Coinbase, Microsoft and Europol Shut Down Major Tycoon 2FA Phishing Network

Nahid
Published: March 5, 2026
Summary:

  • Coinbase, Microsoft and Europol helped take down Tycoon 2FA, a large phishing-as-a-service platform.
  • Microsoft blocked 330 domains linked to the operation, while law enforcement seized key infrastructure.
  • By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft.
  • The toolkit enabled attackers to bypass multi-factor authentication and target nearly 100,000 organizations worldwide.

A coordinated effort between major technology firms and international law enforcement agencies has dismantled the core infrastructure behind Tycoon 2FA, one of the world's largest phishing-as-a-service platforms. In a statement published Wednesday, Europol confirmed that the operation targeted domains and systems used to power the platform. Microsoft played a key role in blocking 330 domains linked to Tycoon 2FA, while law enforcement authorities seized additional infrastructure central to the service's operations. The coalition included private sector partners such as Coinbase, Cloudflare, Intel471, Proofpoint, Shadowserver Foundation, SpyCloud and Trend Micro. Europol acted as the coordination hub, connecting private cybersecurity teams with investigators across multiple countries to ensure intelligence sharing and operational action.

Participating law enforcement authorities came from Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom, reflecting the cross-border nature of the threat. Tycoon 2FA had been active since at least August 2023. During that time, it became one of the largest phishing operations worldwide, offering subscription-based tools that enabled cybercriminals to conduct large-scale credential-harvesting campaigns. At its peak, the platform generated tens of millions of phishing emails each month. According to Europol, it facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals and public institutions. By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft. In a single month alone, Microsoft reported blocking more than 30 million phishing emails linked to the service.

How Tycoon 2FA Bypassed Multi-Factor Authentication

What made Tycoon 2FA especially dangerous was its ability to bypass multi-factor authentication (MFA), a security measure widely used to protect online accounts. Phishing typically involves tricking users into entering their login credentials on fake websites that mimic legitimate services. Tycoon 2FA elevated this tactic by providing highly convincing spoofed landing pages that resembled trusted platforms such as Microsoft 365 and other cloud-based services. In a statement, Coinbase described its role in the disruption effort:

"we partnered with Microsoft to take action against Tycoon 2FA ("Tycoon"), a phishing-as-a-service platform that enabled threat actors to run highly convincing credential-harvesting campaigns using login pages designed to mimic trusted email and online services like Microsoft 365."

Beyond capturing usernames and passwords, Tycoon's toolkit was engineered to intercept session cookies and authentication tokens. When a user successfully logs in with MFA, the system generates a session token that acts as proof of authentication and is stored in the browser. If attackers steal that token, they can effectively bypass MFA without needing the second authentication factor again. This method allowed cybercriminals to gain covert access to email accounts and cloud-based systems, even when victims had enabled additional security layers. The scale of the operation is striking. Tycoon 2FA lowered the technical barrier for cybercrime by offering ready-made tools to thousands of threat actors. Criminals could subscribe to the service and launch campaigns quickly.
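A defender-side illustration of the token-reuse risk described above, added here and not part of the original article: it compares each use of a session token with the client context where MFA completed and flags tokens that reappear elsewhere. The event fields and sample log lines are constructed assumptions, not any vendor's log schema.

```python
from ipaddress import ip_address, ip_network

# Constructed sample events, not real logs; the field names are hypothetical.
EVENTS = [
    {"ts": 1, "session": "s-100", "user": "alice", "ip": "198.51.100.10", "ua": "Firefox/128 Windows", "event": "mfa_login"},
    {"ts": 2, "session": "s-100", "user": "alice", "ip": "198.51.100.77", "ua": "Firefox/128 Windows", "event": "request"},
    {"ts": 3, "session": "s-200", "user": "bob", "ip": "203.0.113.5", "ua": "Chrome/126 macOS", "event": "mfa_login"},
    {"ts": 4, "session": "s-200", "user": "bob", "ip": "192.0.2.44", "ua": "python-requests/2.32", "event": "request"},
    {"ts": 5, "session": "s-300", "user": "carol", "ip": "192.0.2.9", "ua": "Safari/17 iOS", "event": "request"},
]

def same_network(a, b, prefix=24):
    """True if b falls in the /prefix network around a (tolerates address churn)."""
    return ip_address(b) in ip_network(f"{a}/{prefix}", strict=False)

def find_token_replay(events):
    """Return (session, user, reason) for token uses that differ from the MFA context."""
    issued, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "mfa_login":
            issued[e["session"]] = e  # context the token was issued to
            continue
        origin = issued.get(e["session"])
        if origin is None:
            # A token in use that we never saw pass MFA is suspicious on its own.
            alerts.append((e["session"], e["user"], "no recorded MFA login for this token"))
            continue
        reasons = []
        if not same_network(origin["ip"], e["ip"]):
            reasons.append("ip changed")
        if origin["ua"] != e["ua"]:
            reasons.append("user agent changed")
        if reasons:
            alerts.append((e["session"], e["user"], ", ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_token_replay(EVENTS):
        print(alert)
```

An alert from a check like this would normally lead to revoking the session and requiring the user to authenticate again.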

The consequences were felt across sectors. Schools, hospitals, businesses and public institutions were among the nearly 100,000 organizations impacted worldwide. Phishing continues to pose a serious risk to the crypto sector as well. Blockchain security firm CertiK identified phishing scams as the second-largest threat in 2025, reporting $722 million in losses across 248 incidents. For crypto platforms, where account access directly translates to asset control, bypassing MFA can lead to immediate financial damage.

Public-Private Cooperation as a Cybersecurity Model

The takedown of Tycoon 2FA highlights the growing importance of collaboration between technology companies and law enforcement agencies. Europol described its role as a central hub, ensuring intelligence from private partners was shared with affected countries and translated into coordinated action. By pooling technical expertise and investigative authority, the coalition was able to disrupt infrastructure that operated across multiple jurisdictions. This model of public-private cooperation has become increasingly necessary as cyber threats evolve. 

Phishing-as-a-service platforms like Tycoon 2FA operate globally, using domain registrations, hosting providers and payment systems spread across different regions. No single organization can address such threats alone. For companies like Microsoft and Coinbase, proactive disruption of phishing networks also protects their users and brand ecosystems. Blocking domains and identifying malicious infrastructure can prevent harm before it spreads further. While the dismantling of Tycoon 2FA represents a significant step, cybersecurity experts caution that phishing remains one of the most persistent online threats. The tools used by Tycoon are widely understood within cybercrime circles, and similar services may attempt to fill the gap.

Still, removing a platform responsible for more than half of Microsoft's blocked phishing attempts by mid-2025 sends a strong signal. It demonstrates that coordinated action can disrupt even large-scale criminal networks.

Closing Thoughts 

As digital services continue to expand and authentication systems evolve, the battle between attackers and defenders will likely intensify. For now, the takedown of Tycoon 2FA stands as a reminder that sustained collaboration between technology firms and law enforcement remains one of the most effective defenses against global cybercrime.

 

About the Author

Nahid

Nahid is a contributor at CotiNews from Bangladesh, covering developments across the COTI ecosystem. His work focuses on breaking down complex updates, technical concepts, and ecosystem news into clear, accessible stories for a wider audience.
