LmCast :: Stay tuned in

Tycoon2FA phishing platform returns after recent police disruption

Recorded: March 24, 2026, 2:22 a.m.


By Bill Toulas

March 23, 2026
05:52 PM

The Tycoon2FA phishing-as-a-service (PhaaS) platform that Europol and partners disrupted on March 4 has already returned to previously observed activity levels.
Microsoft led the technical disruption, which involved seizing 330 domains that were part of Tycoon2FA’s backbone infrastructure, including the control panels and phishing pages used in attacks.
However, the disruption caused by law enforcement was short-lived, as CrowdStrike saw the cybercrime service return to normal operational volumes within days.
“Falcon Complete observed a short-term decrease in the volume of Tycoon2FA campaign activity following the takedown, with daily volumes on March 4 and March 5, 2026, reducing to 25% of pre-disruption levels,” reads CrowdStrike’s report.
“However, this volume subsequently returned to pre-disruption levels, with daily levels of cloud compromise active remediations returning to early 2026 levels.”
First documented by Sekoia roughly two years ago, Tycoon2FA appeared online as a PhaaS platform dedicated to targeting Microsoft 365 and Gmail accounts, featuring adversary-in-the-middle mechanisms that enable bypassing two-factor authentication (2FA) protections.
A month later, Trustwave reported that Tycoon2FA’s operators were actively improving the platform, adding new, advanced features, and enticing more cybercriminals to purchase access.
Tycoon2FA is a significant actor on the phishing scene, with Microsoft reporting that it generated 30 million phishing emails per month, accounting for 62% of all emails blocked by the tech giant.
According to CrowdStrike, Tycoon2FA is back in business using largely unchanged tactics, techniques, and procedures (TTPs), and supports a diverse set of illegal activities, such as business email compromise (BEC), email thread hijacking, cloud account takeovers, and malicious SharePoint links.
Since the disruption action, Tycoon2FA has been used in malicious email campaigns that rely on malicious URLs and shortener services, on legitimate platforms such as presentation tools whose redirection mechanisms are abused, and on compromised domains.

[Image: AI-generated decoy web pages used in Tycoon2FA attacks. Source: CrowdStrike]
Interestingly, some of the old infrastructure remained active, indicating that the disruption was incomplete, while new phishing domains and IP addresses were registered quickly following the law enforcement operation.
The observed post-compromise activity includes the creation of inbox rules, hidden folders used to stash fraud-related emails, and preparation for BEC operations.
Ultimately, CrowdStrike comments that, without arrests or physical seizures, it’s easy for cybercriminals to recover and replace the impacted infrastructure. As long as the demand from the phishing ecosystem is high, the motive for PhaaS platform operators remains unchanged.
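The post-compromise inbox rules and hidden folders described above are something defenders can hunt for in mailbox audit logs. The following is an added example, not code from the article or from CrowdStrike: a Python scorer run over constructed records in the shape of Microsoft 365 unified audit log entries for New-InboxRule / Set-InboxRule (the record layout, the keyword list and the folder list are all assumptions, not values from the report).

```python
# Assumed heuristic lists (not from the report): BEC filter terms and folders used to park diverted mail.
BEC_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "password", "mfa"}
PARKING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "conversation history"}

def rule_params(record):
    """Flatten the Parameters list of a New-InboxRule / Set-InboxRule audit record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def score_rule(record):
    """Score one audit record: BEC keyword filters, low-visibility folders, delete/read flags and forwards add points."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    params, score, reasons = rule_params(record), 0, []
    filters = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
    text = " ".join(str(params.get(k, "")) for k in filters).lower()
    hits = sorted(w for w in BEC_KEYWORDS if w in text)
    if hits:
        score, reasons = score + 2, reasons + [f"filters on BEC keywords {hits}"]
    folder = str(params.get("MoveToFolder", "")).strip().lower()
    if folder and (folder in PARKING_FOLDERS or folder.startswith(".") or len(folder) <= 2):
        score, reasons = score + 2, reasons + [f"moves mail to low-visibility folder {folder!r}"]
    for flag in ("DeleteMessage", "MarkAsRead"):
        if str(params.get(flag, "")).lower() == "true":
            score, reasons = score + 1, reasons + [flag]
    for fwd in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if params.get(fwd):
            score, reasons = score + 2, reasons + [f"{fwd} -> {params[fwd]}"]
    if str(params.get("Name", "x")).strip() in ("", ".", "..", ","):
        score, reasons = score + 1, reasons + ["blank or single-character rule name"]
    return score, reasons

def find_suspicious_rules(records, threshold=3):
    """Return the user, score and reasons for every record scoring at or above threshold."""
    findings = []
    for rec in records:
        score, why = score_rule(rec)
        if score >= threshold:
            findings.append({"user": rec.get("UserId"), "score": score, "reasons": why})
    return findings

# Constructed sample records in the shape of Microsoft 365 unified audit log entries (assumed shape).
SAMPLE_AUDIT = [
    {"UserId": "finance@example.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "MarkAsRead", "Value": "True"},
        {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"UserId": "alice@example.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"},
        {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}]},
]
```

Calling `find_suspicious_rules(SAMPLE_AUDIT)` flags only the finance mailbox rule; the threshold and point values are tuning knobs, not calibrated figures.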


Related Articles:
- Europol-coordinated action disrupts Tycoon2FA phishing platform
- Police sinkholes 45,000 IP addresses in cybercrime crackdown
- Police arrests 651 suspects in African cybercrime crackdown
- Police arrests 300 suspects linked to African cybercrime rings
- Microsoft Azure Monitor alerts abused for callback phishing attacks

Tags: Cybercrime, PhaaS, Phishing, Phishing-as-a-Service, Tycoon 2FA

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


The Tycoon2FA phishing-as-a-service (PhaaS) platform, first identified by Sekoia roughly two years ago, has resurfaced after a law-enforcement disruption coordinated by Europol, in which Microsoft led the technical takedown. The platform, which targets Microsoft 365 and Gmail accounts, uses adversary-in-the-middle techniques to bypass two-factor authentication (2FA) protections. After a takedown operation that seized 330 domains associated with Tycoon2FA’s infrastructure, the platform returned to its pre-disruption activity levels within days, as observed by CrowdStrike.

According to CrowdStrike’s report, Tycoon2FA continues to employ largely unchanged tactics, techniques, and procedures (TTPs), facilitating activities such as business email compromise (BEC), email thread hijacking, cloud account takeovers, and the dissemination of malicious SharePoint links. The platform’s scale is evident from its output of approximately 30 million phishing emails per month, representing 62% of all emails blocked by Microsoft. Despite the initial disruption, cybercriminals rapidly registered new phishing domains and IP addresses, indicating that the takedown was only partially effective.

Post-compromise activity observed by CrowdStrike included the creation of inbox rules, hidden folders for storing fraud-related emails, and preparations for BEC operations. Notably, a portion of the original infrastructure remained active, suggesting the disruption was incomplete and showing how quickly such cybercriminal operations adapt. The operators’ ability to recover and replace seized infrastructure underscores the inherent difficulty of combating PhaaS platforms while demand from the broader phishing ecosystem remains high. The report emphasizes that as long as the need for such services persists, the motivation for operators like Tycoon2FA remains unchanged, creating a persistent threat landscape.