{"id":19485,"date":"2026-04-13T10:25:08","date_gmt":"2026-04-13T10:25:08","guid":{"rendered":"https:\/\/www.ignition-technology.com\/benelux\/?p=19485"},"modified":"2026-04-13T10:25:08","modified_gmt":"2026-04-13T10:25:08","slug":"tycoon2fa-phishing-as-a-service-platform-persists-following-takedown","status":"publish","type":"post","link":"https:\/\/www.ignition-technology.com\/benelux\/blog\/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown\/","title":{"rendered":"Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown"},"content":{"rendered":"
\n

On March 4, 2026, Europol\u00a0announced<\/a>\u00a0the technical disruption of\u00a0Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform that enabled cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts. Law enforcement authorities from six countries worked with industry partners to seize 330 domains that formed the platform\u2019s core infrastructure.<\/p>\n

Infrastructure takedowns are a challenging and important aspect of adversary disruption and a centerpiece of law enforcement and private sector cooperation in cybersecurity. In situations where direct physical enforcement actions such as arrests are infeasible, disrupting bad actors’ operational means can often be the most efficacious and direct way to impose costs on criminals who otherwise act with relative impunity. Nonetheless, law enforcement bodies and their industry partners often go into these technically complicated efforts knowing full well that adversaries are resilient and will likely ultimately overcome or circumvent technical disruptions and reemerge as threats once again.<\/p>\n

CrowdStrike applauds Europol and its partners in their disruption efforts against\u00a0Tycoon2FA. CrowdStrike has often joined law enforcement partners in conducting similar disruption efforts and will continue to do so in the future. As a part of this collaborative spirit, CrowdStrike also stands ready to help provide visibility into the efficacy of disruption operations and help provide “long-tail support” to its customers and the public when criminals attempt to reconstitute their infrastructure in the wake of disruptions.<\/p>\n

Since the date of the Tycoon2FA takedown, the CrowdStrike Falcon\u00ae Complete Next-Gen MDR team and CrowdStrike Counter Adversary Operations team observed a short-term decrease in the volume of Tycoon2FA campaign activity; however, the volume of cloud compromises has since increased to levels previously observed by Falcon Complete. This resumed campaign volume – and the continuation of previously observed Tycoon2FA tactics, techniques, and procedures (TTPs) – suggests the actors responsible for the PhaaS are likely to remain active in the threat landscape in the short to medium term and warrant continued vigilance by defenders.<\/p>\n

Tycoon2FA\u00a0is a clear example of how today’s adversaries operate; they are highly adaptive, technically capable, and persistent in pursuing their objectives. Even as the threat landscape shifts, actors behind platforms like these continue to evolve their TTPs and find ways to maintain pressure on defenders. Staying ahead of that persistence requires continuous visibility across the full attack surface, the ability to correlate signals across domains in real time, and the expertise to act on them decisively. The AI-native CrowdStrike Falcon\u00ae platform and the expert defenders in Counter Adversary Operations and Falcon Complete give organizations the speed and depth of coverage needed to detect, disrupt, and respond before adversaries achieve their objectives.<\/p>\n

\n

Impact of the Disruption<\/h2>\n

Tycoon2FA\u00a0began its operations in 2023 and provided a subscription-based toolkit that intercepted live authentication sessions using adversary-in-the-middle (AITM) techniques. In mid-2025, the platform was responsible for 62% of all phishing attempts blocked by\u00a0Microsoft<\/a>;\u00a0Tycoon2FA\u00a0purportedly generated more than 30 million malicious emails in a single month. Given this prominence, the attempt at disrupting the tool was notable as an effort by law enforcement to disrupt a key component of the PhaaS ecosystem.<\/p>\n

The March 4th\u00a0Tycoon2FA\u00a0disruption was the result of coordinated action between Europol\u2019s European Cybercrime Centre (EC3) and law enforcement authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom, alongside industry partners. The coordinated effort targeted 330 domains comprising the platform\u2019s infrastructure. Additional actions against the individuals related to the PhaaS operation have not yet been reported.<\/p>\n

This\u00a0Tycoon2FA\u00a0takedown follows law enforcement\u2019s September 2025 targeting of\u00a0RaccoonO365, which operated as\u00a0Tycoon2FA\u2019s primary competitor and also enabled threat actors (with minimal technical expertise) to conduct sophisticated phishing campaigns.<\/p>\n

Falcon Complete observed numerous Tycoon2FA incidents in 2024, 2025, and 2026, with TTPs that include:<\/p>\n