Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks

Europol-Led Operation Disrupts Tycoon 2FA Phishing Service

Europol, in collaboration with law enforcement agencies and security companies, has dismantled Tycoon 2FA, a prominent phishing-as-a-service (PhaaS) toolkit. This subscription-based service, which first appeared in August 2023, was described by Europol as one of the largest phishing operations worldwide.

Details of the Phishing Kit

Tycoon 2FA offered a web-based administration panel for configuring, tracking, and refining phishing campaigns. The panel included pre-built templates, attachment files for common lure formats, domain and hosting configuration, redirect logic, and victim tracking. Operators could also configure how malicious content is delivered through attachments and monitor valid and invalid sign-in attempts.

Impact and Scale of the Operation

The platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions. Microsoft, which tracks the operators under the name Storm-1747, reported that Tycoon 2FA became the most prolific platform it observed in 2025, and that it blocked more than 13 million malicious emails linked to the crimeware service.

Evolution and Tactics of Tycoon 2FA

Tycoon 2FA employed advanced techniques such as keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages to evade detection. The platform also used a broader mix of top-level domains (TLDs) and short-lived fully qualified domain names (FQDNs) to host the phishing infrastructure on Cloudflare.

Coordinated Effort to Take Down the Service

As part of the coordinated effort, 330 domains that formed the backbone of the criminal service, including phishing pages and control panels, have been taken down. Intel 471 characterized Tycoon 2FA as dangerous, noting that it was linked to over 64,000 phishing incidents and tens of thousands of domains.

Targeting and Implications

Campaigns leveraging Tycoon 2FA have indiscriminately targeted almost all sectors, including education, healthcare, finance, non-profit, and government. Phishing emails sent from the kit reached over 500,000 organizations each month worldwide. Microsoft stated that Tycoon 2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail.

Conclusion

The dismantling of Tycoon 2FA represents a significant blow to cybercriminals who relied on this service to carry out large-scale phishing attacks. However, phishing remains an ongoing threat, and organizations must stay vigilant to protect against it.


Original article: https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html