Law enforcement disrupted Tycoon 2FA phishing-as-a-service platform

Authorities disrupted the Tycoon 2FA phishing-as-a-service platform used to send millions of phishing emails to over 500,000 orgs worldwide.

The joint effort, led by Microsoft, Europol, and industry partners, aimed to target the infrastructure of Tycoon 2FA phishing-as-a-service platform responsible for tens of millions of fraudulent emails reaching over 500,000 organizations each month worldwide.

By mid‑2025, the service accounted for approximately 62 percent of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon2FA among the largest phishing operations globally. Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.

Resecurity acquired access to Tycoon 2FA, widely used by thousands of cybercriminals to impersonate real users and gain unauthorized access to email and online service accounts, including Microsoft 365, Outlook, and Gmail. As one of its evasion mechanisms, the PhaaS leveraged URL rotation by abusing open redirect vulnerabilities on third-party websites. Another mechanism that enables the protection of malicious instances generated by Tycoon 2FA is the misuse of Cloudflare (Workers).

“The author of Tycoon 2FA is actively updating the tool with regular kit updates.” reads the report published by Resecurity. “What makes Tycoon 2FA so special is that the kit effectively combines multiple methods to deliver phishing at scale—from PDF attachments to QR codes.”

Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow‑on attacks such as data theft, ransomware, business email compromise, and financial fraud.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PhaaS)