Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
嗯,用户让我总结这篇文章的内容,控制在100字以内,而且不需要特定的开头。首先,我需要通读整篇文章,抓住主要信息。 文章讲的是一个名为Tycoon 2FA的钓鱼工具包被执法机构和安全公司 dismantled。这个工具包允许网络犯罪分子进行大规模的中间人攻击,窃取凭证。它通过Telegram和Signal销售,价格从120美元到350美元不等。主要开发者是Saad Fridi,来自巴基斯坦。 这个工具包的功能包括配置、跟踪和优化钓鱼活动,提供模板、附件文件、域名配置等。它捕获的凭证包括MFA代码和会话cookie,可以通过面板或Telegram下载。 影响方面,每月发送数千万钓鱼邮件,影响近10万家组织,包括学校、医院等。涉及超过64,000次钓鱼事件和数万域名。美国受害者最多,其次是英国、加拿大等。 最后,执法行动关闭了330个域名,并指出该工具包对企业和政府机构构成严重威胁。 现在我需要把这些要点浓缩到100字以内。确保涵盖主要事件、功能、影响和结果。 </think> Tycoon 2FA, a phishing-as-a-service toolkit enabling large-scale credential harvesting attacks, was dismantled by law enforcement and security firms. The subscription-based tool, sold via Telegram and Signal, allowed operators to configure and track phishing campaigns, capturing credentials, MFA codes, and session cookies. It generated tens of millions of phishing emails monthly, targeting nearly 100,000 organizations globally. The operation involved taking down 330 domains linked to the platform. 2026-3-5 06:51:0 Author: thehackernews.com(查看原文) 阅读量:10 收藏

Tycoon 2FA, one of the prominent phishing-as-a-service (PhaaS) toolkits that allowed cybercriminals to stage adversary-in-the-middle (AitM) credential harvesting attacks at scale, was dismantled by a coalition of law enforcement agencies and security companies.

The subscription-based phishing kit, which first emerged in August 2023, was described by Europol as one of the largest phishing operations worldwide. The kit was sold via Telegram and Signal for a starting price of $120 for 10 days or $350 for access to a web-based administration panel for a month. Tycoon 2FA's primary developer is alleged to be Saad Fridi, who is said to be based in Pakistan.

The panel serves as a hub for configuring, tracking, and refining campaigns. It features pre‑built templates, attachment files for common lure formats, domain and hosting configuration, redirect logic, and victim tracking. Operators can also configure how the malicious content is delivered through attachments, as well as keep tabs on valid and invalid sign-in attempts.

The captured information, such as credentials, multi-factor authentication (MFA) codes, and session cookies, can be downloaded directly within the panel or forwarded to Telegram for near‑real‑time monitoring.

"It enabled thousands of cybercriminals to covertly access email and cloud-based service accounts," Europol said. "At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions."

As part of the coordinated effort, 330 domains that formed the backbone of the criminal service, including phishing pages and control panels, have been taken down.

Characterizing Tycoon 2FA as "dangerous," Intel 471 said the kit was linked to over 64,000 phishing incidents and tens of thousands of domains, generating tens of millions of phishing emails each month. According to Microsoft, which is tracking the operators of the service under the name Storm-1747, Tycoon 2FA became the most prolific platform observed by the company in 2025, prompting it to block more than 13 million malicious emails linked to the crimeware service in October 2025.

In total, Tycoon 2FA accounted for approximately 62% of all phishing attempts blocked by Microsoft as of mid-2025, including more than 30 million emails in a single month. The service has been linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers, the tech giant added.

Tycoon 2FA Evolution Timeline (Source: Point Wild)

\

Geographic analysis of victim log data by SpyCloud indicates that the U.S. had the largest concentration of identified victims (179,264), followed by the U.K. (16,901), Canada (15,272), India (7,832), and France (6,823).

"The overwhelming majority of targeted accounts were enterprise-managed or otherwise associated with paid domains, reinforcing the conclusion that Tycoon 2FA is primarily directed at business environments rather than individual consumer accounts," the cybersecurity company said.

Data from Proofpoint shows that Tycoon 2FA accounted for the highest volume AiTM phishing threats. The email security company said it observed over three million messages associated with the phishing kit in February 2026 alone. Trend Micro, which was one of the private sector partners in the operation, noted that the PhaaS platform had approximately 2,000 users.

Campaigns leveraging Tycoon 2FA have indiscriminately targeted almost all sectors, including education, healthcare, finance, non-profit, and government. Phishing emails sent from the kit reached over 500,000 organizations each month worldwide. 

"Tycoon 2FA's platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail," Microsoft said

"It also allowed threat actors using its service to establish persistence and to access sensitive information even after passwords are reset, unless active sessions and tokens were explicitly revoked. This worked by intercepting session cookies generated during the authentication process, simultaneously capturing user credentials. The MFA codes were subsequently relayed through Tycoon 2FA's proxy servers to the authenticating service."

The kit also employed techniques like keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages to sidestep detection efforts. Another key aspect is the use of a broader mix of top-level domains (TLDs) and short-lived fully qualified domain names (FQDNs) to host the phishing infrastructure on Cloudflare.

The FQDNs often only last for 24 to 72 hours, with the rapid turnover a deliberate effort to complicate detection and prevent building reliable blocklists. Microsoft also attributed Tycoon 2FA's success to closely mimicking legitimate authentication processes to stealthily intercept user credentials and session tokens.

To make matters worse, Tycoon 2FA customers leveraged a technique called ATO Jumping, whereby a compromised email account is used to distribute Tycoon 2FA URLs and attempt further account takeover activities. "Using this technique enables emails to look like they are authentically coming from a victim’s trusted contact, increasing the likelihood of a successful compromise," Proofpoint noted.

Phishing kits like Tycoon are designed to be flexible so that it's accessible to less technically savvy actors while still offering advanced capabilities for more experienced operators.

"In 2025, 99% of organizations experienced account takeover attempts in 2025, and 67% experienced a successful account takeover," Selena Larson, staff threat researcher at Proofpoint, said in a statement shared with The Hacker News. "Of these, 59% of the taken-over accounts had MFA enabled. While not all of these attacks were related to Tycoon MFA, this shows the impact of AiTM phishing on enterprises."

"These cyberattacks that enable full account takeovers can lead to disastrous impacts, including ransomware or the loss of sensitive data. As threat actors continue to prioritize identity, gaining access to enterprise email accounts is often the first step in an attack chain that can have destructive consequences."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.


文章来源: https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html
如有侵权请联系:admin#unsafe.sh