Tycoon 2FA phishing-as-a-service platform downed by Europol and a network of partners

A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol.

Tycoon 2FA was designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers.

Active since at least August 2023, Tycoon 2FA was among the largest phishing operations worldwide. By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft.

The core infrastructure of Tycoon 2FA, a criminal service used to bypass multi-factor authentication, was formed by 330 domains, including phishing pages and control panels.

Tycoon 2FA enabled thousands of cybercriminals to covertly access email and cloud-based service accounts. At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorised access to nearly 100 000 organisations globally, including schools, hospitals, and public institutions.

Details of the takedown operation

The action was carried out by law enforcement partners and private sector stakeholders working hand in hand, coordinated by Europol’s European Cybercrime Centre (EC3). Europol acted as the central hub between private partners and investigators, ensuring intelligence was shared with affected countries and translated into coordinated operational action.

The investigation began after intelligence was shared by Trend Micro. Europol disseminated this information through its EC3 Advisory Groups and operational networks, enabling a coordinated operational strategy to be developed. A number of Advisory Group members were subsequently brought into the investigation to support the disruption effort.

Through Europol’s Cyber Intelligence Extension Programme (CIEP), Microsoft and Trend Micro worked alongside law enforcement authorities, providing technical expertise and infrastructure analysis.

The technical disruption was led by Microsoft with the support of a coalition of private partners, while seizure of infrastructure and other operational measures were carried out by law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom – all of this coordinated by Europol.

Why it matters

The byword here is collaboration. Europol’s Cyber Intelligence Extension Programme (CIEP) strengthens public-private cooperation in tackling cybercrime by enabling private-sector partners to contribute actionable intelligence to support operational outcomes.

This Europol programme – a first of its kind – brings together experts from the private sector to work temporarily side by side in The Hague on specific projects with EC3 analysts and investigators.

Through this framework, Europol facilitates collaboration between industry and Member State authorities by:

  • supporting cross-border disruption of criminal infrastructure;
  • enabling operational deconfliction;
  • ensuring timely intelligence sharing on emerging threats and criminal methods.

By deepening trusted public-private collaboration, the programme reinforces a collective approach that is essential to achieving disruption at scale and shaping the future response to cybercrime.

Further reading

Global phishing-as-a-service platform taken down in coordinated public-private action. Press release. March 4, 2026. EUROPOL