Home / Technology / Europol Busts MFA-Bypassing Phishing Ring
Europol Busts MFA-Bypassing Phishing Ring
5 Mar
Summary
- Global operation dismantled the Tycoon 2FA phishing platform.
- The platform bypassed multi-factor authentication for account access.
- Hundreds of domains and core infrastructure were seized.
A coordinated international law enforcement effort, spearheaded by Europol, has successfully dismantled Tycoon 2FA, a prominent phishing-as-a-service (PhaaS) platform. This operation involved police forces from Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom.
The dismantled infrastructure included 330 domains, which hosted phishing portals and backend systems. Tycoon 2FA specialized in adversary-in-the-middle (AiTM) attacks, intercepting credentials and session cookies. This technique allowed it to bypass multi-factor authentication (MFA) protections, granting unauthorized access to user accounts.
Active since August 2023, Tycoon 2FA was highly popular in underground cybercrime communities. Reports indicate its associated Bitcoin wallet amassed over $400,000 in cryptocurrency by March 2024. The platform generated tens of millions of phishing emails monthly, impacting almost 100,000 organizations worldwide.
Tycoon 2FA received regular updates, with a significant upgrade in April 2025 enhancing its evasion capabilities. By mid-2025, it accounted for 62% of phishing attempts blocked by Microsoft. Access to the platform was affordable, starting at $120 for 10 days, making it accessible to a broad spectrum of cybercriminals.
