Europol-coordinated action disrupts Tycoon2FA phishing platform
International law enforcement agencies coordinated an operation against the phishing service platform Tycoon2FA, seizing 330 of its domains and shutting down related infrastructure. The platform sent tens of millions of phishing messages each month and was used to bypass multi-factor authentication protections.

2026-3-4 17:15:19 Author: www.bleepingcomputer.com


An international law enforcement operation coordinated by Europol has disrupted Tycoon2FA, a major phishing-as-a-service (PhaaS) platform linked to tens of millions of phishing messages each month.

In total, 330 domains that formed part of the criminal service's backbone infrastructure (including control panels and phishing pages) were seized and taken offline during this joint action.

"The technical disruption was led by Microsoft with the support of a coalition of private partners, while seizure of infrastructure and other operational measures were carried out by law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom – all of this coordinated by Europol," Europol said on Wednesday.

"The investigation began after intelligence was shared by Trend Micro. Europol disseminated this information through its EC3 Advisory Groups and operational networks, enabling a coordinated operational strategy to be developed."

The action was also supported by Cloudflare, Coinbase, Intel471, Proofpoint, Shadowserver Foundation, SpyCloud, eSentire, Crowell, Resecurity, and Health-ISAC.

Tycoon2FA (also known as Tycoon 2FA) has been active since at least August 2023 and was used by cybercriminals to bypass multi-factor authentication (MFA) protections and compromise accounts belonging to nearly 100,000 organizations worldwide, including government institutions, schools, and healthcare organizations.

According to Microsoft, Tycoon2FA was generating tens of millions of phishing emails each month by mid-2025, reaching more than 500,000 organizations and accounting for 60% of all blocked phishing attempts.

Tycoon2FA volume of phishing messages (Microsoft)

It operated as an adversary-in-the-middle platform, using a reverse proxy server to intercept victims' login credentials and session cookies in real time, in attacks targeting Microsoft and Google customers.

This allowed attackers to hijack authenticated sessions and circumvent MFA protections, even though the login process appeared to succeed normally from the victims' perspective.

"Tycoon2FA's platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. It also allowed threat actors using its service to establish persistence and to access sensitive information even after passwords are reset, unless active sessions and tokens were explicitly revoked," Microsoft said today.

"This worked by intercepting session cookies generated during the authentication process, simultaneously capturing user credentials. The MFA codes were subsequently relayed through Tycoon2FA's proxy servers to the authenticating service."

Sold through Telegram for $120 for 10 days of access, Tycoon2FA lowered the barrier for low-skilled criminals to launch sophisticated, MFA-bypassing attacks at scale.
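A defender-side sketch of the session-cookie interception and password-reset points above, added here as an example and not taken from Microsoft, Europol or the original article: it flags a session cookie presented by a different client than the one that completed MFA, and sessions still in use after a password reset because they were never revoked. The event tuples and field names are constructed and hypothetical, not a real product's log schema.

```python
# Constructed sample events: (timestamp, user, session_id, event, source_ip, user_agent).
# Field names and values are hypothetical, not a real product's log schema.
EVENTS = [
    ("2026-03-01T09:00:05", "alice", "s-1001", "signin_mfa_ok", "198.51.100.7", "Chrome/Windows"),
    ("2026-03-01T09:03:40", "alice", "s-1001", "mail_read", "203.0.113.50", "python-requests"),
    ("2026-03-01T10:15:00", "alice", None, "password_reset", "192.0.2.10", "Chrome/Windows"),
    ("2026-03-01T10:40:12", "alice", "s-1001", "mail_read", "203.0.113.50", "python-requests"),
    ("2026-03-01T09:10:00", "bob", "s-2002", "signin_mfa_ok", "192.0.2.44", "Safari/macOS"),
    ("2026-03-01T09:30:00", "bob", "s-2002", "file_open", "192.0.2.44", "Safari/macOS"),
    ("2026-03-01T11:00:00", "carol", "s-3003", "signin_mfa_ok", "192.0.2.80", "Edge/Windows"),
    ("2026-03-01T11:20:00", "carol", "s-3003", "file_open", "203.0.113.9", "curl"),
    ("2026-03-01T11:25:00", "carol", "s-3003", "session_revoked", "192.0.2.10", "admin-console"),
]

def replayed_sessions(events):
    """Sessions whose cookie was later presented by a client other than the one that passed MFA."""
    origin, hits = {}, set()
    for ts, user, sid, kind, ip, ua in sorted(events, key=lambda e: e[0]):
        if kind == "signin_mfa_ok":
            origin[sid] = (ip, ua)          # client that completed the MFA sign-in
        elif sid in origin and kind != "session_revoked":
            o_ip, o_ua = origin[sid]
            # An IP change alone is noisy (VPN, mobile); require the user agent to change too.
            if ip != o_ip and ua != o_ua:
                hits.add(sid)
    return hits

def sessions_surviving_reset(events):
    """Sessions opened before the owner's password reset, used after it, and never revoked."""
    started, reset_at, revoked, alive = {}, {}, set(), set()
    for ts, user, sid, kind, ip, ua in sorted(events, key=lambda e: e[0]):
        if kind == "signin_mfa_ok":
            started[sid] = ts
        elif kind == "password_reset":
            reset_at[user] = ts
        elif kind == "session_revoked":
            revoked.add(sid)
        elif user in reset_at and started.get(sid, ts) < reset_at[user]:
            alive.add(sid)                   # old session still active after the reset
    return alive - revoked

if __name__ == "__main__":
    print("cookie replayed from a second client:", sorted(replayed_sessions(EVENTS)))
    print("still live after password reset, revoke now:", sorted(sessions_surviving_reset(EVENTS)))
```

Both checks are heuristics: the first depends on the replaying client differing from the one that signed in, and the second only lists sessions that need explicit revocation.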



Source: https://www.bleepingcomputer.com/news/security/europol-coordinated-action-disrupts-tycoon2fa-phishing-platform/