VYPR
Advisory · Published Mar 4, 2026 · Updated May 20, 2026 · 1 source

Europol, Microsoft, and Trend Micro Dismantle Tycoon 2FA Phishing-as-a-Service Platform

Law enforcement and industry partners seized over 300 domains tied to Tycoon 2FA, a major phishing-as-a-service platform that bypassed multi-factor authentication using adversary-in-the-middle proxying.

A coordinated law enforcement operation led by Europol and Microsoft has dismantled Tycoon 2FA, a prolific phishing-as-a-service (PhaaS) platform that enabled attackers to bypass multi-factor authentication (MFA) at scale. The takedown, announced on March 4, 2026, involved the seizure of over 300 domains and was supported by a coalition of private industry partners including CloudFlare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Proofpoint, Resecurity, The Shadowserver Foundation, SpyCloud, and Trend Micro's TrendAI™ unit.

Tycoon 2FA first emerged in August 2023 as a subscription-based phishing toolkit designed to defeat traditional MFA protections. The platform employed an adversary-in-the-middle (AitM) proxy that sat between the victim and the legitimate login page, capturing credentials, one-time MFA codes, and session cookies in real time. Attackers could then replay those stolen session cookies to take over accounts even when MFA was enabled, effectively neutralizing one of the most widely recommended security controls.

TrendAI™ researchers had been tracking the platform's infrastructure and operator behaviors for months, building a detailed picture of its scale and impact. By November 2025, they had linked the operation to an actor using the monikers "SaaadFridi" and "Mr_Xaad," believed to be the developer and operator of Tycoon 2FA. Historical activity showed this actor previously focused on web defacements before transitioning to building and running this phishing toolkit. The intelligence gathered was shared with Europol to support the law enforcement action.

At the time of the takedown, Tycoon 2FA had approximately 2,000 users and had utilized over 24,000 domains since its launch. The platform had been used in large-scale campaigns targeting Microsoft 365 and Google accounts, as reported by Proofpoint. Newer versions of the kit incorporated simple evasion features to deter bots and hinder analysis, making detection and takedown efforts more difficult. The service's ready-to-use phishing toolkit provided attackers with fake login pages, a proxy layer, and basic campaign tooling with minimal setup required, lowering the barrier to entry for even low-skill criminals.

The takedown of Tycoon 2FA highlights a broader trend in the cybercrime ecosystem: phishing-as-a-service platforms are becoming cheaper, more accessible, and easier to operate, enabling a wave of credential theft that feeds into ransomware, business email compromise, and data theft operations. Credentials and session cookies harvested through AitM campaigns can be resold in established credential marketplaces or passed to access brokers, who specialize in monetizing footholds into corporate environments. This model means a single successful phishing campaign can have cascading impact well beyond the original victim.

Trend Micro emphasized that traditional MFA without phishing-resistant protections remains vulnerable to AitM attacks, and organizations should adopt phishing-resistant MFA methods such as FIDO2 security keys or certificate-based authentication. The company also recommended implementing conditional access policies, monitoring for anomalous login patterns, and conducting regular security awareness training. TrendAI™ continues to monitor for any resurfacing of the service and will support ongoing law enforcement efforts, including further investigation of known users to protect customers.
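As an added example of the anomalous-login monitoring recommended above (not code from the advisory, Trend Micro, Microsoft or Europol), the following Python check runs over constructed sign-in events and flags the cookie-replay pattern described earlier: a session minted by an MFA-completed login that is then used from a different network (ASN), or from both a different IP and a different client, shortly afterwards. The event fields, sample addresses and ASNs are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str   # opaque session-cookie identifier (assumed field; hash it in real logs)
    ip: str
    asn: str          # network the request came from (assumed field)
    user_agent: str
    event: str        # "login_mfa_ok" when MFA completes, "session_use" afterwards


# Constructed sample events: alice uses her session normally; bob's session
# cookie is presented from another network and client 12 minutes after MFA,
# the shape an AitM proxy replay produces.
SAMPLE_EVENTS = [
    SignInEvent(datetime(2026, 3, 4, 9, 0), "alice@example.com", "S1", "203.0.113.10", "AS64500", "Firefox/128", "login_mfa_ok"),
    SignInEvent(datetime(2026, 3, 4, 9, 5), "alice@example.com", "S1", "203.0.113.10", "AS64500", "Firefox/128", "session_use"),
    SignInEvent(datetime(2026, 3, 4, 10, 0), "bob@example.com", "S2", "198.51.100.7", "AS64501", "Chrome/124", "login_mfa_ok"),
    SignInEvent(datetime(2026, 3, 4, 10, 12), "bob@example.com", "S2", "192.0.2.44", "AS64502", "python-requests/2.31", "session_use"),
]


def find_session_replays(events, window=timedelta(hours=1)):
    """Return (user, session_id, login_ip, replay_ip, reasons) for each session
    used from a different ASN, or a different IP *and* client, within `window`
    of the MFA login that minted it. A legitimate user rarely changes network
    and browser minutes after signing in; a replayed cookie usually does."""
    minted = {}   # session_id -> the login event that created the session
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "login_mfa_ok":
            minted[ev.session_id] = ev
            continue
        login = minted.get(ev.session_id)
        if login is None or ev.ts - login.ts > window:
            continue   # unknown session, or outside the short post-login window
        reasons = []
        if ev.asn != login.asn:
            reasons.append("asn_change")
        if ev.ip != login.ip:
            reasons.append("ip_change")
        if ev.user_agent != login.user_agent:
            reasons.append("user_agent_change")
        if "asn_change" in reasons or len(reasons) >= 2:
            alerts.append((ev.user, ev.session_id, login.ip, ev.ip, tuple(reasons)))
    return alerts
```

Extending the window, or dropping the ASN/IP conditions in favour of client fingerprint changes alone, trades false positives from mobile users for earlier detection.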

Synthesized by Vypr AI