TLDR
- A coordinated effort between Coinbase, Microsoft, and Europol successfully dismantled Tycoon 2FA, a leading phishing-as-a-service operation
- By mid-2025, Tycoon 2FA was responsible for 62% of phishing attempts intercepted by Microsoft, generating 30 million malicious emails monthly
- The service circumvented multi-factor authentication by capturing session cookies and authentication tokens
- Coinbase utilized blockchain forensics to track cryptocurrency payments, helping authorities identify key operators and customers
- While phishing losses decreased 83% in 2025, cybercriminals continue developing more sophisticated attack methods
In a landmark cybersecurity operation, a collaborative team of technology giants and international law enforcement successfully neutralized one of the largest phishing operations globally. The joint effort between Coinbase, Microsoft, and Europol resulted in the shutdown of Tycoon 2FA’s primary infrastructure, announced Wednesday.
Operating on a phishing-as-a-service business model, Tycoon 2FA sold subscription packages that enabled cybercriminals to harvest login credentials and circumvent multi-factor authentication safeguards.
The criminal enterprise had been operational since at least 2023. Data from Microsoft indicates that by the middle of 2025, Tycoon 2FA was behind 62% of all phishing attacks the company successfully blocked.
During peak operations, the platform distributed tens of millions of fraudulent emails monthly. The service enabled unauthorized infiltration of approximately 100,000 organizations across the globe, affecting sectors including education, healthcare, and government services.
Microsoft successfully blocked 330 internet domains associated with the operation. Additional critical infrastructure components were confiscated by law enforcement agencies during the coordinated takedown.
How the Platform Bypassed Multi-Factor Authentication
The Tycoon toolkit featured convincingly replicated landing pages that mimicked authentic login portals. When victims entered their credentials, they unknowingly transmitted their session cookies and authentication tokens to the attackers.
Session tokens serve as verification that authentication has been completed. When cybercriminals obtain these tokens, they gain account access without encountering additional MFA challenges.
“That combination — high-fidelity lures plus session-token theft — turns phishing into a reliable on-ramp for bigger crimes like account takeovers, business email compromise, invoice fraud,” Coinbase said.
By removing technical obstacles, Tycoon enabled even less-skilled criminals to execute advanced phishing campaigns. The impact spanned multiple sectors from medical facilities to educational institutions, leading to compromised data, fraudulent financial transfers, and interruptions in critical services like patient treatment.
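Because a stolen session token is accepted without a fresh MFA challenge, one defensive check is to flag any token presented from a client context different from the one it was issued to. The sketch below is an added example, not code from Microsoft, Coinbase or the article; the event fields, session ids and log lines are constructed, and the /24 network plus user-agent comparison is an assumed heuristic that will alert on legitimate network changes and miss a replay from the same network.

```python
import ipaddress
from collections import namedtuple

# Hypothetical event shape; kind is "issued" (token minted after MFA)
# or "used" (token presented on a later request).
Event = namedtuple("Event", "ts kind session_id user ip user_agent")

def client_context(ev, prefix=24):
    """Coarse fingerprint of the client: IPv4 network prefix plus user agent."""
    net = ipaddress.ip_network(f"{ev.ip}/{prefix}", strict=False)
    return (str(net), ev.user_agent)

def find_replayed_sessions(events):
    """Alert once per (session, context) when a token is presented from a
    context other than the one it was issued to, or was never issued here."""
    issued, seen, alerts = {}, set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "issued":
            issued[ev.session_id] = client_context(ev)
            continue
        ctx = client_context(ev)
        origin = issued.get(ev.session_id)
        if origin == ctx:
            continue  # same network and browser as at sign-in
        reason = "unknown token" if origin is None else "context changed"
        if (ev.session_id, ctx) not in seen:
            seen.add((ev.session_id, ctx))
            alerts.append({"session_id": ev.session_id, "user": ev.user,
                           "ip": ev.ip, "reason": reason})
    return alerts

# Constructed sample events (documentation IP ranges, made-up session ids).
SAMPLE_EVENTS = [
    Event("2025-06-01T09:00:00Z", "issued", "s-1", "alice", "192.0.2.10", "Firefox/128"),
    Event("2025-06-01T09:05:00Z", "used", "s-1", "alice", "192.0.2.44", "Firefox/128"),
    Event("2025-06-01T09:10:00Z", "issued", "s-2", "bob", "198.51.100.7", "Chrome/126"),
    Event("2025-06-01T09:12:00Z", "used", "s-2", "bob", "198.51.100.7", "Chrome/126"),
    Event("2025-06-01T09:20:00Z", "used", "s-2", "bob", "203.0.113.99", "python-requests/2.32"),
    Event("2025-06-01T09:21:00Z", "used", "s-2", "bob", "203.0.113.99", "python-requests/2.32"),
    Event("2025-06-01T09:30:00Z", "used", "s-9", "carol", "203.0.113.5", "Chrome/126"),
]

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print(alert)
```

An alert from a check like this is a reason to revoke the session and force re-authentication, since resetting the password alone leaves the stolen token valid.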
Coinbase’s Role in Tracing Crypto Transactions
Coinbase contributed crucial intelligence by analyzing blockchain transactions that financed the platform’s operations. This cryptocurrency paper trail provided law enforcement with the evidence needed to identify the suspected platform administrator and multiple customers.
“Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and forces criminals to rebuild, retool, and take on more risk,” Coinbase said.
The cryptocurrency exchange confirmed it continues working to identify additional individuals who acquired Tycoon’s services and remains committed to supporting ongoing investigations.
According to blockchain security company CertiK, phishing ranked as the second most significant threat facing cryptocurrency users in 2025, resulting in $722 million in losses across 248 separate incidents.
Although total phishing-related losses declined 83% in 2025 versus the previous year, threat actors have evolved their methodologies, incorporating sophisticated exploits involving EIP-7702 and Permit2 signature-based attack vectors.
A representative from blockchain security company PeckShield informed Cointelegraph that phishing continues to represent a “persistent threat” heading into 2026.


