Tycoon 2FA phishing service disrupted in EU crackdown
A coalition of technology companies, security firms and European law enforcement agencies has disrupted infrastructure linked to Tycoon 2FA, a phishing-as-a-service platform used to steal account credentials and bypass multi-factor authentication.
The operation involved partners from the private sector and public bodies, including Microsoft, Europol and several cyber security and internet infrastructure organisations. Authorities in multiple European countries seized servers and took other measures against domains linked to the service.
Tycoon 2FA is an adversary-in-the-middle phishing kit that captures usernames and passwords and collects session cookies from services such as Microsoft 365 and Gmail. Attackers can reuse those cookies to sign in as a victim without completing a new multi-factor authentication challenge, leading to full account takeover and unauthorised access to cloud services and internal systems.
Threat researchers describe Tycoon 2FA as one of the most widely used services of its type. Proofpoint called it the highest-volume adversary-in-the-middle phishing threat in its data, and in February 2026 it observed more than three million messages associated with Tycoon 2FA activity.
How the kit works
The platform relies on attacker-controlled infrastructure that hosts phishing pages and proxies logins in real time. Victims are redirected to actor-controlled pages that impersonate familiar sign-in portals, often with a CAPTCHA before a Microsoft or Google login screen appears. The aim is to make the login seem normal while the service relays the victim's inputs to the legitimate site.
After the victim signs in and completes the MFA prompt, the proxy captures the session cookie that the legitimate service issues. Because that cookie is issued after the MFA check has already passed, it gives the attacker continued access to the account even when multi-factor authentication is enabled, a technique that remains a persistent risk for organisations that rely on MFA as a primary defence against credential theft.
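One defensive check that follows from the cookie-replay mechanism described above, as an added example that is not part of the original article or of any vendor's tooling: it scans sign-in events for a session that completed MFA from one network and client and is then used from a different network and client. The JSON log format, field names and sample events are assumptions constructed for the illustration.

```python
"""Flag possible session-cookie replay after an adversary-in-the-middle phish.

Added illustration, not code from Proofpoint, Microsoft or the kit's operators.
The log format is an assumption: one JSON object per line with the fields
below; real identity providers expose different field names.
"""
import json

# Constructed sample events: alice completes MFA from one network, then her
# session id is reused from another network with a different client. bob's
# address changes but stays within one network and client.
SAMPLE_LOG = """
{"ts": 1000, "user": "alice@example.org", "session": "s1", "ip": "203.0.113.10", "asn": 64500, "ua": "Edge/124", "event": "login_mfa_ok"}
{"ts": 1030, "user": "alice@example.org", "session": "s1", "ip": "203.0.113.10", "asn": 64500, "ua": "Edge/124", "event": "resource_access"}
{"ts": 1200, "user": "alice@example.org", "session": "s1", "ip": "198.51.100.7", "asn": 64511, "ua": "Chrome/120", "event": "resource_access"}
{"ts": 1300, "user": "bob@example.org", "session": "s2", "ip": "192.0.2.5", "asn": 64496, "ua": "Firefox/125", "event": "login_mfa_ok"}
{"ts": 1400, "user": "bob@example.org", "session": "s2", "ip": "192.0.2.9", "asn": 64496, "ua": "Firefox/125", "event": "resource_access"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_session_replay(events):
    """Return (user, session, origin_ip, new_ip) for every session whose cookie
    is later used from both a different ASN and a different user agent than the
    one that completed MFA. Requiring both changes (not ASN alone) keeps mobile
    and NAT address churn from raising alerts; it is a heuristic, not proof."""
    origin = {}  # (user, session) -> the event where MFA completed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["session"])
        if ev["event"] == "login_mfa_ok":
            origin[key] = ev
            continue
        base = origin.get(key)
        if base is None:
            continue  # no observed MFA login for this session; out of scope here
        if ev["asn"] != base["asn"] and ev["ua"] != base["ua"]:
            alerts.append((ev["user"], ev["session"], base["ip"], ev["ip"]))
    return alerts


if __name__ == "__main__":
    for user, session, origin_ip, new_ip in find_session_replay(parse_events(SAMPLE_LOG)):
        print(f"possible replay: {user} session {session} moved {origin_ip} -> {new_ip}")
```

An alert is a trigger to revoke the session and require re-authentication, not a verdict on its own.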
Proofpoint reported that in 2025, 99% of organisations experienced account takeover attempts and 67% suffered a successful takeover, with 59% of compromised accounts having MFA enabled. The figures reflect a broad set of intrusions, not only those linked to Tycoon 2FA.
Researchers say Tycoon 2FA has been sold since 2023 and marketed through Telegram channels. Buyers pay for access and customise lures and pages for their campaigns, reusing the kit during the subscription period. That lowers barriers for threat actors who do not build their own tools.
Distribution at scale
Email remains a primary distribution channel. Campaigns tracked by security teams have used links, QR codes, SVGs and attachments containing URLs. Some emails originate from compromised accounts to make lures seem more credible.
Researchers have also tracked a technique they call "ATO Jumping", in which attackers compromise an initial account and then use it to send additional phishing messages containing Tycoon 2FA links. Because the messages appear to come from trusted contacts, they can increase click-through rates and the likelihood of further compromises.
Tycoon 2FA campaigns have targeted a wide range of sectors. Proofpoint reported distribution via compromised accounts in legal, real estate, healthcare, government, education, construction and technology, as well as personal webmail. In its dataset, technology, financial services, business services, manufacturing, healthcare and government appeared most frequently among targets.
Microsoft has linked the kit to a large pool of victims, saying Tycoon 2FA enabled cybercriminals to access almost 100,000 organisations, including schools, hospitals, non-profits and public institutions.
Disruption action
The latest disruption combined technical and legal measures. Microsoft seized 330 control panel domains associated with Tycoon 2FA, with seized domains displaying a splash page indicating action against the service's infrastructure.
Law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom carried out seizures and other operational steps in coordination with Europol. Private sector participants included Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Resecurity, The Shadowserver Foundation, SpyCloud and TrendAI, alongside Proofpoint and Microsoft.
Microsoft and Health-ISAC also filed a lawsuit naming the alleged creator, Saad Fridi, and unnamed associates. The case was filed in the US Southern District of New York. Proofpoint supported the action with information on malicious domains and campaign infrastructure, as well as a declaration relating to Tycoon 2FA activity.
The disruption is expected to affect both the service and the threat actors who relied on it. Such campaigns often serve as a first step in broader criminal activity: account takeovers can lead to data theft, unauthorised access to corporate systems and follow-on malware attacks, including ransomware.
"The Tycoon 2FA disruption and associated lawsuit naming the creator will have a significant impact on Tycoon 2FA, related infrastructure, and threat actor activity," Proofpoint said.