
Tycoon2FA returns to full activity days after Europol disruption


Law enforcement seized hundreds of domains tied to one of the world's most prolific phishing services, but the platform was back at full operational volume within days.


What happened

The Tycoon2FA phishing-as-a-service platform has resumed normal operations just days after a coordinated international law enforcement action disrupted its infrastructure. According to BleepingComputer, the disruption on March 4, 2026, was led by Microsoft with support from law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom, coordinated by Europol. The action resulted in the seizure of 330 domains that formed the backbone of Tycoon2FA's infrastructure, including control panels and the phishing pages used to steal credentials. Activity volumes dropped to roughly 25 percent of pre-disruption levels on March 4 and 5, but returned to early 2026 levels within days. Researchers noted that some older infrastructure remained active throughout, indicating the disruption was incomplete, and that new phishing domains and IP addresses were registered quickly after the takedown.


Going deeper

Tycoon2FA first appeared in August 2023 as a platform built to target Microsoft 365 and Gmail accounts using adversary-in-the-middle (AiTM) techniques. In an AiTM attack the phishing page acts as a reverse proxy to the real login page, relaying the victim's password and one-time code in real time and capturing the session cookie the service issues, so the attacker obtains an authenticated session even where multi-factor authentication is enforced. The platform was sold through Telegram for as little as $120 for ten days of access, lowering the barrier for low-skilled attackers to run credential theft campaigns at scale. At its peak, Tycoon2FA generated 30 million phishing emails per month, accounting for 62 percent of all phishing emails blocked by Microsoft. Following the disruption, the platform continued to support business email compromise (BEC), email thread hijacking, cloud account takeovers, and the abuse of legitimate services, including presentation platforms and compromised domains, to redirect victims. Researchers observed post-compromise activity including the creation of inbox rules, hidden folders for fraud-related emails, and preparation for further BEC operations.


What was said

Europol described Tycoon2FA as "dangerous," stating that it "enabled thousands of cybercriminals to covertly access email and cloud-based service accounts" and that "at scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions." Researchers tracking the platform's post-disruption activity noted that without arrests or physical seizures of operators, cybercriminals can rapidly rebuild infrastructure, and that as long as demand from the phishing ecosystem remains high, the motive for platform operators is unchanged. The statements were reported by BleepingComputer on March 23, 2026.


In the know

Tycoon2FA is not the only adversary-in-the-middle platform actively targeting Microsoft 365 accounts. According to BleepingComputer, a competing platform called Mamba 2FA has been tracked since at least May 2024 and is sold to attackers for $250 per month. Mamba 2FA offers similar AiTM capabilities to capture authentication tokens and bypass MFA protections, and its operators have repeatedly updated the platform's infrastructure to mask relay server IP addresses and rotate phishing link domains weekly to avoid blocklisting. The existence of multiple active, commercially operated AiTM platforms with overlapping capabilities indicates that the disruption of any single service has a limited lasting effect on the broader phishing ecosystem.


The big picture

The swift recovery of Tycoon2FA shows a structural problem in how phishing infrastructure is disrupted. According to The Hacker News, the platform had approximately 2,000 active users and reached over 500,000 organizations each month worldwide, with campaigns indiscriminately targeting education, healthcare, finance, nonprofits, and government. Despite the March 4 disruption, researchers noted that "99% of organizations experienced account takeover attempts in 2025, and 67% experienced a successful account takeover," with 59 percent of compromised accounts having MFA enabled at the time of compromise. For healthcare organizations, the exposure is compounded by how heavily the sector depends on Microsoft 365. According to Paubox's 2026 Healthcare Email Security Report, Microsoft 365 accounted for 53 percent of breached organizations in 2025, up from 43 percent the previous year, and 31 percent of breached Microsoft 365 environments were classified as high risk. Phishing-driven mailbox takeovers exposed more than 630,000 individuals across healthcare in 2025 alone, making credential theft the most damaging email attack type by patient impact, according to Paubox's Top 3 Healthcare Email Attacks report.


FAQs

What is an adversary-in-the-middle attack, and how does it bypass MFA?

An adversary-in-the-middle (AiTM) attack places a proxy between the victim and the legitimate login page, relaying the password and one-time code to the real service in real time and capturing the session cookie the service issues once the login succeeds. Because that cookie is a bearer token, the attacker can replay it from their own machine to access the account without ever needing the victim's password or MFA code again.


Why did the Europol disruption have such a short-lived effect?

The action seized domains but did not result in arrests or the physical seizure of the operators' infrastructure. Without removing the people behind the service, replacement domains and servers can be registered and deployed quickly, restoring operations within days.


What post-compromise activity has been observed following Tycoon2FA attacks?

Researchers documented attackers creating inbox rules to hide or forward emails, setting up hidden folders for fraud-related messages, and staging for business email compromise operations after gaining initial account access.
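The inbox-rule behaviour described above is one of the few post-compromise actions that leaves a clean audit trail. The following is an added example, not code from Paubox or from any of the reports cited on this page: it runs a small set of indicator checks over constructed audit records whose shape is a simplified approximation of Exchange Online admin audit entries for the New-InboxRule and Set-InboxRule cmdlets (the parameter names such as ForwardTo, MoveToFolder, DeleteMessage and SubjectContainsWords are the cmdlet's own; the tenant domain, users, addresses and IPs are made up). It flags rules that forward mail to an external domain, park matching messages in folders users rarely open, delete them, or match finance-related subjects, and it treats punctuation-only rule names as an indicator because they are a common attempt to make the rule easy to overlook.

```python
import json

INTERNAL_DOMAINS = {"clinic.example"}  # constructed tenant domain (assumption)

# Folders users rarely open, commonly used to park stolen or fraud-related mail
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "archive", "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "payment", "wire", "ach", "remit", "bank", "password"}
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")

# Constructed sample records (simplified Exchange Online audit shape, not real logs)
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2026-03-06T08:12:44","Operation":"New-InboxRule","UserId":"ap@clinic.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-03-06T08:13:02","Operation":"New-InboxRule","UserId":"ap@clinic.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"forward"},{"Name":"ForwardTo","Value":"collections@mail-example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-03-06T09:00:00","Operation":"New-InboxRule","UserId":"jr@clinic.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2026-03-06T09:05:00","Operation":"Set-Mailbox","UserId":"admin@clinic.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Identity","Value":"jr"}]}
"""


def params_of(record):
    """Flatten the record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(recipient, internal_domains):
    """True when the recipient's domain is not one of the tenant's own domains."""
    return recipient.rsplit("@", 1)[-1].lower() not in internal_domains


def rule_indicators(record, internal_domains):
    """Return the indicator tags that apply to one inbox-rule audit record."""
    p = params_of(record)
    reasons = []
    for key in FORWARD_PARAMS:
        for rcpt in p.get(key, "").split(";"):
            rcpt = rcpt.strip()
            if rcpt and is_external(rcpt, internal_domains) and "external_forward" not in reasons:
                reasons.append("external_forward")
    if p.get("MoveToFolder", "").strip().lower() in HIDE_FOLDERS:
        reasons.append("hidden_folder")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes_mail")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks_read")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_WORDS:
        reasons.append("finance_keywords")
    if not p.get("Name", "").strip(" .,;:-_"):
        reasons.append("degenerate_name")  # empty or punctuation-only rule name
    return reasons


def find_suspicious_rules(log_text, internal_domains=INTERNAL_DOMAINS):
    """Parse JSON-lines audit records and return the rule creations worth triage."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        reasons = rule_indicators(rec, internal_domains)
        # External forwarding is enough on its own; anything else needs corroboration
        if "external_forward" in reasons or len(reasons) >= 2:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "ip": rec.get("ClientIP"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['user']} from {f['ip']}: {', '.join(f['reasons'])}")
```

Run against the constructed log, the two rules created from 203.0.113.10 are flagged (a hidden-folder rule matching finance subjects with a "." name, and an external forward that also deletes the original) while the legitimate newsletter rule is not. In a real tenant the same checks would be applied to the exported unified audit log, and the ClientIP of the rule creation is worth correlating with the sign-in that produced the session, since in an AiTM compromise it is the attacker's replay host rather than the victim's.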


Why does the existence of multiple AiTM platforms matter for defenders?

When one platform is disrupted, others with similar capabilities continue operating and can absorb displaced users. Defenders who configure protections based on specific platform indicators rather than the underlying attack technique will remain exposed as platforms shift.


What steps can organizations take to reduce exposure to AiTM phishing?

Organizations should deploy phishing-resistant authentication such as hardware security keys or passkeys rather than relying on one-time codes, which AiTM attacks relay in real time. Monitoring for unusual inbox rule creation and unexpected sign-ins from new locations, and revoking active sessions when a compromise is suspected, can also limit the damage from attacks that succeed.
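Why passkeys and security keys hold up where one-time codes do not comes down to origin binding, which the AiTM FAQ above and this answer both turn on. The following added example is not code from Paubox or from any product named on this page; it is a self-contained model of the two login paths. A per-credential HMAC secret stands in for the authenticator's private-key signature (a deliberate simplification; real WebAuthn uses asymmetric keys and also checks the RP ID), and the origins, password and OTP value are constructed. The point it demonstrates is that the browser, not the page, writes the origin into the signed client data, so an assertion produced on the lookalike site fails verification at the real identity provider, whereas a password and OTP relayed through the same proxy yield a replayable session cookie.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"   # constructed: the real identity provider
PHISH_ORIGIN = "https://login-example.com"   # constructed: lookalike served by the AiTM proxy


class Authenticator:
    """Stand-in for a passkey or security key. HMAC with a per-credential secret
    replaces the real public-key signature (simplification). The browser supplies
    the origin; the authenticator signs the hash of the resulting client data."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def get_assertion(self, challenge, origin):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        sig = hmac.new(self.secret, hashlib.sha256(client_data).digest(), "sha256").digest()
        return {"client_data": client_data, "signature": sig}


class IdentityProvider:
    """Minimal relying party with a legacy password+OTP path and a passkey path."""

    def __init__(self, origin, authenticator):
        self.origin = origin
        self.cred_secret = authenticator.secret  # registered credential (simplified)
        self.password = "correct horse"          # constructed
        self.pending = set()
        self.sessions = set()

    def login_with_otp(self, password, otp):
        """Password + one-time code: both are relayable, and the result is a bearer cookie."""
        if password == self.password and otp == "123456":  # constructed OTP check
            cookie = secrets.token_hex(16)
            self.sessions.add(cookie)
            return cookie
        return None

    def is_valid_session(self, cookie):
        return cookie in self.sessions

    def challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify_assertion(self, assertion):
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # origin mismatch: the assertion was made on another site
        if cd.get("challenge") not in self.pending:
            return False  # unknown or already-consumed challenge
        expected = hmac.new(self.cred_secret,
                            hashlib.sha256(assertion["client_data"]).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.pending.discard(cd["challenge"])
        return True


def aitm_against_otp(idp):
    """Victim types password and OTP into the proxy page; the proxy forwards them
    to the real IdP and keeps the cookie, which the attacker then replays."""
    cookie = idp.login_with_otp("correct horse", "123456")
    return cookie is not None and idp.is_valid_session(cookie)


def aitm_against_passkey(idp, key):
    """The proxy fetches a real challenge and hands it to the victim's browser, but the
    browser is on PHISH_ORIGIN and records that origin in the signed client data."""
    challenge = idp.challenge()
    assertion = key.get_assertion(challenge, PHISH_ORIGIN)
    return idp.verify_assertion(assertion)  # relayed unchanged by the proxy


def legit_passkey_login(idp, key):
    return idp.verify_assertion(key.get_assertion(idp.challenge(), LEGIT_ORIGIN))


def build():
    key = Authenticator()
    return IdentityProvider(LEGIT_ORIGIN, key), key


if __name__ == "__main__":
    idp, key = build()
    print("OTP login relayed through proxy, cookie replayed:", aitm_against_otp(idp))
    print("Passkey assertion relayed through proxy:", aitm_against_passkey(idp, key))
    print("Passkey login on the real origin:", legit_passkey_login(idp, key))
```

The proxy in the passkey scenario relays every byte faithfully and still fails, which is the property that makes the method phishing-resistant: there is no code for the victim to type and nothing for the proxy to capture that is valid anywhere but the origin it was signed for. The cookie in the first scenario remains the weak point after any login method, which is why session revocation belongs alongside the authentication upgrade.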
