
Tycoon 2FA Attack Methods Explained

Microsoft, Europol, and several cybersecurity partners recently dismantled the Tycoon 2FA phishing-as-a-service platform, a large adversary-in-the-middle operation designed to bypass multi-factor authentication.

The platform enabled attackers to steal login credentials and authenticated sessions from Microsoft 365 and Google Accounts, affecting more than 96,000 organizations globally. Active since August 2023, the service was sold on Telegram for about $120, allowing even low-skill attackers to launch sophisticated phishing campaigns.

At its peak in 2025, the platform generated tens of millions of phishing emails per month and was responsible for 62% of phishing attempts blocked by Microsoft. A coordinated operation supported by a U.S. court order and a $10 million civil complaint from Health-ISAC led to the seizure of 330 domains and servers across Europe.

How the Tycoon 2FA Attack Worked

Tycoon 2FA used an Adversary-in-the-Middle (AiTM) technique: the phishing page was a reverse proxy that relayed the victim's login to the real Microsoft or Google sign-in page in real time and inspected everything that passed through it. Instead of only stealing passwords, attackers captured the entire authenticated session.

This allowed them to:

• Steal usernames and passwords
• Intercept MFA verification codes
• Capture session cookies after login
• Access accounts without triggering additional authentication

Because the victim completed MFA on the genuine site and the proxy captured the resulting session cookie, attackers could replay that cookie from their own infrastructure without ever being challenged for a second factor. MFA was not broken; it was satisfied once by the victim and then reused.
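To make the mechanism concrete, and to show why the FIDO2 recommendation later on the page actually defeats it, here is an added example that is not code from the original article or from the Tycoon 2FA kit. It models the AiTM flow as three cooperating toy components: an identity provider, a FIDO2-style authenticator and the phishing proxy. Relaying a password and a one-time code through the proxy hands the attacker a live session cookie; relaying a WebAuthn assertion fails, because the authenticator signs the origin the browser is really on. The origins, user, secrets and the HMAC standing in for a real public-key signature are all assumptions made for the illustration.

```python
"""Added example (not from the original article): a self-contained model of an
adversary-in-the-middle login proxy against password+TOTP versus WebAuthn.
All origins, users and keys are made up; HMAC stands in for the real signature."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"   # assumed real identity provider
PHISH_ORIGIN = "https://login-example.com"   # assumed look-alike proxy site


class IdentityProvider:
    """Toy IdP accepting either password+TOTP or an origin-bound assertion."""

    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "totp": "123456"}}
        self.cred_keys = {"alice": secrets.token_bytes(32)}  # registered authenticator key
        self.pending_challenges = set()
        self.sessions = {}

    def login_password_totp(self, user, password, totp):
        u = self.users.get(user)
        if u is None or u["password"] != password or u["totp"] != totp:
            return None
        return self._issue_session(user)

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.pending_challenges.add(c)
        return c

    def login_webauthn(self, user, client_data, signature):
        data = json.loads(client_data)
        # The relying party checks the origin the browser recorded, so an
        # assertion made on the phishing site is refused even though the
        # signature itself is genuine and the challenge is fresh.
        if data.get("origin") != LEGIT_ORIGIN:
            return None
        if data.get("challenge") not in self.pending_challenges:
            return None
        self.pending_challenges.discard(data["challenge"])
        expected = hmac.new(self.cred_keys[user], client_data.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session(user)

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        """What anyone presenting a cookie gets: the attacker replays it as-is."""
        return self.sessions.get(cookie)


class Authenticator:
    """Toy FIDO2 authenticator: signs client data carrying the origin the
    browser actually navigated to, which the user cannot override."""

    def __init__(self, idp):
        self.idp = idp

    def get_assertion(self, user, challenge, browser_origin):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.idp.cred_keys[user], client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


class AitmProxy:
    """The phishing page: forwards whatever the victim submits to the real IdP
    and keeps a copy of the inputs and of any session cookie that comes back."""

    def __init__(self, idp):
        self.idp = idp
        self.loot = {}

    def relay_password_totp(self, user, password, totp):
        cookie = self.idp.login_password_totp(user, password, totp)
        self.loot.update(user=user, password=password, totp=totp, cookie=cookie)
        return cookie

    def relay_webauthn(self, user, client_data, signature):
        cookie = self.idp.login_webauthn(user, client_data, signature)
        self.loot.update(user=user, cookie=cookie)
        return cookie


def phish_password_totp():
    """Victim types password and TOTP into the proxy; attacker ends up logged in."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    proxy.relay_password_totp("alice", "hunter2", "123456")
    return idp.whoami(proxy.loot["cookie"])


def phish_webauthn():
    """Victim touches their key on the proxy site; the assertion is bound to
    PHISH_ORIGIN, the IdP refuses it, and the proxy captures no cookie."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    challenge = idp.new_challenge()   # proxy fetched a real challenge from the IdP
    client_data, sig = Authenticator(idp).get_assertion("alice", challenge, PHISH_ORIGIN)
    proxy.relay_webauthn("alice", client_data, sig)
    return idp.whoami(proxy.loot["cookie"])


def legit_webauthn():
    """The same credential used directly on the real origin succeeds."""
    idp = IdentityProvider()
    challenge = idp.new_challenge()
    client_data, sig = Authenticator(idp).get_assertion("alice", challenge, LEGIT_ORIGIN)
    return idp.whoami(idp.login_webauthn("alice", client_data, sig))
```

`phish_password_totp()` returns `"alice"`: the cookie the proxy captured is a fully authenticated session, and the IdP has no way to tell it is now being presented by someone else. `phish_webauthn()` returns `None` because the only thing the proxy can forward is an assertion over `https://login-example.com`, and `legit_webauthn()` returns `"alice"` to confirm the credential itself works. The same origin check is what makes passkeys phishing-resistant in practice.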

A Phishing Platform Built Like a Business

Tycoon 2FA was not operated by a single hacker. It functioned as a cybercrime service platform, providing tools and support to attackers worldwide.

Key characteristics included:

• Sold on Telegram for about $120
• Technical support and updates for customers
• Infrastructure designed for large-scale phishing campaigns
• Integration with hosting services such as RedVDS

The platform is believed to have been operated by Saad Fridi, whom investigators attribute to Pakistan, together with partners responsible for marketing and customer support. Investigators also found links to operators associated with RaccoonO365.

Scale of the Tycoon 2FA Attacks

The scale of Tycoon 2FA campaigns demonstrates how automated phishing infrastructure can dramatically increase attack volume.

Reported figures include:

• 96,000+ organizations targeted worldwide
• 500,000+ potential victims targeted per month
• 30+ million phishing emails in a single month
• 62% of phishing attempts blocked by Microsoft

Critical sectors such as healthcare, education, and enterprise cloud environments were heavily targeted. In some cases, phishing campaigns disrupted hospital operations, patient care, and education services.

Global Investigation and Takedown of Tycoon 2FA

The investigation involved an extensive public-private collaboration across multiple organizations.

Key contributors included:

• Microsoft
• Europol
• Proofpoint
• Intel 471
• eSentire
• Cloudflare
• Coinbase
• Shadowserver Foundation

Law enforcement agencies in the United Kingdom, Spain, Poland, Latvia, Lithuania, and Portugal seized infrastructure as part of the operation coordinated through Europol’s cybercrime program.

More than 200 national CERT teams were also alerted.

What Organizations Must Learn from the Tycoon 2FA Case

The Tycoon 2FA case highlights important lessons about modern phishing threats. Organizations should focus on:

Stronger Authentication

• Deploy phishing-resistant MFA such as FIDO2 security keys or passkeys: the authenticator's response is bound to the origin the browser is actually on, so a proxy hosted on a look-alike domain cannot relay it

Session Security

• Reduce session lifetimes so a captured cookie expires quickly
• Re-evaluate sessions continuously, revoking tokens when the network, device or location changes or when compromise is suspected

Threat Intelligence

• Deploy indicators of compromise (IOCs) in network defenses

Security Monitoring

• Detect adversary-in-the-middle proxy infrastructure
• Monitor for stolen authentication tokens
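The session security and security monitoring advice above can be turned into a concrete check. The following is an added example, not code from the original article or from any vendor product: a small detector that runs over constructed sign-in events and flags the two symptoms of a stolen session, a cookie issued to one device and network being used from another shortly afterwards, and a session that outlives the lifetime policy. The JSON field names (`session_id`, `asn`, `ua`, `event`) and the 8-hour policy are assumptions loosely modelled on cloud identity sign-in logs, not a real log format.

```python
"""Added example (not from the original article): detect session-cookie replay
and over-long sessions in constructed sign-in events. Schema and thresholds are
assumptions, not a real identity provider's format."""
import json
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=8)   # assumed organisational session lifetime policy

# Constructed sample events (not real logs). Session s1 is issued to a Windows
# browser on AS64500 and used minutes later from a Linux browser on another ASN,
# the pattern an AiTM proxy leaves behind. Session s2 changes IP inside the same
# ASN (normal) but is still in use the next day (policy violation).
SAMPLE_EVENTS = """\
{"ts":"2025-03-01T09:00:00Z","user":"alice@corp.example","session_id":"s1","ip":"203.0.113.10","asn":"AS64500","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","event":"interactive_signin","mfa":true}
{"ts":"2025-03-01T09:00:05Z","user":"alice@corp.example","session_id":"s1","ip":"203.0.113.10","asn":"AS64500","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","event":"token_use"}
{"ts":"2025-03-01T09:04:30Z","user":"alice@corp.example","session_id":"s1","ip":"198.51.100.77","asn":"AS64511","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/115","event":"token_use"}
{"ts":"2025-03-01T10:00:00Z","user":"bob@corp.example","session_id":"s2","ip":"203.0.113.20","asn":"AS64500","ua":"Mozilla/5.0 (Macintosh) Safari/17","event":"interactive_signin","mfa":true}
{"ts":"2025-03-01T10:30:00Z","user":"bob@corp.example","session_id":"s2","ip":"203.0.113.21","asn":"AS64500","ua":"Mozilla/5.0 (Macintosh) Safari/17","event":"token_use"}
{"ts":"2025-03-02T09:00:00Z","user":"bob@corp.example","session_id":"s2","ip":"203.0.113.21","asn":"AS64500","ua":"Mozilla/5.0 (Macintosh) Safari/17","event":"token_use"}
"""


def parse_events(text):
    """Parse one JSON object per line and return the events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_abuse(events):
    """Return one alert dict per suspicious token use.

    Each session is anchored to the ASN and user-agent of the interactive
    sign-in that created it. A later use from a different ASN or client is a
    replay signal (the proxy forwards the victim's cookie, then the attacker
    uses it from their own infrastructure). A use older than MAX_SESSION_AGE
    means the lifetime policy is not being enforced. An IP change inside the
    same ASN is tolerated, since that is ordinary DHCP or mobile churn.
    """
    issued = {}   # session_id -> the interactive sign-in that created it
    alerts = []
    for ev in events:
        sid = ev["session_id"]
        if ev["event"] == "interactive_signin":
            issued[sid] = ev
            continue
        origin = issued.get(sid)
        if origin is None:
            alerts.append({"user": ev["user"], "session_id": sid,
                           "ts": ev["ts"].isoformat(), "ip": ev["ip"],
                           "reasons": ["unknown_session"]})
            continue
        reasons = []
        if ev["asn"] != origin["asn"]:
            reasons.append("asn_change")
        if ev["ua"] != origin["ua"]:
            reasons.append("ua_change")
        if ev["ts"] - origin["ts"] > MAX_SESSION_AGE:
            reasons.append("stale_session")
        if reasons:
            alerts.append({"user": ev["user"], "session_id": sid,
                           "ts": ev["ts"].isoformat(), "ip": ev["ip"],
                           "minutes_since_signin": int((ev["ts"] - origin["ts"]).total_seconds() // 60),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_abuse(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Running it yields two alerts: `s1` for `asn_change` and `ua_change` four and a half minutes after sign-in, which is the replay pattern to investigate and revoke, and `s2` for `stale_session`, which is a policy gap rather than an intrusion. In production the ASN and user-agent would come from the identity provider's sign-in log enrichment, and the same anchoring logic applies to refresh tokens as well as cookies.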

The Bigger Lesson About Modern Cybercrime

The disruption of Tycoon 2FA slowed one of the largest phishing-as-a-service operations, but it does not eliminate the threat. Phishing platforms can quickly reappear under new infrastructure.

This case shows that modern cybercrime operates like a service economy, where attackers buy ready-made tools instead of building them. For organizations, the key priority is clear: strengthen identity security and assume that attackers will continue targeting authenticated sessions, not just passwords.

Is Your Organization Prepared for AiTM Phishing Attacks?

Modern phishing kits can bypass multi-factor authentication using techniques like Adversary-in-the-Middle. If your organization relies only on passwords and traditional MFA, you may still be at risk.

Talk to Prime Infoserv today to evaluate your security posture and build stronger protection against identity-based cyber threats. Call us: +91 9147712576 or email: info@primeinfoserv.com
