A coalition of tech companies and law enforcement agencies, including Coinbase, took down the core infrastructure of Tycoon 2FA, a large phishing-as-a-service platform that offered tools to bypass multi-factor authentication.
Europol announced on Wednesday that Microsoft had helped shut down 330 domains linked to the platform, while law enforcement authorities had seized additional key infrastructure.
Financial tracking was also an important aspect. Coinbase said it helped identify the administrator and potential buyers of the phishing platform by tracking transactions related to the blockchain that funds Tycoon 2FA.
“Taking Tycoon’s core infrastructure offline cuts off a key pipeline for credential theft and primary access, forcing criminals to rebuild, retool, and take on more risk,” Coinbase said.
Phishing scams were listed as the second biggest threat in 2025 by blockchain security firm Certik, costing crypto investors $722 million in 248 incidents. A PeckShield spokesperson told Cointelegraph on Monday that phishing remains a “constant threat” in 2026.
Tycoon tools are used to bypass multi-factor authentication
The Tycoon Toolkit contains phishing landing pages designed to steal user information on legitimate websites. According to Coinbase, it also recorded cookies and session tokens, which allowed attackers to bypass MFA protections.
Generally, when a user logs in using MFA, the system generates a session token. The token acts as proof of authentication and is stored in the user’s browser. If a hacker steals the token, they can use it to cheat the system and remove the MFA.
“This combination of sophisticated phishing and session token theft makes phishing a reliable way to commit larger crimes such as account takeovers, email compromises, invoice fraud, and subsequent social engineering,” Coinbase added.
One of the biggest fraud platforms in the world
According to Steven Masada, Assistant General Counsel of Microsoft’s Digital Crimes Unit, the mogul has been active since at least 2023. By mid-2025, Tycoon accounted for 62% of phishing attempts blocked by Microsoft, including more than 30 million emails per month.
related to: Traveling? ‘Evil Twin’ WiFi networks can steal cryptographic passwords
“This placed Tycoon 2FA among the largest phishing operations worldwide,” he said. “By lowering the technical barrier to entry, it allowed criminals with limited experience to launch sophisticated fraud campaigns.”
Industries from healthcare to education have fallen victim to Tycoon 2FA, resulting in altered invoices, stolen sensitive data, blocked networks and disrupted patient care, Masada said.
“Taking this infrastructure offline shuts down a huge pipeline for accounts receivable and helps protect people and organizations from further attacks like data theft, ransomware, email compromise and financial fraud.”
Magazine: Would Bitcoin Really Be $200K If Not For Jane Street? Trade secret
