Tycoon 2FA Fully Operational Despite Law Enforcement Takedown

Tycoon 2FA remains operational despite an international takedown and quickly returned to pre-disruption levels. The subscription-based phishing-as-a-service (PhaaS) platform has generated over 30 million malicious emails monthly, was linked to roughly 96,000 victims, and accounted for 62% of Microsoft’s blocked phishing attempts in 2025.

Key points

  • Tycoon 2FA continued operating and recovered to pre-takedown volumes shortly after the disruption.
  • The service is subscription-based and produced over 30 million malicious emails per month, impacting about 96,000 victims.
  • Europol, Microsoft, and partners seized 330 domains and pursued legal action, but the operation only temporarily reduced activity.
  • Attack TTPs remain unchanged, including malicious CAPTCHA pages, session cookie theft, JavaScript credential proxying, and cloud account takeover.
  • The takedown likely disrupted customers and harmed the PhaaS’s reputation, yet attackers quickly obtained new domains and IPs to resume campaigns.

Read More: https://www.securityweek.com/tycoon-2fa-fully-operational-despite-law-enforcement-takedown/