Tycoon2FA, an underground phishing service that let its subscribers intercept live authentication sessions, capturing credentials, one-time passcodes and active session cookies to bypass multifactor authentication (MFA), has been taken down in a Europol-led operation that included the UK's National Crime Agency (NCA) and was supported by a coalition of industry partners including Cloudflare, Microsoft, Proofpoint and Trend Micro's TrendAI unit. The operation saw 330 domains forming Tycoon2FA's core infrastructure, including phishing pages and control panels, taken down by partner agencies in Latvia, Lithuania, Portugal, Poland and Spain.
The sting was the result of a long-term collaborative exercise against Tycoon2FA, which has been active since the summer of 2023. Over the past three-and-a-half years, Tycoon2FA users have leveraged more than 24,000 domains with campaigns primarily targeting Microsoft 365 and Google services, particularly Gmail.
The majority of its victims – just under 52% – were based in the US, with around 8% in the UK, 5% in Germany and 4% in Canada. Over 5,000 victims are known in the UK, according to Microsoft.
“By mid‑2025, Tycoon2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon2FA among the largest phishing operations globally,” said Microsoft Digital Crimes Unit assistant general counsel, Steven Masada.
“Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.
“Healthcare and education organisations were hit hardest,” said Masada. “More than 100 members of Health‑ISAC, a global threat-sharing group for the health sector and a co-plaintiff in this case, were successfully phished. In New York alone, at least two hospitals, six municipal schools, and three universities faced attempted or successful compromise through Tycoon2FA. These incidents had tangible consequences: disrupted operations, diverted resources, and delayed patient care.”
The service was notable for its scale and accessibility, with a ready-to-use toolkit providing buyers with fake login pages, proxy layers and basic campaign tooling, with more recent updates adding evasion features to hinder analysis and response. At the point of the takedown this week, it had about 2,000 active subscribers, each paying approximately $120 for a 10-day licence.
“This was not a single phishing campaign. It was an industrialised service built to make MFA bypass accessible to thousands of criminals,” said Robert McArdle, director for cyber crime research at TrendAI.
“Identity is now the primary attack surface. When session hijacking can be packaged and sold as a subscription, the risk shifts from isolated incidents to systemic exposure,” he added.
McArdle and his colleagues have been extensively researching and tracking Tycoon2FA’s infrastructure and operator behaviour for some time. A breakthrough in their work came in November 2025 when they were able to successfully identify the likely developer and primary operator of the service – an individual using the handles SaaadFridi or Mr_Xaad. The team said this person was actively involved in small-time, hacktivist-style cyber crime, such as website defacement, before moving on to phishing kit development. An individual named as Saad Fridi, alongside four unnamed individuals referred to as John Doe (1-4), have been sued by Microsoft and Health-ISAC today in the US District Court for the Southern District of New York.
“We had been mapping the operators behind Tycoon2FA and their infrastructure for months before disruption. What stood out was the scale and consistency of the patterns. Domains, hosting choices, kit updates and underground support channels all pointed to a coordinated commercial service rather than fragmented campaigns,” McArdle told Computer Weekly.
“Once we had high-confidence attribution and understanding of the scale of the problem, we shared detailed intelligence with Europol to enable action at pace. That kind of operational intelligence is what turns visibility into impact,” he added.
“Flagging this to Europol was not a routine information exchange. It’s the result of sustained tracking, technical validation and careful correlation across multiple data points. When you see a platform actively lowering the barrier for MFA bypass at scale, there is a responsibility to move beyond reporting and help drive disruption of its infrastructure or operators. This is exactly where private sector threat research and law enforcement collaboration has to intersect if we are serious about reducing cyber crime risk, and Europol have long been close partners in that space.”
One among many
Tycoon2FA was just one among many phishing-as-a-service (PhaaS) platforms available to cyber criminals. Other notable active examples include names such as BlackForce, GhostFrame and InboxPrimeAI. The latter uses generative artificial intelligence (GenAI) to mimic human behaviour in its campaigns and is billed as a “programmatic solution” for phishing.
These platforms are sometimes wrongly viewed as a lesser threat than ransomware, but in practice they often provide the initial access for ransomware intrusions: the credentials and session tokens they steal are sold on dark web markets or handed to initial access brokers (IABs) to monetise.
Tycoon2FA was a particularly acute threat because it substantially lowered the technical barrier to entry and expanded the pool of attackers capable of launching more sophisticated attacks. And while its disruption will be a significant setback for the PhaaS ecosystem, the underlying threat is as real as it ever was.
McArdle said the operation against Tycoon2FA underscored the value of sustained, focused tracking combined with collaboration. Because phishing platforms are themselves transnational and rely on distributed infrastructure to serve users all over the world, the industry must respond in kind, combining better visibility with actionable intelligence so that researchers and law enforcement in different jurisdictions can act against the same infrastructure in a coordinated way.
The TrendAI team will continue monitoring for any attempts to rebuild or rebrand Tycoon2FA, and is supporting follow-on investigations into the service’s identified users and other administrators.
“The disruption of Tycoon2FA shows what is possible when intelligence is acted on, not just observed,” said McArdle. “We will continue to track the actors, the infrastructure and the users behind these services to protect our customers and raise the cost of operating in this ecosystem.”
Next steps
The takedown of Tycoon2FA demonstrates that MFA alone is insufficient against adversary-in-the-middle (AitM) phishing. An AitM kit places a proxy between the victim and the genuine login page, relays the password and one-time passcode to the real service as the victim types them, and keeps the session cookie the service issues in return, so any factor the user can type or approve is relayed along with the password. Defenders therefore need controls that cannot be relayed in this way.
Among other things, security leaders should consider adopting phishing-resistant authentication such as FIDO2/WebAuthn security keys or passkeys, which bind each credential to the genuine site's origin so that a proxy on another domain cannot complete the sign-in, backed by stricter conditional access controls such as requiring a managed, compliant device.
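Why a WebAuthn credential cannot be relayed the way a password and one-time code can comes down to two checks the relying party performs on every assertion: the origin the browser recorded in clientDataJSON, and the hash of the rpId the authenticator scoped the credential to. The following is an added example written for this article, not code from Tycoon2FA's analysis or from any of the partners named; it simulates the relying-party side of those checks with the standard library only. The hostnames login.example.com (the genuine service) and login.example-secure.test (the AitM proxy) are assumed, and signature verification against the registered public key, which would follow the binding checks, is left outside the block because a relayed assertion is rejected before it is reached.

```python
import base64
import hashlib
import json
import secrets

# Assumed relying party (RP) settings for this example: the genuine login host and
# the origins it is willing to accept assertions from.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """Simulates the clientDataJSON a browser produces for navigator.credentials.get().
    The browser fills in `origin` itself; page script cannot override it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Simulates authenticatorData: rpIdHash (32) | flags (1) | signCount (4).
    The authenticator hashes the rpId the browser allowed, which must be a
    registrable suffix of the page's current origin."""
    flags = bytes([0x01])  # UP bit: user presence
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> tuple:
    """Binding checks from the WebAuthn assertion verification procedure, in order.
    Returns (ok, reason). The signature check that follows, over
    auth_data || sha256(client_data_json) with the credential's registered public
    key, is outside this block; a relayed assertion is already rejected before it."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: replayed or cross-session assertion"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, "origin %r is not the relying party" % origin
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "binding checks passed; verify signature next"


def signed_payload(client_data_json: bytes, auth_data: bytes) -> bytes:
    """What the authenticator actually signs: origin and challenge are covered by
    the hash, so a proxy cannot rewrite clientDataJSON without breaking the signature."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def demo() -> dict:
    """Genuine sign-in versus the same challenge relayed through a constructed
    AitM proxy host (login.example-secure.test, an assumed attacker domain)."""
    challenge = secrets.token_bytes(32)
    genuine = verify_assertion(
        build_client_data(challenge, "https://login.example.com"),
        build_authenticator_data(RP_ID), challenge)
    # The victim's browser is on the proxy origin, so it records that origin and only
    # permits an rpId matching the proxy host; both bindings fail at the real RP.
    relayed = verify_assertion(
        build_client_data(challenge, "https://login.example-secure.test"),
        build_authenticator_data("login.example-secure.test"), challenge)
    # A captured assertion replayed later against a fresh challenge also fails.
    replayed = verify_assertion(
        build_client_data(challenge, "https://login.example.com"),
        build_authenticator_data(RP_ID), secrets.token_bytes(32))
    return {"genuine": genuine, "relayed": relayed, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} accepted={ok}  {reason}")
```

The point to take from the relayed case is that neither the attacker nor the victim can fix it up: the origin is written by the browser, the rpId the authenticator will accept is constrained by that same origin, and both are covered by the signature, which is what "phishing-resistant" means in practice.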
They may also wish to deploy email and collaboration security technology to detect lateral phishing and brand impersonation, and enable real-time URL inspection and web content analysis to identify fake login infrastructure.
Organisations should also move to continuous monitoring of identity risk, looking in particular for anomalous session behaviour such as a session token being used from a new network or browser shortly after sign-in, or a freshly signed-in session immediately adding an inbox rule or a new MFA method, and introduce capabilities that let them revoke the session and reset the user's credentials quickly when that is spotted.
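A stolen session cookie leaves a recognisable trace in sign-in and activity telemetry: the token is minted from the victim's network and browser, then used minutes later from the attacker's. The following is an added example written for this article, not a detection rule from any of the vendors named; it runs that check over a handful of constructed log events embedded in the block, flags the session once on the first drift and escalates when the holder goes on to do something an attacker does first, such as creating an inbox rule. The field names, the list of high-risk actions and the 60-minute window are assumptions to be mapped onto a real identity provider's logs.

```python
import json
from datetime import datetime, timezone

# Constructed sample events for this example (not real telemetry). Fields mirror the
# minimum a sign-in/activity log needs for this check: timestamp, user, session ID,
# action, source IP, source ASN and user agent. Session s-7f3a is used from a new
# network and browser seven minutes after sign-in, then creates an inbox rule: the
# shape an AitM cookie replay leaves behind. Session s-91c2 is a normal baseline.
SAMPLE_EVENTS = """
{"ts":"2025-11-03T09:12:04Z","user":"a.smith","session":"s-7f3a","event":"signin","ip":"203.0.113.5","asn":"AS64500","ua":"Edge/130"}
{"ts":"2025-11-03T09:12:40Z","user":"a.smith","session":"s-7f3a","event":"mail.read","ip":"203.0.113.5","asn":"AS64500","ua":"Edge/130"}
{"ts":"2025-11-03T09:19:11Z","user":"a.smith","session":"s-7f3a","event":"mail.read","ip":"198.51.100.77","asn":"AS64511","ua":"Chrome/118"}
{"ts":"2025-11-03T09:19:30Z","user":"a.smith","session":"s-7f3a","event":"inboxrule.create","ip":"198.51.100.77","asn":"AS64511","ua":"Chrome/118"}
{"ts":"2025-11-03T10:02:00Z","user":"b.jones","session":"s-91c2","event":"signin","ip":"192.0.2.10","asn":"AS64501","ua":"Firefox/131"}
{"ts":"2025-11-03T10:05:00Z","user":"b.jones","session":"s-91c2","event":"mail.read","ip":"192.0.2.10","asn":"AS64501","ua":"Firefox/131"}
"""

# Assumed tuning: actions an attacker typically takes first with a stolen session,
# and how soon after sign-in a network change is treated as replay rather than roaming.
HIGH_RISK_EVENTS = {"inboxrule.create", "mfa.method.add", "oauth.consent", "password.change"}
REPLAY_WINDOW_MINUTES = 60


def parse_events(text: str) -> list:
    """Parse JSON lines and sort by time so sign-ins are seen before their sessions' use."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["t"])


def detect_session_hijack(events: list) -> list:
    """One alert per session whose token is later used from a different ASN or user
    agent than the one that obtained it. Returns alerts with a recommended action."""
    issued = {}    # session id -> the sign-in event that minted it
    alerts = {}    # session id -> alert
    for e in events:
        sid = e["session"]
        if e["event"] == "signin":
            issued[sid] = e
            continue
        if sid in alerts:
            # Session already flagged: record what the holder did afterwards.
            alerts[sid]["post_drift_events"].append(e["event"])
            if e["event"] in HIGH_RISK_EVENTS:
                alerts[sid]["severity"] = "high"
            continue
        origin = issued.get(sid)
        if origin is None:
            continue  # no sign-in seen in this window; out of scope for this check
        drift = [f for f in ("asn", "ua") if e[f] != origin[f]]
        if not drift:
            continue
        minutes = (e["t"] - origin["t"]).total_seconds() / 60
        alerts[sid] = {
            "user": e["user"],
            "session": sid,
            "drift": drift,
            "signin_ip": origin["ip"],
            "drift_ip": e["ip"],
            "minutes_since_signin": round(minutes, 1),
            "severity": "high" if (minutes <= REPLAY_WINDOW_MINUTES
                                   or e["event"] in HIGH_RISK_EVENTS) else "medium",
            "post_drift_events": [e["event"]],
            "action": "revoke_session_and_reset_credentials",
        }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_session_hijack(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

Keying on ASN rather than raw IP keeps mobile and carrier-grade NAT address churn from firing the rule on its own, and the user-agent comparison catches the common case where the kit's replay client is not the victim's browser; tune both against a baseline of legitimate roaming before acting on the alert automatically.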
Finally, all these steps should go hand-in-hand with regular phishing simulations and targeted security awareness training for at-risk employees.