Europol-Coordinated Takedown Destroys Major MFA-Bypass Phishing Platform
A sweeping international law enforcement and private-sector operation has dismantled Tycoon2FA, one of the most prolific phishing-as-a-service (PhaaS) platforms ever documented. The coordinated action, announced on March 4, 2026, was orchestrated through Europol's Cyber Intelligence Extension Programme (CIEP) with technical disruption executed by Microsoft and a broad coalition of cybersecurity partners.
In total, 330 domains — comprising the platform's control panels, reverse-proxy phishing pages, and backend infrastructure — were seized and taken offline. Europol simultaneously coordinated physical operational measures in six countries: Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom.
The operation has also identified Saad Fridi, a Pakistani national, as the platform's primary developer and administrator.
Operation at a Glance
| Detail | Value |
|---|---|
| Platform | Tycoon2FA (PhaaS) |
| Active Since | August 2023 |
| Domains Seized | 330 |
| Lifetime Domains Used | 24,000+ |
| Platform Subscribers | ~2,000 |
| Organizations Targeted Monthly | 500,000+ |
| Phishing Volume (Oct 2025 – Jan 2026) | ~87.5 million messages |
| Subscription Price | $120 / 10 days (Telegram) |
| Attack Type | Adversary-in-the-Middle (AiTM), MFA bypass |
| Key Suspect | Saad Fridi (Pakistan) |
| Lead Agency | Europol (CIEP) |
| Technical Lead | Microsoft |
| Partner Countries | Latvia, Lithuania, Portugal, Poland, Spain, UK |
| Action Date | March 4, 2026 |
What Was Tycoon2FA?
A Subscription Phishing Factory
Tycoon2FA was a fully commoditized phishing-as-a-service platform available on Telegram for as little as $120 for 10 days of access. The subscription model meant even low-skilled criminal actors could launch highly sophisticated, MFA-bypassing phishing campaigns with no technical expertise required — just a subscription and a target list.
Since launching in August 2023, the platform attracted approximately 2,000 active subscribers and churned through more than 24,000 domains to continuously evade blocklists, threat intelligence feeds, and detection tools.
How the Adversary-in-the-Middle (AiTM) Chain Worked
The platform's defining technical capability was its use of adversary-in-the-middle (AiTM) techniques to defeat multi-factor authentication in real time:
- Lure delivery: A fraudulent email drives the victim to a convincing phishing page — an exact replica of Microsoft 365, Gmail, or another targeted service
- Transparent proxy: The phishing page acts as a live relay, forwarding the victim's credentials to the real service in real time
- OTP capture: As the victim completes MFA (entering their one-time passcode), the platform captures it simultaneously
- Session cookie theft: The authenticated session cookie generated after successful login is intercepted and forwarded to the attacker
- Replay access: Attackers replay the captured session cookie to gain full access to the victim's account — MFA has been completely bypassed
This technique renders SMS-based MFA and TOTP authenticator codes ineffective — the attacker receives the session cookie before the victim even realizes they've been phished.
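Why the same relay does not work against origin-bound credentials, shown as an added Go model that is not code from the article or from any vendor named in it: the browser writes the origin it is actually connected to into the signed clientDataJSON, so an assertion collected on a proxy domain fails verification at the real service even when the challenge was relayed faithfully. This is the property behind the FIDO2/passkey recommendation in the Recommendations section. The relying-party origin, proxy origin and challenge strings are constructed, and authenticatorData is omitted from the signed payload to keep the model short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData models the WebAuthn clientDataJSON fields that matter for AiTM
// (authenticatorData is left out of the signed payload to keep the model short).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewCredential models registration: one P-256 key pair per user and relying party.
func NewCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign models browser plus authenticator. The browser, not the page it renders,
// fills in Origin with the site it is actually connected to, and that value is signed.
func Sign(key *ecdsa.PrivateKey, challenge, browserOrigin string) (cdJSON, sig []byte, err error) {
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, browserOrigin}) // strings only: cannot fail
	h := sha256.Sum256(cdJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, key, h[:])
	return cdJSON, sig, err
}

// Verify models the relying party (RP). A relayed assertion carries a valid signature
// and the RP's own challenge, yet fails because the signed origin is the proxy's.
func Verify(pub *ecdsa.PublicKey, challenge, rpOrigin string, cdJSON, sig []byte) (bool, string) {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil {
		return false, "malformed clientDataJSON"
	}
	h := sha256.Sum256(cdJSON)
	switch {
	case !ecdsa.VerifyASN1(pub, h[:], sig):
		return false, "bad signature"
	case cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return false, "type or challenge mismatch"
	case cd.Origin != rpOrigin:
		return false, "origin mismatch: signed for " + cd.Origin
	}
	return true, "ok"
}
```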
Scale and Impact
| Metric | Value |
|---|---|
| Organizations targeted monthly | 500,000+ |
| Phishing messages (Oct 2025 – Jan 2026) | ~87.5 million |
| Platform lifetime domains | 24,000+ |
| Active subscribers at time of takedown | ~2,000 |
| Subscription model | $120 / 10 days via Telegram |
| Primary targets | Microsoft 365, Outlook, Gmail, enterprise SSO |
Tycoon2FA was a key enabler of initial access for a wide range of downstream attacks. Compromised credentials and session cookies captured through the platform were used to conduct business email compromise (BEC), wire fraud, ransomware deployment, corporate data theft, and account takeover attacks at scale.
The Coalition Behind the Takedown
Europol's Cyber Intelligence Extension Programme (CIEP) served as the intelligence-sharing and operational coordination hub. The operation was notable for the breadth of its public-private partnership:
Law Enforcement
- Europol — coordination and intelligence sharing
- National authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom — domain seizures and operational measures
Private Sector Partners
- Microsoft — technical lead; court-ordered seizure of 330 domains under U.S. District Court (Southern District of New York) authority
- Trend Micro (TrendAI) — threat intelligence and analysis
- Cloudflare — infrastructure visibility and disruption support
- Proofpoint — email threat intelligence
- SpyCloud — credential exposure intelligence
- Intel471 — cybercriminal intelligence
- Coinbase — financial intelligence related to platform payments
- eSentire, Health-ISAC, Crowell, Resecurity, The Shadowserver Foundation — additional intelligence and support roles
Key Suspect
Saad Fridi, identified as the platform's primary developer and administrator, is based in Pakistan. Legal proceedings are ongoing; full arrest or charging details were not confirmed at time of publication.
Recommendations
For Security Teams
- Deploy phishing-resistant MFA immediately — migrate away from SMS and TOTP to FIDO2/WebAuthn hardware keys (YubiKey, Titan) or passkeys; these are cryptographically bound to the legitimate origin and cannot be relayed by AiTM proxies
- Implement Conditional Access policies — require device compliance, apply impossible travel detection, and flag new device logins even post-MFA
- Enable DMARC, DKIM, and SPF enforcement — reduce the volume of fraudulent lure emails reaching users
- Deploy email link sandboxing — rewrite and analyze URLs at click-time to block phishing pages even after delivery
- Monitor for anomalous session activity — flag logins from new geolocations, device fingerprints, or IP addresses following successful MFA; this can catch session cookie replay in progress
- Apply available IOCs — Microsoft and Trend Micro are publishing Tycoon2FA indicators of compromise; apply them across endpoint, network, and email controls
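A minimal detection for the session-replay pattern named in the monitoring recommendation, added here as an illustration and not taken from the article or any vendor product: a cookie minted after MFA from one IP and device that is then presented from a different IP or device within a short window is flagged. The event shape, field names and the sign-in log it runs over are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// AuthEvent is a simplified sign-in record (constructed shape, not any vendor's log format).
type AuthEvent struct {
	Time   time.Time
	User   string
	Kind   string // "mfa_success" or "session_use"
	IP     string
	Device string // device fingerprint or user-agent hash
}

// ReplayAlerts flags each session use that follows the same user's MFA success within
// window but comes from a different IP or device: in an AiTM login the MFA step is seen
// from the proxy and the stolen cookie is replayed from the attacker's client, so they differ.
func ReplayAlerts(events []AuthEvent, window time.Duration) []string {
	lastMFA := map[string]AuthEvent{}
	var alerts []string
	for _, e := range events {
		if e.Kind == "mfa_success" {
			lastMFA[e.User] = e
			continue
		}
		m, seen := lastMFA[e.User]
		if e.Kind != "session_use" || !seen || e.Time.Sub(m.Time) > window {
			continue
		}
		if e.IP != m.IP || e.Device != m.Device {
			alerts = append(alerts, fmt.Sprintf("%s: cookie used from %s/%s %s after MFA from %s/%s",
				e.User, e.IP, e.Device, e.Time.Sub(m.Time), m.IP, m.Device))
		}
	}
	return alerts
}

// SampleEvents is a constructed log: alice logs in normally; bob's cookie is
// reused from another network and device one minute after his MFA completed.
func SampleEvents() []AuthEvent {
	t := time.Date(2026, 3, 4, 9, 0, 0, 0, time.UTC)
	return []AuthEvent{
		{t, "alice", "mfa_success", "203.0.113.10", "dev-a1"},
		{t.Add(2 * time.Minute), "alice", "session_use", "203.0.113.10", "dev-a1"},
		{t.Add(5 * time.Minute), "bob", "mfa_success", "198.51.100.7", "dev-b2"},
		{t.Add(6 * time.Minute), "bob", "session_use", "192.0.2.44", "dev-x9"},
	}
}
```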
For End Users
- Never enter credentials on a page reached by clicking an email link — type URLs directly into your browser or use bookmarks
- Use passkeys where available — Apple, Google, and Microsoft passkeys are phishing-resistant by design
- Report suspicious authentication prompts immediately to your security team — AiTM attacks often produce subtle visual artifacts
- Enable session activity alerts on critical accounts (Microsoft 365, Google Workspace) to catch unauthorized access early
Key Takeaways
- Tycoon2FA targeted 500,000+ organizations monthly — the scale of commoditized PhaaS infrastructure demonstrates that phishing is now industrialized crime-as-a-service
- 87.5 million phishing messages in four months — this volume is only achievable through automated, subscription-based infrastructure like Tycoon2FA
- Standard MFA cannot defend against AiTM attacks — TOTP codes and SMS OTPs are capturable in real time; only FIDO2/passkeys are immune
- $120 subscriptions democratized sophisticated attacks — removing technical barriers means the criminal market for phishing campaigns expands with each new PhaaS platform
- The public-private coalition model is maturing — Europol's coordination of Microsoft, six national law enforcement agencies, and over a dozen private companies represents a scalable, repeatable disruption framework
- Platform disruption has limits — 24,000 domains cycled in two years shows the criminal ecosystem's resilience; organizations cannot rely on takedowns as their primary defense
Sources
- Europol-coordinated action disrupts Tycoon2FA phishing platform — BleepingComputer
- Global phishing-as-a-service platform taken down in coordinated public-private action — Europol
- Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale — Microsoft Security Blog
- How a global coalition disrupted Tycoon 2FA — Microsoft On the Issues
- Tycoon 2FA Phishing Platform Dismantled in Global Takedown — SecurityWeek
- Europol, Microsoft, TrendAI and Collaborators Halt Tycoon 2FA Operations — Trend Micro
- Global Takedown Neutralizes Tycoon2FA Phishing Service — Infosecurity Magazine