Tycoon 2FA Fully Operational Despite Law Enforcement Takedown
Tycoon 2FA phishing-as-a-service platform fully operational after law enforcement takedown.
Summary
Despite an international law enforcement operation in early March that seized 330 Tycoon 2FA domains and involved six countries, the phishing-as-a-service platform recovered to pre-disruption activity levels within days, CrowdStrike reports. The platform, responsible for 62% of the phishing attempts Microsoft blocked in 2025, continues to operate with unchanged tactics, generating over 30 million malicious emails monthly and targeting half a million organizations.
Full text
The phishing-as-a-service (PhaaS) platform Tycoon 2FA has continued operating despite an international effort to disrupt it, CrowdStrike reports. A subscription-based service active since 2023, Tycoon 2FA allows miscreants to mount phishing attacks, bypass multi-factor authentication (MFA), and compromise accounts without triggering alerts.

Responsible for 62% of the phishing attempts blocked by Microsoft in 2025, Tycoon 2FA has been used to generate over 30 million malicious emails monthly, targeting half a million organizations. The platform has been linked to roughly 96,000 distinct phishing victims worldwide.

In early March, Europol and Microsoft announced the seizure of 330 active Tycoon 2FA domains and legal action against multiple individuals linked to the PhaaS, as part of an international effort involving law enforcement agencies in six countries and a dozen private companies.

According to CrowdStrike, the takedown left only a minor dent in Tycoon 2FA’s operations, which are now back to pre-disruption levels. On March 4 and 5, immediately after the law enforcement operation, Tycoon 2FA activity dropped to roughly 25% of its prior volume, but returned to previous levels shortly after, with “daily levels of cloud compromise active remediations returning to early 2026 levels”, CrowdStrike says.

“Additionally, Tycoon2FA’s TTPs have not changed following the takedown, indicating that the service’s operations may persist beyond this disruption,” the cybersecurity firm notes.

These TTPs include phishing emails directing victims to malicious CAPTCHA pages, session cookie theft upon CAPTCHA validation, use of JavaScript files to extract the target’s email address, credential proxying via malicious JavaScript files, and use of the stolen credentials to access the victims’ cloud environments. In practice, the kit relays the victim’s credentials and MFA response to the legitimate identity provider and captures the session cookie issued once MFA succeeds; the login itself completes normally, and replaying that cookie grants access without a further MFA prompt, which is how the kit bypasses MFA without producing a failed or MFA-less sign-in to alert on.
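The session-cookie theft step is the part of this chain defenders can look for in their own identity logs: a session that was created by an interactive, MFA-backed sign-in and is then presented from a different client shortly afterwards. The script below is an added example, not code from the article or from CrowdStrike. It assumes a constructed, simplified sign-in log (the field names ts, user, session_id, ip, user_agent and event are assumptions, and the sample lines are made up) and flags any session use whose source IP or user agent differs from the sign-in that created it within a one-hour window.

```python
"""Flag session-cookie replay consistent with AiTM phishing (added example).

This is an added illustration, not code from the article or from CrowdStrike.
It assumes a constructed, simplified sign-in log: one JSON object per line with
the fields ts (UTC, ISO 8601), user, session_id, ip, user_agent and event
("signin" or "session_use"). Those field names are assumptions; map your
identity provider's schema onto them before use.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Session S1 is signed in from a
# browser and used 42 seconds later from another IP with a scripted client;
# session S2 is used only from the device that created it.
SAMPLE_LOG = """
{"ts":"2026-03-05T09:00:00Z","user":"alice@example.com","session_id":"S1","ip":"203.0.113.10","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/122","event":"signin"}
{"ts":"2026-03-05T09:00:42Z","user":"alice@example.com","session_id":"S1","ip":"198.51.100.77","user_agent":"python-requests/2.31","event":"session_use"}
{"ts":"2026-03-05T10:00:00Z","user":"bob@example.com","session_id":"S2","ip":"203.0.113.22","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/122","event":"signin"}
{"ts":"2026-03-05T10:30:00Z","user":"bob@example.com","session_id":"S2","ip":"203.0.113.22","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/122","event":"session_use"}
"""

WINDOW = timedelta(hours=1)  # how soon after sign-in a client mismatch is suspicious


def parse_log(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_session_replay(events, window=WINDOW):
    """Return one finding per session use whose IP or user agent differs from
    the sign-in that created the session, within `window` of that sign-in.

    A stolen cookie presented from attacker infrastructure looks like this:
    the session is valid (no new MFA prompt), but the client presenting it is
    not the one that completed the sign-in.
    """
    origin = {}    # session_id -> the signin record that created it
    findings = []
    for rec in events:
        sid = rec["session_id"]
        if rec["event"] == "signin":
            origin[sid] = rec
            continue
        src = origin.get(sid)
        if src is None:
            continue   # session created before the log window; nothing to compare
        delta = rec["ts"] - src["ts"]
        ip_changed = rec["ip"] != src["ip"]
        ua_changed = rec["user_agent"] != src["user_agent"]
        if (ip_changed or ua_changed) and delta <= window:
            findings.append({
                "user": rec["user"],
                "session_id": sid,
                "signin_ip": src["ip"],
                "use_ip": rec["ip"],
                "ua_changed": ua_changed,
                "seconds_after_signin": int(delta.total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_session_replay(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}: session {f['session_id']} signed in from "
              f"{f['signin_ip']}, used from {f['use_ip']} "
              f"{f['seconds_after_signin']}s later (UA changed: {f['ua_changed']})")
```

One caveat when applying this to a reverse-proxy phishing flow: the MFA sign-in itself originates from the phishing server, so the sign-in IP recorded by the identity provider may already be the attacker's. The user-agent mismatch and the reuse of the session from yet another address shortly after sign-in are what keep the pattern visible, which is why the script treats either an IP change or a user-agent change as a finding rather than requiring both.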
In March, CrowdStrike says, Tycoon 2FA was used for business email compromise (BEC) phishing, email thread hijacking, SharePoint and cloud compromise for phishing URL distribution, and cloud account takeover attacks. CrowdStrike observed Tycoon 2FA attacks failing after their phishing pages were suspended, identified eight IP addresses likely acquired after the takedown operation, and identified phishing domains in use since 2025 that were not covered by the law enforcement action. While Tycoon 2FA likely began recovering the same day Europol and Microsoft announced the takedown, domains associated with the Salty 2FA phishing kit appear to have been affected by the disruption.

“The efforts by Europol and private industry partners to degrade the operations of Tycoon 2FA will likely have a positive impact on the eCrime landscape overall, even if temporary. The service’s disruption likely set back current customers of the service by impeding phishing operations and damaged the long-term reputation of the PhaaS provider in the crimeware landscape,” CrowdStrike notes.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
Indicators of Compromise
- malware — Tycoon 2FA
- malware — Salty 2FA