An international coalition took down the attackers operating the Tycoon 2FA phishing‑as‑a‑service platform, in an action announced on March 4, 2026.
The disruption matters because the service stole multi‑factor authentication codes, giving criminals access to high‑value accounts across finance, cloud, and email providers.
Tycoon 2FA offered a subscription model that let clients launch large‑scale phishing campaigns using a legitimate new‑device login flow to harvest one‑time codes [1][2]. The platform’s “device‑code” method mimics the code‑exchange step of modern authentication, tricking users into entering a code that appears on a trusted device [1] — a technique harder for traditional filters to detect.
Law‑enforcement agencies, led by Europol, partnered with Microsoft, Coinbase, Trend Micro, and other security firms to infiltrate the service’s infrastructure and seize control of its command‑and‑control servers [4][5]. A press release issued from Dallas, Texas, U.S., detailed the coordinated takedown and praised the cross‑border effort [5].
The operation halted a service that accounted for 62 % of phishing attempts blocked by Microsoft by mid‑last year [6] and stopped the flow of more than 30 million malicious emails in a single month [6]. Those figures illustrate the scale at which Tycoon 2FA operated before the intervention.
Experts say the takedown sends a clear signal to cyber‑crime‑as‑a‑service providers that coordinated international action can dismantle even sophisticated subscription‑based platforms [3].
**What this means**: By neutralizing a tool that leveraged legitimate authentication processes, the coalition has reduced the immediate threat to enterprises and consumers relying on MFA. The disruption also highlights the growing importance of public‑private partnerships in combating adaptable phishing services that evolve beyond simple credential‑stealing tactics.