. Learn the impact and 2026 security trends.

द्वारा James Okoro 7 जुलाई 2026 4 मिनट का पठन
common.read_full_article