A joint operation involving technology companies and law enforcement agencies, including Coinbase, has dismantled the core infrastructure behind Tycoon 2FA, a major phishing-as-a-service platform that provided tools designed to bypass multi-factor authentication.
Europol announced Wednesday that Microsoft helped block 330 domains associated with the platform, while authorities also seized additional infrastructure used to run the service.
Financial tracking played an important role in the investigation. Coinbase said it assisted by tracing blockchain transactions linked to funding the Tycoon 2FA operation, which helped investigators identify the platform’s suspected administrator and several of its users.
“Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and initial access, forcing criminals to rebuild, retool and take on greater risk,” Coinbase said.

Phishing scams were identified as the second-largest threat in 2025 by blockchain security firm CertiK, with crypto investors losing $722 million across 248 incidents. A spokesperson for PeckShield told Cointelegraph on Monday that phishing continues to be a “persistent threat” in 2026.
Tycoon tools used to bypass multi-factor authentication
Tycoon’s toolkit included spoofed landing pages designed to mimic legitimate websites and steal user credentials. According to Coinbase, the platform also captured session cookies and authentication tokens, allowing attackers to bypass multi-factor authentication (MFA).
Typically, when a user logs in with MFA enabled, the system generates a session token that serves as proof of authentication and is stored in the user’s browser. If attackers obtain this token, they can use it to trick the system into granting access without needing to pass MFA again.
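Because a stolen session token is accepted without a new MFA challenge, defenders often look for tokens that reappear from a different client than the one that completed MFA. The sketch below is an added example, not code from Coinbase, Microsoft or Europol; the log format, field names and sample lines are constructed assumptions.

```python
# Added example: flag session tokens presented from a client context that
# differs from the one that completed MFA. The log format and field names are
# assumptions, and the sample lines are constructed (values contain no spaces).
from dataclasses import dataclass

SAMPLE_LOG = """\
2026-01-10T09:00:01Z login_mfa_ok user=alice sid=s1 ip=198.51.100.7 ua=Firefox/128
2026-01-10T09:02:10Z request user=alice sid=s1 ip=198.51.100.7 ua=Firefox/128
2026-01-10T09:05:44Z request user=alice sid=s1 ip=203.0.113.50 ua=python-requests/2.32
2026-01-10T09:06:00Z login_mfa_ok user=bob sid=s2 ip=192.0.2.15 ua=Chrome/126
2026-01-10T09:07:30Z request user=bob sid=s2 ip=192.0.2.15 ua=Chrome/126
2026-01-10T09:08:00Z request user=carol sid=s9 ip=203.0.113.50 ua=Chrome/126
"""

@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    sid: str
    reason: str

def parse_line(line):
    """Split 'timestamp event key=value ...' into a dict."""
    ts, event, *pairs = line.split()
    record = {"ts": ts, "event": event}
    record.update(pair.split("=", 1) for pair in pairs)
    return record

def find_replayed_sessions(log_text):
    """Return findings for requests whose session is not bound to their client."""
    bound = {}      # sid -> (ip, ua) recorded when MFA succeeded
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        r = parse_line(line)
        context = (r["ip"], r["ua"])
        if r["event"] == "login_mfa_ok":
            bound[r["sid"]] = context
        elif r["sid"] not in bound:
            findings.append(Finding(r["ts"], r["user"], r["sid"],
                                    "no MFA login seen for session"))
        elif bound[r["sid"]] != context:
            findings.append(Finding(r["ts"], r["user"], r["sid"],
                                    "client context changed after MFA"))
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(finding)
```

IP addresses and user agents also change for legitimate reasons, such as a switch between mobile and Wi-Fi networks, so a finding is better treated as a trigger for re-authentication than as proof of theft.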

“This combination — high-fidelity phishing lures and session-token theft — makes phishing a reliable gateway to more serious crimes such as account takeovers, business email compromise, invoice fraud and further social engineering attacks,” Coinbase said.
One of the largest phishing platforms globally
Tycoon has been active since at least 2023, according to Steven Masada, assistant general counsel at the Digital Crimes Unit of Microsoft. By mid-2025, the platform was responsible for 62% of phishing attempts blocked by Microsoft, including more than 30 million malicious emails in a single month.
“That placed Tycoon 2FA among the largest phishing operations in the world,” Masada said, adding that the platform lowered the technical barriers for cybercriminals, enabling individuals with limited expertise to run sophisticated impersonation campaigns.
Masada noted that organizations across multiple sectors — including healthcare and education — were targeted by the platform. Attacks linked to Tycoon 2FA led to rerouted invoices, theft of sensitive information, network lockouts and even disruptions to patient care.
“Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect individuals and organizations from follow-on attacks such as data theft, ransomware, business email compromise and financial fraud,” he said.

