
Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown

Posted by Ignition Technology

April 13, 2026

On March 4, 2026, Europol announced the technical disruption of Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform that enabled cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts. Law enforcement authorities from six countries worked with industry partners to seize 330 domains that formed the platform’s core infrastructure.

Infrastructure takedowns are a challenging and important aspect of adversary disruption and a centerpiece of law enforcement and private sector cooperation in cybersecurity. In situations where direct physical enforcement actions such as arrests are infeasible, disrupting bad actors’ operational means can often be the most efficacious and direct way to impose costs on criminals who otherwise act with relative impunity. Nonetheless, law enforcement bodies and their industry partners often go into these technically complicated efforts knowing full well that adversaries are resilient and will likely ultimately overcome or circumvent technical disruptions and reemerge as threats once again.

CrowdStrike applauds Europol and its partners in their disruption efforts against Tycoon2FA. CrowdStrike has often joined law enforcement partners in conducting similar disruption efforts and will continue to do so in the future. As a part of this collaborative spirit, CrowdStrike also stands ready to help provide visibility into the efficacy of disruption operations and help provide “long-tail support” to its customers and the public when criminals attempt to reconstitute their infrastructure in the wake of disruptions.

Since the date of the Tycoon2FA takedown, the CrowdStrike Falcon® Complete Next-Gen MDR team and CrowdStrike Counter Adversary Operations team observed a short-term decrease in the volume of Tycoon2FA campaign activity; however, the volume of cloud compromises has since increased to levels previously observed by Falcon Complete. This resumed campaign volume – and the continuation of previously observed Tycoon2FA tactics, techniques, and procedures (TTPs) – suggests the actors responsible for the PhaaS are likely to remain active in the threat landscape in the short to medium term and warrant continued vigilance by defenders.

Tycoon2FA is a clear example of how today’s adversaries operate; they are highly adaptive, technically capable, and persistent in pursuing their objectives. Even as the threat landscape shifts, actors behind platforms like these continue to evolve their TTPs and find ways to maintain pressure on defenders. Staying ahead of that persistence requires continuous visibility across the full attack surface, the ability to correlate signals across domains in real time, and the expertise to act on them decisively. The AI-native CrowdStrike Falcon® platform and the expert defenders in Counter Adversary Operations and Falcon Complete give organizations the speed and depth of coverage needed to detect, disrupt, and respond before adversaries achieve their objectives.


Impact of the Disruption

Tycoon2FA began its operations in 2023 and provided a subscription-based toolkit that intercepted live authentication sessions using adversary-in-the-middle (AITM) techniques. In mid-2025, the platform was responsible for 62% of all phishing attempts blocked by Microsoft; Tycoon2FA purportedly generated more than 30 million malicious emails in a single month. Given this prominence, the takedown was a notable attempt by law enforcement to disrupt a key component of the PhaaS ecosystem.

The March 4th Tycoon2FA disruption was the result of coordinated action between Europol’s European Cybercrime Centre (EC3) and law enforcement authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom, alongside industry partners. The coordinated effort targeted 330 domains comprising the platform’s infrastructure. Additional actions against the individuals related to the PhaaS operation have not yet been reported.

This Tycoon2FA takedown follows law enforcement’s September 2025 targeting of RaccoonO365, which operated as Tycoon2FA’s primary competitor and also enabled threat actors (with minimal technical expertise) to conduct sophisticated phishing campaigns.

Falcon Complete observed numerous Tycoon2FA incidents in 2024, 2025, and 2026, with TTPs that include:

  • Using phishing emails to direct victims to Tycoon2FA CAPTCHA pages
  • Stealing victims’ session cookies upon CAPTCHA validation
  • Extracting victims’ email addresses via a JavaScript (JS) file
  • Populating fake Microsoft 365 or Google login pages, which are hosted on a Tycoon2FA domain
  • Proxying victims’ credentials to a legitimate Microsoft 365 cloud account via an obfuscated JS file
  • Authenticating to the victim’s cloud environment using the stolen cookies and credentials
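The last two steps of that chain, stealing the session cookie and then authenticating with it, leave a trace in cloud sign-in telemetry that defenders can hunt for: the same session identifier that was issued when the victim completed MFA on the phishing proxy reappears minutes later from a different network (ASN), presenting only an MFA claim rather than a fresh challenge. The following detection logic is an added example for this post, not CrowdStrike's or Falcon Complete's detection content; the JSON-lines log format, field names, users, IP addresses and ASNs are constructed for illustration.

```python
"""Detecting adversary-in-the-middle (AITM) session-cookie replay in sign-in logs."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str   # correlates to the browser session cookie issued at sign-in
    ip: str
    asn: int
    user_agent: str
    mfa: str          # "challenge": fresh MFA performed; "claim": satisfied by an existing cookie/token


@dataclass(frozen=True)
class ReplayAlert:
    user: str
    session_id: str
    origin_asn: int
    replay_asn: int
    replay_ip: str
    minutes_after_mfa: float
    user_agent_changed: bool


# Constructed sign-in telemetry in JSON-lines form. Field names, users, IPs and
# ASNs are hypothetical. alice's second event models a replayed session cookie
# used from attacker infrastructure minutes after she satisfied MFA on the
# phishing proxy; bob's events are benign (same network, or a fresh MFA
# challenge from a new network the next day).
SAMPLE_LOG = """\
{"time":"2026-03-10T09:00:00Z","user":"alice@example.com","sessionId":"sess-A1","ip":"203.0.113.10","asn":64500,"userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","mfa":"challenge"}
{"time":"2026-03-10T09:07:00Z","user":"alice@example.com","sessionId":"sess-A1","ip":"198.51.100.77","asn":64511,"userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/120","mfa":"claim"}
{"time":"2026-03-10T09:30:00Z","user":"bob@example.com","sessionId":"sess-B1","ip":"203.0.113.22","asn":64500,"userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","mfa":"challenge"}
{"time":"2026-03-10T13:00:00Z","user":"bob@example.com","sessionId":"sess-B1","ip":"203.0.113.22","asn":64500,"userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","mfa":"claim"}
{"time":"2026-03-11T08:00:00Z","user":"bob@example.com","sessionId":"sess-B2","ip":"192.0.2.5","asn":64496,"userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","mfa":"challenge"}
"""


def parse_log(text: str) -> list[SignIn]:
    """Parse JSON-lines sign-in records into SignIn events (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(SignIn(
            ts=datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
            user=rec["user"],
            session_id=rec["sessionId"],
            ip=rec["ip"],
            asn=int(rec["asn"]),
            user_agent=rec["userAgent"],
            mfa=rec["mfa"],
        ))
    return events


def detect_session_replay(events: list[SignIn], window_minutes: int = 60) -> list[ReplayAlert]:
    """Flag a session whose cookie is reused from a different ASN shortly after MFA.

    For each (user, session) the most recent fresh-MFA event is the anchor. A
    later sign-in in the same session that only presents an MFA claim, comes
    from a different ASN, and falls inside the window is reported. A sign-in
    that performs a fresh MFA challenge from a new ASN is not flagged, because
    the user proved possession of the second factor again.
    """
    sessions: dict[tuple[str, str], list[SignIn]] = defaultdict(list)
    for e in events:
        sessions[(e.user, e.session_id)].append(e)

    alerts = []
    for (user, sid), evs in sessions.items():
        anchor = None
        for e in sorted(evs, key=lambda x: x.ts):
            if e.mfa == "challenge":
                anchor = e
                continue
            if anchor is None:
                continue
            minutes = (e.ts - anchor.ts).total_seconds() / 60
            if e.asn != anchor.asn and minutes <= window_minutes:
                alerts.append(ReplayAlert(
                    user=user, session_id=sid,
                    origin_asn=anchor.asn, replay_asn=e.asn, replay_ip=e.ip,
                    minutes_after_mfa=minutes,
                    user_agent_changed=e.user_agent != anchor.user_agent,
                ))
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(f"{a.user}: session {a.session_id} replayed from AS{a.replay_asn} ({a.replay_ip}) "
              f"{a.minutes_after_mfa:.0f} min after MFA from AS{a.origin_asn}; "
              f"user agent changed={a.user_agent_changed}")
```

Keying on the session identifier rather than the IP alone is what separates a replayed cookie from ordinary roaming: a user who signs in from a new network and passes a fresh MFA challenge produces no alert, while a token that was minted on one network and presented from another without a challenge does. The ASN comparison also survives the infrastructure rotation described later in this post, since the attacker's ASN only has to differ from the victim's, not match a known-bad list.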

How the Platform Operated

Tycoon2FA provided subscribers with a web-based control panel to configure phishing campaigns. This included templates, redirect chains, and credential harvesting mechanisms.

Core capabilities included:

  • Custom phishing templates mimicking trusted login pages
  • Session cookie interception during authentication
  • Real-time credential relay to legitimate services
  • Campaign tracking dashboards for attackers
  • Automated infrastructure rotation to evade detection

Attackers could configure phishing flows that mimicked legitimate login experiences, including CAPTCHA challenges and MFA prompts, increasing the likelihood of success.


Example phishing page and authentication flow.


Understanding Tycoon2FA

First observed in 2023, Tycoon2FA rapidly became a dominant phishing-as-a-service platform, lowering the barrier to entry for cybercriminals by providing ready-to-use phishing infrastructure.

The platform enabled adversary-in-the-middle (AITM) attacks, allowing attackers to intercept authentication flows in real time and bypass MFA protections.

Campaigns using Tycoon2FA targeted a wide range of industries including finance, healthcare, education, and government, often impersonating trusted services such as Microsoft 365, Gmail, and cloud platforms.


Defense Evasion Techniques

Tycoon2FA stood out for its advanced evasion capabilities. It continuously adapted its infrastructure and techniques to avoid detection.

  • Dynamic CAPTCHA challenges to block automated analysis
  • Heavy JavaScript obfuscation and randomized code
  • Browser fingerprinting and geolocation filtering
  • Detection of security tools and sandbox environments
  • Multi-layer redirect chains using legitimate services

These techniques made traditional detection methods less effective, requiring more advanced behavioral and real-time analysis approaches.


Resurgence and Ongoing Threat

Following the disruption, Tycoon2FA activity dropped briefly but returned to previous levels within days. Attack techniques and infrastructure patterns remained largely unchanged.

Threat actors continued to leverage:

  • Business email compromise (BEC) campaigns
  • Cloud account takeovers
  • Malicious redirect chains
  • Compromised legitimate services

This rapid recovery highlights the resilience and adaptability of modern phishing ecosystems.


Outlook

While Tycoon2FA continues to operate after the temporary disruption of its infrastructure by the coordinated industry and law enforcement operation, CrowdStrike nonetheless applauds the efforts by Europol and its partners to disrupt this threat actor’s operations.

When cross-domain disruption avenues are unavailable to law enforcement bodies, infrastructure disruption – even if only temporary – can serve to frustrate, slow down, and confuse adversaries. As recovery from such disruptions occurs, CrowdStrike and other industry partners must stand ready to orient themselves to the evolving nature of these threats.

Falcon Complete continues to detect and prevent threats such as those described in this blog at the phishing, DNS resolution, cloud authentication, and BEC Exchange inbox levels through CrowdStrike Falcon® Next-Gen SIEM and the Falcon platform. Threat actors like those who operate Tycoon2FA are likely to adapt readily to disruptions by developing rapid recovery mechanisms and leveraging jurisdictional safe havens to maintain operations. It is also highly likely that the operators will continue to evolve their TTPs to evade detection and defenders, including by moving to new ASNs. Customers of the Tycoon2FA phish kit continue to send phishing emails that result in successful compromises, so enterprises must continue to employ defense-in-depth approaches to combat AITM PhaaS actors in the threat landscape.

Staying ahead of adversaries requires continuous visibility across the full attack surface, real-time signal correlation across domains, and the expertise to act decisively. In the face of resilient adversaries who work to mitigate the impacts of disruption efforts, CrowdStrike combines its AI-native platform with expert human defenders in Counter Adversary Operations and Falcon Complete to empower organizations to stay ahead of threats, effectively disrupting and neutralizing attacks before adversaries can achieve their objectives.

