Tycoon 2FA, one of the prominent phishing-as-a-service (PhaaS) toolkits that allowed cybercriminals to stage adversary-in-the-middle (AitM) credential harvesting attacks at scale, was dismantled by a coalition of law enforcement agencies and security companies.
The subscription-based phishing kit, which first emerged in August 2023, was described by Europol as one of the largest phishing operations worldwide. The kit was available for a starting price of $120 for 10 days or $350 for access to a web-based administration panel for a month.
The panel serves as a hub for configuring, tracking, and refining campaigns. It features pre‑built templates, attachment files for common lure formats, domain and hosting configuration, redirect logic, and victim tracking. Operators can also configure how the malicious content is delivered through attachments, as well as keep tabs on valid and invalid sign-in attempts.
The captured information, such as credentials, multi-factor authentication (MFA) codes, and session cookies, can be downloaded directly within the panel or forwarded to Telegram for near‑real‑time monitoring.
“It enabled thousands of cybercriminals to covertly access email and cloud-based service accounts,” Europol said. “At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions.”
As part of the coordinated effort, 330 domains that formed the backbone of the criminal service, including phishing pages and control panels, have been taken down.
Characterizing Tycoon 2FA as “dangerous,” Intel 471 said the kit was linked to over 64,000 phishing incidents and tens of thousands of domains, generating tens of millions of phishing emails each month. According to Microsoft, which is tracking the operators of the service under the name Storm-1747, Tycoon 2FA became the most prolific platform observed by the company in 2025, blocking more than 13 million malicious emails linked to the crimeware service.
 |
| Tycoon 2FA Evolution Timeline (Source: Point Wild) |
Data from Proofpoint shows that Tycoon 2FA accounted for the highest volume AiTM phishing threats. The email security company said it observed over three million messages associated with the phishing kit in February 2026 alone. Trend Micro, which was one of the private sector partners in the operation, noted that the PhaaS platform had approximately 2,000 users.
Campaigns leveraging Tycoon 2FA have indiscriminately targeted almost all sectors, including education, healthcare, finance, non-profit, and government. Phishing emails sent from the kit reached over 500,000 organizations each month worldwide.
“Tycoon 2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail,” Microsoft said.
“It also allowed threat actors using its service to establish persistence and to access sensitive information even after passwords are reset, unless active sessions and tokens were explicitly revoked. This worked by intercepting session cookies generated during the authentication process, simultaneously capturing user credentials. The MFA codes were subsequently relayed through Tycoon 2FA’s proxy servers to the authenticating service.”
The kit also employed techniques like keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages to sidestep detection efforts. Another key aspect is the use of a broader mix of top-level domains (TLDs) and short-lived fully qualified domain names (FQDNs) to host the phishing infrastructure on Cloudflare.
The FQDNs often only last for 24 to 72 hours, with the rapid turnover a deliberate effort to complicate detection and prevent building reliable blocklists. Microsoft also attributed Tycoon 2FA’s success to closely mimicking legitimate authentication processes to stealthily intercept user credentials and session tokens.
To make matters worse, Tycoon 2FA customers leveraged a technique called ATO Jumping, whereby a compromised email account is used to distribute Tycoon 2FA URLs and attempt further account takeover activities. “Using this technique enables emails to look like they are authentically coming from a victim’s trusted contact, increasing the likelihood of a successful compromise,” Proofpoint noted.
Phishing kits like Tycoon are designed to be flexible so that it’s accessible to less technically savvy actors while still offering advanced capabilities for more experienced operators.
“In 2025, 99% of organizations experienced account takeover attempts in 2025, and 67% experienced a successful account takeover,” Selena Larson, staff threat researcher at Proofpoint, said in a statement shared with The Hacker News. “Of these, 59% of the taken-over accounts had MFA enabled. While not all of these attacks were related to Tycoon MFA, this shows the impact of AiTM phishing on enterprises.”
“These cyberattacks that enable full account takeovers can lead to disastrous impacts, including ransomware or the loss of sensitive data. As threat actors continue to prioritize identity, gaining access to enterprise email accounts is often the first step in an attack chain that can have destructive consequences.”
