A global coalition of law enforcement agencies and private-sector companies has disrupted Tycoon 2FA, one of the world's most prolific "Phishing-as-a-Service" (PhaaS) platforms. Led by Microsoft and Europol, the coordinated action took 330 malicious domains offline, severing a major pipeline that targeted over 500,000 organizations monthly.
Since at least 2023, Tycoon 2FA operated as a subscription-based toolkit for criminals. Unlike traditional phishing kits that merely copy a login page and harvest what the victim types, it functioned as an Adversary-in-the-Middle (AiTM) platform: a reverse proxy that sits between the victim and the real login page and relays the live authentication exchange in both directions.
Because the victim's credentials and one-time MFA code are forwarded to services such as Microsoft 365 and Gmail in real time, the legitimate service issues a fully authenticated session cookie, which the proxy captures. The attacker then imports that cookie into their own browser and uses the account without being prompted for MFA again, and, since the login itself completed normally, often without triggering alerts. This defeats OTP, SMS and push-based MFA, whose proofs are not bound to the site the user is actually on; phishing-resistant methods such as FIDO2 security keys and passkeys are not relayable, because the browser binds the signed assertion to the origin it is connected to.
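The difference described above can be made concrete with a small model. The following Python is an added example written for this page, not Tycoon 2FA's code or anything from Microsoft or Europol. It models a relying party that accepts either a TOTP code or a WebAuthn assertion, and a proxy that forwards the victim's responses. All identifiers (`login.example.com`, the `evil.test` proxy host, the TOTP seed, the credential key) are constructed; an HMAC stands in for the authenticator's asymmetric credential key, which does not change the property being shown, namely that the signed data includes the origin and rpIdHash the browser saw.

```python
"""Why an AiTM proxy can relay a TOTP code but not a WebAuthn/FIDO2 assertion.

Toy model written for this article (not Tycoon 2FA's code). Origins, seeds and
keys are constructed; HMAC stands in for the authenticator's asymmetric key.
"""
import hashlib
import hmac
import json
import os
import struct

RP_ID = "login.example.com"                            # hypothetical relying party
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example-com.evil.test"   # hypothetical AiTM proxy host
TOTP_SEED = b"constructed-totp-seed"                   # shared secret (victim <-> service)
CRED_KEY = b"constructed-credential-key"               # victim's authenticator key (simplified)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def service_verify_totp(submitted: str, now: int) -> bool:
    """The real service only sees a six-digit string; it cannot tell where it was typed."""
    return hmac.compare_digest(submitted, totp(TOTP_SEED, now))


def browser_webauthn_get(challenge: bytes, origin: str) -> dict:
    """Browser + authenticator. The browser, not the page, records the origin it is
    connected to and derives rpId from that origin's host; the authenticator then
    signs rpIdHash || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True).encode()
    host = origin.split("://", 1)[1].split("/", 1)[0]
    rp_id_hash = hashlib.sha256(host.encode()).digest()
    sig = hmac.new(CRED_KEY, rp_id_hash + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "signature": sig}


def service_verify_assertion(a: dict, challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks, abridged from the WebAuthn assertion verification steps."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if a["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CRED_KEY, a["rp_id_hash"] + hashlib.sha256(a["client_data"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["signature"]):
        return False, "bad signature"
    return True, "ok"


def simulate(now: int = 1_700_000_000) -> dict:
    """Victim is on the phishing page; the proxy forwards everything to the real service."""
    results = {}
    # 1. TOTP: the victim reads the code from their app and types it into the proxy's
    #    page; the proxy forwards it within the same time step. The service accepts.
    code_typed_by_victim = totp(TOTP_SEED, now)
    results["totp_relayed"] = service_verify_totp(code_typed_by_victim, now)

    # 2. WebAuthn: the proxy forwards the service's challenge to the victim's browser,
    #    but the browser signs for the origin it is actually on (the phishing host).
    challenge = os.urandom(32)                      # issued by the real service
    assertion = browser_webauthn_get(challenge, PHISH_ORIGIN)
    results["webauthn_relayed"] = service_verify_assertion(assertion, challenge)

    # 3. The proxy patches the origin and rpIdHash on the way through. Both are
    #    covered by the signature, so the forgery fails at the signature check.
    cd = json.loads(assertion["client_data"])
    cd["origin"] = REAL_ORIGIN
    forged = {"client_data": json.dumps(cd, sort_keys=True).encode(),
              "rp_id_hash": hashlib.sha256(RP_ID.encode()).digest(),
              "signature": assertion["signature"]}
    results["webauthn_forged"] = service_verify_assertion(forged, challenge)

    # 4. Control: the same credential used directly on the real origin is accepted.
    results["webauthn_direct"] = service_verify_assertion(
        browser_webauthn_get(challenge, REAL_ORIGIN), challenge)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:18s} {outcome}")
```

Running `simulate()` shows the relayed TOTP accepted while the relayed assertion is rejected on origin mismatch and the patched one on signature mismatch; only the assertion produced on the real origin passes. The ordering of checks mirrors the point that matters operationally: an AiTM kit never needs to break cryptography to defeat OTP or push MFA, and it cannot avoid breaking it to defeat an origin-bound credential.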
Attackers often leveraged a single compromised account to broadly distribute phishing URLs to the victim’s trusted contacts, significantly increasing the likelihood of successful secondary compromises.
The platform lowered the technical bar, allowing low-skill criminals to run high-volume campaigns that generated tens of millions of fraudulent emails every month.
Tycoon 2FA's footprint was massive, accounting for approximately 62% of all phishing attempts blocked by Microsoft by mid-2025. Proofpoint data indicates that in 2025 alone, 99% of organizations faced account takeover attempts, and that 59% of successful breaches occurred on accounts where MFA was already enabled.
| Industry Sector | Campaign Prevalence | Impacted Areas |
|---|---|---|
| Technology | 85% | Proprietary data theft |
| Financial Services | 84% | Financial fraud and fund tracing |
| Healthcare | 83% | Interrupted patient care and delayed treatment |
| Manufacturing | 83% | Business email compromise (BEC) |
| Education | 75% | Strained budgets and disrupted schools |
The platform was allegedly managed by a primary developer, Saad Fridi, believed to be based in Pakistan, who operated alongside a network of specialists handling marketing and technical support.
The ecosystem was highly interdependent. For example, Tycoon 2FA operators frequently collaborated with services like RedVDS, which provided the cheap virtual computing power needed to launch mass email campaigns. Microsoft's investigation also uncovered direct correspondence between the operators of Tycoon 2FA and the now-arrested developer of RaccoonO365, showing that the criminal market is a tight-knit community of competitors and allies.
The disruption was orchestrated through Europol’s Cyber Intelligence Extension Programme (CIEP), which transformed private-sector telemetry into law enforcement action.
Microsoft and the Health-ISAC filed a civil lawsuit in the U.S. District Court for the Southern District of New York against the alleged creator and associates.
Law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom executed physical seizures of servers and other critical infrastructure.
Industry partners including Trend Micro, Proofpoint, Cloudflare, and Coinbase provided the technical expertise and victimology data required to assemble the full picture of the operation.
While the takedown of 330 domains is a significant blow, experts warn that the impersonation economy is resilient. As one service falls, attackers often shift to alternatives, making sustained, coordinated pressure essential.