Law Enforcement Disrupted Tycoon 2FA Phishing-as-a-Service Platform

Security Affairs • March 10, 2026

Key Takeaways

  • Tycoon 2FA generated 62% of Microsoft‑blocked phishing
  • Over 30 million phishing emails sent in a single month
  • Service targeted 500,000+ organizations worldwide each month
  • Phishing kit used PDF, QR code, and URL rotation
  • Disruption removes major pipeline for account takeover attacks

Summary

Law enforcement, led by Microsoft and Europol, dismantled the Tycoon 2FA phishing‑as‑a‑service platform that was responsible for tens of millions of fraudulent emails each month. By mid‑2025 the service accounted for roughly 62% of all phishing attempts blocked by Microsoft, delivering over 30 million emails in a single month and targeting more than 500,000 organizations worldwide. The operation was used by thousands of cybercriminals to impersonate users and compromise Microsoft 365, Outlook, Gmail, and other services. Disabling the infrastructure cuts off a major pipeline for account takeovers, data theft, ransomware, and financial fraud.

Pulse Analysis

Phishing‑as‑a‑service (PhaaS) platforms have transformed credential theft from opportunistic attacks into scalable, commercial operations. Tycoon 2FA epitomized this shift, offering a turnkey kit that combined PDF attachments, QR codes, and sophisticated URL‑rotation techniques to evade detection. By exploiting open‑redirect vulnerabilities and leveraging Cloudflare Workers for host obfuscation, the service could flood inboxes with tailored lures, accounting for roughly 62% of the phishing volume Microsoft blocked in 2025. Its reach—over 500,000 organizations and 96,000 distinct victims—underscored how PhaaS can amplify the impact of even modest cyber‑crime groups.

The takedown was a coordinated effort involving Microsoft’s threat intelligence, Europol’s cybercrime unit, and industry partners such as Resecurity, which had acquired access to the platform’s backend. By seizing command‑and‑control servers and dismantling the URL‑rotation infrastructure, investigators halted the flow of malicious emails and forced the rapid decommissioning of the kit’s Cloudflare‑based proxies. This operation demonstrated the power of public‑private collaboration, where real‑time intelligence sharing and joint legal actions can disrupt a service that previously operated with near‑impunity. The technical forensic work also revealed a pattern of continuous kit updates, highlighting the adaptive nature of modern phishing tools.

The disruption sends a clear signal to the cyber‑crime ecosystem: large‑scale PhaaS operations are vulnerable to coordinated takedowns, especially when defenders unite across borders and sectors. Organizations should now reassess their email security posture, emphasizing advanced threat protection, user education on phishing vectors like QR codes, and monitoring for open‑redirect abuse. As attackers pivot to new delivery mechanisms, the industry must invest in threat‑intel sharing platforms and rapid response frameworks to stay ahead of evolving phishing tactics, ensuring that the breach‑prevention gap continues to narrow.
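One way to act on the open-redirect monitoring advice above, as an added example that is not code from the article or from the organizations it names: a Python check that flags links whose query parameters carry a URL to a different host, including double-encoded and scheme-relative forms. The sample links, hosts and the `TRUSTED_SUFFIXES` allowlist are constructed assumptions.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: redirect targets the organization treats as its own (hypothetical allowlist).
TRUSTED_SUFFIXES = ("example.com",)
MAX_DECODE_ROUNDS = 3  # nested URLs in lures are often percent-encoded more than once

def _host(value):
    """Host of an absolute or scheme-relative http(s) URL, else None."""
    v = value.strip()
    v = "https:" + v if v.startswith("//") else v  # browsers resolve //host as a full URL
    try:
        parts = urlsplit(v)
    except ValueError:  # malformed input such as an unbalanced IPv6 bracket
        return None
    ok = parts.scheme in ("http", "https") and parts.hostname
    return parts.hostname.lower() if ok else None

def _trusted(host, outer):
    return host == outer or any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def find_redirect_targets(url):
    """Return (param, host) for each query parameter carrying a URL to a foreign host."""
    parts = urlsplit(url)
    outer = (parts.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for _ in range(MAX_DECODE_ROUNDS):
            host = _host(value)
            if host:
                if not _trusted(host, outer):
                    hits.append((name, host))
                break
            decoded = unquote(value)
            if decoded == value:  # nothing left to decode, value is not a URL
                break
            value = decoded
    return hits

# Constructed sample links, not taken from the article.
SAMPLES = [
    "https://shop.example.net/out?url=https%3A%2F%2Flogin.phish.test%2Fo365",
    "https://shop.example.net/r?next=https%253A%252F%252Flogin.phish.test%252F",
    "https://shop.example.net/r?next=%2F%2Flogin.phish.test%2Fa",
    "https://shop.example.net/r?next=https%3A%2F%2Fshop.example.net%2Fcart",
    "https://shop.example.net/search?q=redirect+howto",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", find_redirect_targets(link) or "ok")
```

Run over URLs extracted from mail gateway or proxy logs, the hits give a review queue of redirector links; same-host and allowlisted targets are deliberately not reported.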
