Law enforcement and tech firms take down Tycoon phishing platform - Computing UK
Law enforcement and tech firms take down Tycoon phishing platform
More than 300 domains seized
Dev Kundaliya
5 March 2026
A coalition of technology companies and law enforcement agencies has dismantled a cybercrime platform generating tens of millions of phishing emails every month.
Attackers used the Tycoon 2FA platform to bypass multi-factor authentication (MFA) and target organisations worldwide.
Microsoft said it led the operation alongside Europol and authorities from six countries, seizing 330 internet domains used to host the platform's core infrastructure, including control panels and fake login pages designed to capture user credentials.
Europol said the operation involved coordinated action by law enforcement agencies in Lithuania, Latvia, Spain, Poland, Portugal and the United Kingdom.
The investigation began after cybersecurity firm Trend Micro shared intelligence with Europol, enabling joint strategy discussions.
Other organisations supporting the operation included Cloudflare, Coinbase, Intel471, Proofpoint, eSentire, SpyCloud, Crowell, Resecurity, the Shadowserver Foundation and the Health-ISAC threat-sharing group.
Platform responsible for nearly two-thirds of observed phishing attempts
Tycoon 2FA had been active since at least August 2023. Security researchers say criminals used the platform to launch large-scale phishing attacks that bypassed MFA.
By mid-2025 the platform was generating tens of millions of phishing emails each month, targeting more than 500,000 organisations globally and accounting for about 60% of all phishing attempts blocked by Microsoft.
The attacks focused on accounts linked to services from Microsoft and Google, including login pages for Microsoft 365, Outlook, OneDrive, SharePoint and Gmail.
Tycoon 2FA worked as an "adversary-in-the-middle" service, using a reverse proxy to intercept login credentials and authentication codes in real time.
Although victims appeared to log in successfully, attackers were simultaneously capturing session cookies and credentials, allowing them to hijack authenticated sessions and bypass MFA protections.
Microsoft said this technique could allow criminals to maintain access even after a victim's password was changed unless all active sessions and tokens were revoked.
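A defender-side way to look for the session-cookie replay described above, added here as an example that is not from the article or from any of the organisations it names: a stolen session used from a second client fingerprint shortly after sign-in is flagged, and every session of the affected user is listed for revocation rather than only the one that was replayed. All events, IPs and user agents are constructed.

```python
# Added example (not from the article): flag the post-phishing stage described
# above, where a stolen session cookie is replayed by the attacker while the
# victim also appears signed in. The log events below are constructed sample data.
from collections import defaultdict
from datetime import datetime

# Constructed events: (timestamp, session_id, user, source_ip, user_agent)
EVENTS = [
    ("2026-03-01T09:00:00", "s-1001", "alice", "203.0.113.10", "Windows/Edge"),
    ("2026-03-01T09:00:05", "s-1001", "alice", "203.0.113.10", "Windows/Edge"),
    ("2026-03-01T09:03:30", "s-1001", "alice", "198.51.100.77", "Linux/curl"),  # replayed cookie
    ("2026-03-01T09:10:00", "s-2002", "bob",   "203.0.113.20", "macOS/Safari"),
    ("2026-03-01T09:40:00", "s-2002", "bob",   "203.0.113.20", "macOS/Safari"),
]

def find_replayed_sessions(events, window_minutes=30):
    """Return {session_id: [(ip, ua), ...]} for sessions used from more than one
    client fingerprint within `window_minutes` of their first sighting.
    A proxy can forward the victim's IP, so treat this as a triage signal, not proof."""
    by_session = defaultdict(list)
    for ts, sid, user, ip, ua in events:
        by_session[sid].append((datetime.fromisoformat(ts), user, ip, ua))
    suspicious = {}
    for sid, rows in by_session.items():
        rows.sort()                      # oldest event first
        first_ts = rows[0][0]
        fingerprints = []                # distinct (ip, ua) pairs seen in the window
        for ts, _user, ip, ua in rows:
            if (ts - first_ts).total_seconds() <= window_minutes * 60:
                if (ip, ua) not in fingerprints:
                    fingerprints.append((ip, ua))
        if len(fingerprints) > 1:
            suspicious[sid] = fingerprints
    return suspicious

def revocation_plan(events, suspicious):
    """Map each affected user to all of their session IDs: a password reset alone
    leaves the stolen token valid, so every active session must be revoked."""
    users = {user for _ts, sid, user, _ip, _ua in events if sid in suspicious}
    return {u: sorted({sid for _ts, sid, user, _ip, _ua in events if user == u})
            for u in users}

if __name__ == "__main__":
    flagged = find_replayed_sessions(EVENTS)
    print(flagged)
    print(revocation_plan(EVENTS, flagged))
```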
Impact on healthcare and education
Healthcare and education organisations were among the most heavily affected sectors.
More than 100 members of Health-ISAC were successfully targeted by Tycoon 2FA phishing campaigns.
In New York state alone, investigators said at least two hospitals, three universities and six municipal schools faced attempted or successful compromises linked to the platform.
The incidents disrupted operations, diverted technical resources and in some cases delayed patient care.
Security experts say the service's ease of use made it particularly dangerous. With 10 days of access sold via Telegram for about $120, Tycoon 2FA packaged convincing phishing templates, realistic login pages and real-time credential capture tools into a ready-to-use kit.
Even inexperienced criminals were able to carry out “sophisticated” impersonation attacks.
Once inside a network, attackers could move through systems with the same level of trust as legitimate users, accessing sensitive data and exploiting connected services without triggering alarms.
Authorities said legal action has been taken against several individuals suspected of operating the platform, including Saad Fridi, who investigators believe is the main developer and is reportedly based in Pakistan.
The takedown comes amid a wider series of international efforts targeting cybercrime groups.
Recent operations have also disrupted networks behind the RaccoonO365 phishing toolkit and the Lumma Stealer malware campaign, which investigators say infected roughly 10 million computers worldwide.