Coinbase, Microsoft & Europol Take Down Tycoon 2FA Phishing

By Kevin Giorgin | March 5, 2026 at 4:07 AM | Edited by Josh Sielstad

What to Know

  • 330 domains linked to Tycoon 2FA were blocked by Microsoft as part of a coordinated takedown with Europol and Coinbase
  • 62% of all phishing attempts Microsoft intercepted by mid-2025 originated from Tycoon 2FA, including over 30 million malicious emails in one month
  • Coinbase traced blockchain transactions that funded the platform, helping identify its alleged administrator and buyers
  • Phishing scams cost crypto investors $722 million across 248 incidents in 2025, according to CertiK

Coinbase, Microsoft, and Europol have jointly dismantled the core infrastructure behind Tycoon 2FA, one of the largest phishing-as-a-service platforms in operation. Europol confirmed on Wednesday that the coordinated effort shut down a criminal toolkit responsible for bypassing multi-factor authentication protections at scale, marking a major victory against credential theft.

Coalition Blocks 330 Domains Linked to Tycoon 2FA

The joint operation resulted in Microsoft blocking 330 domains tied to the phishing platform, while law enforcement agencies seized additional critical infrastructure. Financial investigation played a central role, with Coinbase revealing that it tracked blockchain-based transactions used to fund the service.

Through that tracing work, Coinbase helped uncover the identity of the platform's alleged administrator along with its buyers. The exchange stated that dismantling Tycoon's core systems eliminates a major pipeline for credential theft and initial access, forcing criminals to rebuild from scratch while taking on greater risk.

By mid-2025, Tycoon 2FA accounted for 62% of all phishing attempts that Microsoft intercepted, including more than 30 million malicious emails in a single month, according to Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit. Masada noted the platform had been operational since at least 2023.

Taking Tycoon's core infrastructure offline cuts off a major pipeline for credential theft and initial access, and forces criminals to rebuild, retool, and take on more risk.

— Coinbase, Official Statement

How Did Tycoon 2FA Bypass Multi-Factor Authentication?

Tycoon 2FA is a phishing-as-a-service platform that gave cybercriminals ready-made tools to defeat MFA protections. Its toolkit featured spoofed landing pages engineered to harvest users' credentials for legitimate websites. The platform also captured session cookies and authentication tokens generated during the login process, according to Coinbase.

When a user authenticates with MFA, the system issues a session token stored in the browser as proof of identity. By stealing that token, attackers could impersonate the victim and gain full access without needing the second authentication factor. Coinbase described this combination of high-fidelity lures and session-token theft as a reliable on-ramp for account takeovers, business email compromise, invoice fraud, and social engineering.
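The Python below is an added illustration for defenders, not code from the article or from the companies it quotes: it binds each session token to the network and client seen when MFA completed, then flags later use of that token from a different context. The event fields, severity labels and sample log entries are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Event(NamedTuple):
    ts: str
    kind: str        # "issued" = token minted after MFA, "used" = token presented later
    session: str
    user: str
    ip: str
    user_agent: str

# Constructed sample events for illustration; not taken from any real system.
SAMPLE = [
    Event("2026-03-04T09:00:05Z", "issued", "s-1001", "alice", "198.51.100.23", "Firefox/135 Windows"),
    Event("2026-03-04T09:02:11Z", "used", "s-1001", "alice", "198.51.100.40", "Firefox/135 Windows"),
    Event("2026-03-04T09:03:30Z", "used", "s-1001", "alice", "203.0.113.77", "python-requests/2.32"),
    Event("2026-03-04T10:15:00Z", "issued", "s-1002", "bob", "192.0.2.14", "Chrome/133 macOS"),
    Event("2026-03-04T10:40:00Z", "used", "s-1002", "bob", "203.0.113.9", "Chrome/133 macOS"),
    Event("2026-03-04T11:00:00Z", "used", "s-9999", "carol", "192.0.2.200", "Chrome/133 macOS"),
]

def network(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so address churn inside one network is ignored."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_replays(events):
    """Return (session, user, severity, reason) for token uses that break the issuance binding."""
    bound = {}       # session id -> (network, user agent) recorded when MFA completed
    findings = []
    for ev in events:
        ctx = (network(ev.ip), ev.user_agent)
        if ev.kind == "issued":
            bound[ev.session] = ctx
            continue
        if ev.session not in bound:
            findings.append((ev.session, ev.user, "low", "no issuance record"))
            continue
        net_changed = ctx[0] != bound[ev.session][0]
        ua_changed = ctx[1] != bound[ev.session][1]
        if net_changed and ua_changed:
            findings.append((ev.session, ev.user, "high", "new network and new client"))
        elif net_changed or ua_changed:
            reason = "network changed" if net_changed else "client changed"
            findings.append((ev.session, ev.user, "low", reason))
    return findings

if __name__ == "__main__":
    for finding in find_replays(SAMPLE):
        print(finding)
```

A network change alone is graded low because roaming users trigger it routinely; a new network combined with a new client is the stronger signal that a token is being presented by someone other than the user who completed MFA.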

Masada explained that the platform lowered the technical barrier to entry, enabling criminals with limited expertise to launch sophisticated impersonation attacks. Industries spanning healthcare to education fell victim, resulting in rerouted invoices, stolen sensitive data, locked networks, and disruptions to patient care.

Phishing Remains a Persistent Crypto Threat in 2026

Phishing attacks ranked as the second-largest threat to the crypto industry in 2025, costing investors $722 million across 248 incidents, according to blockchain security firm CertiK. A PeckShield spokesperson confirmed on Monday that phishing continues to pose a persistent danger heading into 2026, underscoring the need for coordinated disruption efforts like the Tycoon takedown.

Masada emphasized that removing the infrastructure prevents downstream crimes. He stated that the operation protects individuals and organizations from follow-on attacks including data theft, ransomware, business email compromise, and financial fraud. The takedown sends a clear signal that phishing-as-a-service operators face real consequences when technology companies and law enforcement collaborate.

By lowering the technical barrier to entry, it allowed criminals with limited expertise to run sophisticated impersonation campaigns.

— Steven Masada, Assistant General Counsel, Microsoft Digital Crimes Unit

About the Author

Kevin Giorgin

Senior Crypto Journalist

Kevin Giorgin is a senior crypto journalist with over five years of experience covering Bitcoin, DeFi, and blockchain technology at Bitcoinomist.

Disclosure: This article does not represent investment advice. The content and materials featured on this page are for educational purposes only.