Europol-Led Operation Dismantles Tycoon 2FA Phishing Service Linked to 64,000 Attacks

A coordinated international operation led by Europol has dismantled Tycoon 2FA, a large phishing-as-a-service platform that enabled cybercriminals to launch credential theft campaigns at scale. The toolkit allowed attackers to conduct adversary-in-the-middle credential harvesting attacks against organizations around the world. Law enforcement agencies worked alongside multiple cybersecurity firms to disrupt the service, which had become one of the most widely used phishing platforms in recent years.

Tycoon 2FA first appeared in August 2023 and quickly gained traction among cybercriminals due to its subscription-based model and easy-to-use infrastructure. According to Europol, the toolkit was sold through the messaging platforms Telegram and Signal, with pricing starting at $120 for 10 days of access or $350 for a monthly subscription to a web-based administration panel. Authorities allege that the primary developer behind the platform is Saad Fridi, who is believed to be based in Pakistan. The service offered a centralized control panel where operators could configure phishing campaigns, manage infrastructure, and track activity in real time. Users of the toolkit were provided with ready-made templates that imitated legitimate login portals, attachment files for common email lures, and configuration options for domains and hosting environments. The system also allowed operators to monitor victim activity and refine campaigns by analyzing sign-in attempts and collected data.

Information captured through these phishing operations included login credentials, multi-factor authentication codes, and session cookies. This data could be downloaded directly from the platform or forwarded to Telegram for immediate monitoring by the attackers. Europol said the toolkit enabled thousands of cybercriminals to quietly gain access to email and cloud service accounts, generating tens of millions of phishing emails every month. The scale of the activity led to unauthorized access attempts against nearly 100,000 organizations worldwide, including schools, hospitals, and public institutions. As part of the coordinated disruption, investigators shut down 330 domains that formed the backbone of the criminal network, including phishing pages and control panels used by operators.

Cybersecurity firms that tracked the activity provided additional insight into the scale of the operation. Intel 471 described Tycoon 2FA as a dangerous platform that was linked to more than 64,000 phishing incidents and thousands of domains used to distribute malicious content. Microsoft monitored the operators under the threat cluster name Storm-1747 and reported that Tycoon 2FA became the most active phishing platform observed by the company in 2025. In October 2025 alone, Microsoft blocked more than 13 million malicious emails connected to the service. By mid-2025, the platform accounted for approximately 62 percent of all phishing attempts blocked by Microsoft, including more than 30 million messages in a single month. Since its emergence in 2023, the platform has been connected to an estimated 96,000 phishing victims globally, including over 55,000 Microsoft customers.

Additional research highlighted the widespread impact across regions and industries. SpyCloud’s analysis of victim log data showed that the United States recorded the highest number of affected users with 179,264 victims, followed by the United Kingdom with 16,901, Canada with 15,272, India with 7,832, and France with 6,823. Researchers observed that the majority of targeted accounts were enterprise-managed or associated with paid domains, suggesting that the service was primarily aimed at business environments rather than individual users. Data from Proofpoint showed that Tycoon 2FA generated the highest volume of adversary-in-the-middle phishing threats, with more than three million messages observed in February 2026 alone. Trend Micro, one of the private sector partners involved in the operation, estimated that the platform had around 2,000 active users.

Campaigns powered by Tycoon 2FA targeted a wide range of sectors including education, healthcare, finance, nonprofit organizations, and government agencies. Each month, phishing emails generated by the toolkit reached more than 500,000 organizations globally. According to Microsoft, attackers using the platform impersonated trusted brands by replicating sign-in pages for services such as Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. The platform was designed to intercept authentication data during login sessions, allowing attackers to maintain access even after passwords were changed unless session tokens were revoked. This technique relied on capturing the session cookies issued after authentication while forwarding multi-factor authentication codes through proxy servers to the legitimate services.

Tycoon 2FA incorporated several technical methods to avoid detection. These included keystroke monitoring, anti-bot filters, browser fingerprinting, complex code obfuscation, self-hosted CAPTCHA systems, custom JavaScript, and dynamic decoy pages. The infrastructure also relied on a mix of top-level domains and short-lived fully qualified domain names hosted on Cloudflare. Many of these domains remained active for only 24 to 72 hours, making it difficult for defenders to maintain effective blocklists. Attackers also used a tactic known as account takeover jumping, where a compromised email account distributes phishing links to its contacts, increasing the likelihood that recipients trust the message. Proofpoint researchers noted that such techniques make phishing campaigns appear legitimate and significantly improve the chances of successful account compromise.
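As an added defender-side example (not from the article or any of the vendors named in it), the two sign-in patterns the proxied flow above leaves in identity-provider logs, run over a constructed log: the interactive MFA sign-in arrives from the proxy's network rather than the user's, and the captured session cookie is later presented from somewhere else again. The field names, the per-user ASN baseline and the sample records are assumptions; map your IdP's export to them.

```python
"""Added example: flag sign-in patterns produced by adversary-in-the-middle
credential and cookie capture, over a constructed log (assumed schema)."""
from datetime import datetime, timedelta

# Constructed baseline of the ASNs each user normally signs in from.
KNOWN_ASNS = {"alice@example.org": {"AS64496"}, "bob@example.org": {"AS64496"}}

# Constructed sample log. Alice's MFA completes from an unfamiliar ASN (the
# proxy's egress) and her token is then used from yet another ASN; Bob is normal.
SAMPLE_LOG = [
    {"user": "alice@example.org", "event": "interactive_mfa", "ip": "198.51.100.7", "asn": "AS64500", "time": "2026-02-10T09:00:00"},
    {"user": "alice@example.org", "event": "token_use", "ip": "192.0.2.45", "asn": "AS64501", "time": "2026-02-10T09:04:00"},
    {"user": "bob@example.org", "event": "interactive_mfa", "ip": "203.0.113.22", "asn": "AS64496", "time": "2026-02-10T09:10:00"},
    {"user": "bob@example.org", "event": "token_use", "ip": "203.0.113.22", "asn": "AS64496", "time": "2026-02-10T09:30:00"},
]


def find_aitm_indicators(log, known_asns, window=timedelta(hours=24)):
    """Return (user, reason, asn) findings.

    mfa_from_unknown_asn: MFA satisfied from an ASN the user never uses; in a
    proxied phish this is the phishing proxy, not the victim's own network.
    token_replay: the session token presented from an ASN other than the one
    that completed MFA within `window`. The cookie outlives a password reset,
    so the fix is to revoke the user's sessions, not only reset the password.
    """
    last_mfa = {}
    findings = []
    for ev in sorted(log, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user, asn = ev["user"], ev["asn"]
        if ev["event"] == "interactive_mfa":
            last_mfa[user] = (asn, t)
            if asn not in known_asns.get(user, set()):
                findings.append((user, "mfa_from_unknown_asn", asn))
        elif ev["event"] == "token_use" and user in last_mfa:
            mfa_asn, mfa_t = last_mfa[user]
            if asn != mfa_asn and t - mfa_t <= window:
                findings.append((user, "token_replay", asn))
    return findings


def users_needing_session_revocation(findings):
    """Users with a token_replay finding: their existing sessions must be invalidated."""
    return sorted({u for u, reason, _ in findings if reason == "token_replay"})


if __name__ == "__main__":
    hits = find_aitm_indicators(SAMPLE_LOG, KNOWN_ASNS)
    for hit in hits:
        print(hit)
    print("revoke sessions for:", users_needing_session_revocation(hits))
```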
