Europol-Led Operation Disrupts 2FA Phishing-as-a-Service Used in 64,000 Attacks

Takedown of Tycoon 2FA Phishing-as-a-Service Platform

A global law enforcement operation has dismantled a prominent phishing-as-a-service (PhaaS) platform known as Tycoon 2FA, which was linked to over 64,000 phishing incidents and tens of thousands of domains.

About Tycoon 2FA

Tycoon 2FA was a subscription-based service that allowed cybercriminals to stage adversary-in-the-middle (AitM) credential harvesting attacks at scale.

The primary developer of Tycoon 2FA is alleged to be Saad Fridi, who is said to be based in Pakistan.

Features and Services

The platform featured a range of tools and services, including pre-built templates, attachment files for common lure formats, domain and hosting configuration, redirect logic, and victim tracking.

Operation and Takedown

As part of the coordinated effort, 330 domains that formed the backbone of the criminal service, including phishing pages and control panels, have been taken down.

The operation was carried out by a coalition of law enforcement agencies and security companies, including Europol, Microsoft, and Trend Micro.

According to Microsoft, which tracked the operators of the service under the name Storm-1747, Tycoon 2FA became the most prolific platform observed by the company in 2025.

Impact and Statistics

The service has been linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.

The victims were primarily from enterprise environments, with the U.S. having the largest concentration of identified victims, followed by the U.K., Canada, India, and France.

Techniques and Implications

Tycoon 2FA employed a range of techniques to evade detection, including keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages.

The use of Tycoon 2FA by cybercriminals has significant implications for enterprises, as it enabled threat actors to impersonate trusted brands and access sensitive information.

As Selena Larson, staff threat researcher at Proofpoint, noted, “These cyberattacks that enable full account takeovers can lead to disastrous impacts, including ransomware or the loss of sensitive data.”

Conclusion

The takedown of Tycoon 2FA is a significant blow to the phishing-as-a-service industry, but it highlights the need for enterprises to prioritize identity security and implement robust security measures to prevent similar attacks.


