Coinbase, Microsoft and Europol take down the Tycoon 2FA phishing network

Crypto exchange Coinbase has teamed up with Microsoft and Europol to take down a phishing platform called Tycoon 2FA service.

In an announcement Wednesday, Coinbase said it helped track blockchain-based transactions linked to the platform, and as a result, law enforcement was able to identify the alleged mastermind behind the phishing operation and some of its customers.

According to Europol, Tycoon 2FA sold a subscription-based tool that helped bad actors intercept live authentication sessions and gain unauthorized access to online accounts, including those protected by additional layers of security.

Coinbase said that by using the Tycoon phishing tool, cybercriminals were able to capture session cookies from authenticated users and therefore gain access to accounts without pressing authentication requests.

“We are actively working to identify the purchasers of Tycoon and will continue to support law enforcement efforts to target victims of people who purchased and used the service,” he said.

The platform has been active since at least 2023, and by mid-2025, Tycoon 2FA accounted for about 62% of all phishing attacks blocked by Microsoft, Europol said.

“At scale, the platform generated tens of millions of phishing emails every month and facilitated unauthorized access to nearly 100,000 organizations worldwide, including schools, hospitals and government agencies,” he added.

As previously reported by crypto.news, losses from phishing attacks have decreased by 83% in 2025 compared to the previous year. However, attackers continued to use advanced techniques, including EIP-7702-related exploits, Authorization and Authorization2 signatures, and delivery-based attacks.

A separate report from blockchain security firm CertiK noted that phishing attacks will remain the third costliest attack vector in 2025.