Tycoon 2FA was a subscription-based phishing-as-a-service toolkit that enabled adversary-in-the-middle credential harvesting at scale, capturing credentials, MFA codes, and session cookies to facilitate account takeovers across thousands of organizations. A coordinated law enforcement and private-sector operation disrupted the platform by taking down 330 domains and dismantling the infrastructure behind the service. #Tycoon2FA #Microsoft
Key points
- Tycoon 2FA operated as a subscription PhaaS, offering web panels and templates to run AiTM phishing campaigns.
- The toolkit captured credentials, MFA codes, and session cookies, with data downloadable in-panel or relayed via Telegram.
- The platform generated tens of millions of phishing emails and was linked to roughly 96,000 distinct victims and nearly 100,000 affected organizations.
- Operators used advanced evasion techniques, including keystroke logging, browser fingerprinting, short-lived FQDNs, and heavy code obfuscation.
- Law enforcement and security firms disrupted the service by seizing 330 domains and coordinating international takedown efforts.
Read More: https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html