A coordinated international operation led by Microsoft, Europol, and industry partners has dismantled the core infrastructure of Tycoon 2FA, a prolific phishing-as-a-service operation responsible for a massive wave of credential and MFA code theft since at least 2023.

The comprehensive effort, which involved seizing 330 active domains, cuts off a critical pipeline for account takeovers that targeted over 500,000 organizations and sent tens of millions of fraudulent emails monthly.

Disruption of a Global Threat

Tycoon 2FA was a highly effective service used by thousands of cybercriminals to compromise accounts across major platforms, including Microsoft 365, Outlook, and Gmail. Unlike traditional phishing kits, this platform was specifically engineered to capture session tokens and credentials in real time, effectively bypassing additional security layers like MFA. This allowed attackers to log in as legitimate users without triggering alerts, making it a powerful tool for sophisticated impersonation campaigns.
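The observable a defender is left with after the real-time capture described above is a session token that was minted when a user satisfied MFA and is then presented from somewhere else. The following is an added example, not code from the article or from Microsoft, of the correlation a detection engineer would run over sign-in telemetry: it pairs each MFA-satisfied sign-in with later uses of the same session and flags any use from a different client IP or user agent inside a time window. The log format, field names, session identifiers and sample values are all constructed for the example; real identity-provider logs carry the same signals under their own schemas.

```python
"""Toy adversary-in-the-middle session-replay detector.

Added example (not the article's or Microsoft's code). The log lines and
field layout below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str      # hypothetical identifier tying a sign-in to its session cookie
    ip: str
    user_agent: str
    mfa_satisfied: bool  # True when this event is the one that completed MFA


# Constructed sample log: ts,user,session_id,client_ip,user_agent,mfa flag.
# Alice completes MFA from her browser; 40 seconds later the same session is
# used from another address with a scripted client (the replay pattern).
# Bob's session is reused later from the same browser and address (benign).
SAMPLE_LOG = [
    "2025-06-01T09:00:00Z,alice@example.com,sess-1,203.0.113.10,Mozilla/5.0 (Windows) Edge/125,mfa=true",
    "2025-06-01T09:00:40Z,alice@example.com,sess-1,198.51.100.7,python-requests/2.31,mfa=false",
    "2025-06-01T10:15:00Z,bob@example.com,sess-2,203.0.113.22,Mozilla/5.0 (Macintosh) Safari/17,mfa=true",
    "2025-06-01T11:00:00Z,bob@example.com,sess-2,203.0.113.22,Mozilla/5.0 (Macintosh) Safari/17,mfa=false",
]


def parse_line(line: str) -> SignInEvent:
    """Parse one constructed log line into a SignInEvent."""
    ts, user, sid, ip, ua, mfa = line.split(",")
    # fromisoformat on older interpreters does not accept a trailing 'Z'.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return SignInEvent(when, user, sid, ip, ua, mfa == "mfa=true")


def load_sample() -> List[SignInEvent]:
    return [parse_line(line) for line in SAMPLE_LOG]


def find_replayed_sessions(events: List[SignInEvent],
                           window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Flag session uses whose client differs from the client that passed MFA.

    Severity is 'high' when both IP and user agent differ (a stolen cookie
    replayed from tooling) and 'medium' when only one differs (could be a
    legitimate network change, still worth a look).
    """
    anchors: Dict[str, SignInEvent] = {}  # session_id -> MFA-satisfying event
    findings: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.mfa_satisfied:
            anchors[ev.session_id] = ev
            continue
        anchor = anchors.get(ev.session_id)
        if anchor is None or ev.ts - anchor.ts > window:
            continue  # no MFA anchor in scope for this session
        ip_changed = ev.ip != anchor.ip
        ua_changed = ev.user_agent != anchor.user_agent
        if not (ip_changed or ua_changed):
            continue
        findings.append({
            "user": ev.user,
            "session_id": ev.session_id,
            "mfa_ip": anchor.ip,
            "replay_ip": ev.ip,
            "seconds_after_mfa": int((ev.ts - anchor.ts).total_seconds()),
            "severity": "high" if (ip_changed and ua_changed) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(load_sample()):
        print(f)
```

Running the block prints one finding: Alice's session, marked high severity because both the address and the client changed 40 seconds after MFA; Bob's later sign-in is not reported. A client IP change on its own is a weak signal (mobile networks and VPN reconnects produce it routinely), which is why the user-agent mismatch is weighted higher, and why a production version would add country or ASN lookup and the tenant's own allow-lists before paging anyone.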

The operation was of immense scale, accounting for an estimated 62% of all phishing attempts blocked by Microsoft by mid-2025, including more than 30 million emails in a single month. It is linked to approximately 96,000 distinct phishing victims worldwide since 2023, with over 55,000 being Microsoft customers. Healthcare and education were hardest hit, with multiple hospitals, schools, and universities in New York alone facing attempted or successful compromises that led to disrupted operations and delayed patient care.

Coordinated International Action

The disruption was executed under a court order from the U.S. District Court for the Southern District of New York. For the first time, the action was coordinated with Europol’s Cyber Intelligence Extension Programme, a framework designed to accelerate cross-border collaboration between public- and private-sector entities.

Through this coordinated effort, Microsoft was able to seize the 330 active domains powering Tycoon 2FA’s infrastructure, including the control panels and fraudulent login pages. This move immediately cut off a major source of initial access for a variety of follow-on attacks, including ransomware, data theft, and business email compromise (BEC).

Microsoft has targeted many other pieces of cybercrime infrastructure in recent years, including its disruption of the RedVDS platform in January.

Identity: The New Primary Target

The success and danger of Tycoon 2FA highlight a broader and accelerating trend in the cybercrime landscape: identity, not infrastructure, has become the primary target. Tycoon 2FA lowered the technical barrier to entry for criminals by combining realistic phishing templates and real-time credential capture into an easy-to-use package. Once an account was compromised, attackers could operate with the same level of trust as a legitimate user, moving laterally across systems and abusing sign-on connections without raising alarms.

Tycoon 2FA itself operated like a business within the “impersonation-for-hire” economy, with a developer (believed to be Saad Fridi, based in Pakistan) working alongside partners for marketing and technical support. This ecosystem is highly interdependent: Tycoon 2FA often worked in concert with other illicit services, such as RedVDS, a virtual computer provider that Microsoft previously disrupted in January 2026.

“As pressure increased, many operators tightened access controls, retreated into closed channels, or shut down entirely to avoid legal action. In Tycoon 2FA’s case, Microsoft could not purchase access to the service; the operator rejected attempts by our investigators, requiring a trusted intermediary. In fact, Tycoon 2FA’s operator and the now-arrested developer of RaccoonO365 communicated with one another, highlighting the ecosystem’s interdependence and how disruptions in one area influence activity elsewhere,” the Microsoft analysis says.

This sustained pressure from law enforcement and industry partners has been shown to reshape the market, preventing any single service from remaining dominant and steadily raising the cost and risk of cybercrime. Previous disruption operations targeting services like Lumma Stealer and RaccoonO365 have led to arrests, infrastructure loss, and forced many operators to retreat or shut down entirely.