Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform

Europol and private sector partners including Microsoft, Cloudflare, Trend Micro, and Proofpoint have disrupted Tycoon 2FA, one of the world's largest phishing-as-a-service platforms. By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts Microsoft blocked, with over 30 million emails in a single month and an estimated 96,000 victims since its 2023 launch. The platform's key capability was an adversary-in-the-middle (AitM) technique that proxied real Microsoft 365 and Google login pages to intercept live session tokens, effectively bypassing SMS codes, authenticator apps, and push notifications. Microsoft seized 330 domains, while law enforcement conducted operations across six European countries. Security vendors are urging organizations to adopt phishing-resistant MFA such as FIDO2 hardware keys or passkeys, as similar platforms like VoidProxy and Starkiller use comparable session-hijacking techniques and Tycoon 2FA operators may attempt to rebuild.