Cyber: Europol-led Operation Takes Down Tycoon 2fa Phishing-as-a-service...

Tycoon 2FA, one of the prominent phishing-as-a-service (PhaaS) toolkits that allowed cybercriminals to stage adversary-in-the-middle (AitM) credential harvesting attacks at scale, was dismantled by a coalition of law enforcement agencies and security companies.

The subscription-based phishing kit, which first emerged in August 2023, was described by Europol as one of the largest phishing operations worldwide. The kit was available for a starting price of $120 for 10 days or $350 for access to a web-based administration panel for a month.

The panel serves as a hub for configuring, tracking, and refining campaigns. It features pre‑built templates, attachment files for common lure formats, domain and hosting configuration, redirect logic, and victim tracking. Operators can also configure how the malicious content is delivered through attachments, as well as keep tabs on valid and invalid sign-in attempts.

"It enabled thousands of cybercriminals to covertly access email and cloud-based service accounts," Europol said. "At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions."

As part of the coordinated effort, 330 domains that formed the backbone of the criminal service, including phishing pages and control panels, have been taken down.

Characterizing Tycoon 2FA as "dangerous," Intel 471 said the kit was linked to over 64,000 phishing incidents and tens of thousands of domains, generating tens of millions of phishing emails each month. According to Microsoft, which is tracking the operators of the service under the name Storm-1747, Tycoon 2FA became the most prolific platform observed by the company in 2025, with the company blocking more than 13 million malicious emails linked to the crimeware service.

Data from Proofpoint shows that Tycoon 2FA accounted for the highest volume of AitM phishing threats. The email security company said it observed over three million messages associated with the phishing kit in February 2026 alone. Trend Micro, which was one of the private sector partners in the operation, noted that the PhaaS platform had approximately 2,000 users.

Campaigns leveraging Tycoon 2FA have indiscriminately targeted almost all sectors, including education, healthcare, finance, non-profit, and government. Phishing emails sent from the kit reached over 500,000 organizations each month worldwide.

"Tycoon 2FA's p

Source: The Hacker News