Police dismantle major phishing platform blamed for attacks on hospitals and schools

International law enforcement agencies have dismantled a major phishing-as-a-service platform used to target hundreds of thousands of accounts worldwide, including those tied to hospitals and schools, Europol said Wednesday.

The service, known as Tycoon 2FA, offered criminals a ready-made toolkit for stealing login credentials and bypassing multi-factor authentication, allowing attackers to access accounts even when additional security checks were enabled.

Authorities disrupted the operation by seizing 330 domains used to host phishing sites and operate the platform’s infrastructure. Active since 2023, Tycoon 2FA sent tens of millions of phishing emails each month and targeted more than 500,000 organizations worldwide.

Healthcare and education organizations were among the hardest hit.

Microsoft said more than 100 members of Health-ISAC, a cybersecurity information-sharing group for the health sector, were successfully phished. In New York alone, at least two hospitals, six public schools and three universities reported attempted or successful compromises tied to Tycoon 2FA.

“These incidents had tangible consequences,” Microsoft stated, with compromised accounts leading to operational disruptions and delays in patient care.

Unlike conventional phishing kits that simply harvest passwords, Tycoon 2FA was designed to defeat strong security protections. The service intercepted authentication sessions in real time, capturing both login credentials and one-time verification codes. This allowed attackers to log in as legitimate users without triggering security alerts.

The platform also lowered the barrier to cybercrime by packaging sophisticated phishing tools into a subscription-based service. At its peak, Tycoon 2FA accounted for about 62% of all phishing attempts blocked by Microsoft.

“Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such as data theft, ransomware, business email compromise and financial fraud,” the company said.

Authorities believe the service’s developer is based in Pakistan and worked with partners responsible for marketing, payments and customer support. Cybercriminals often paired Tycoon 2FA with other illicit services that handled mass email distribution, malware hosting and the resale of stolen account access to conduct large-scale cybercrime campaigns.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 
