A coordinated effort by Microsoft, Europol, and industry partners has successfully disrupted Tycoon 2FA, a large-scale phishing service responsible for tens of millions of fraudulent emails reaching more than 500,000 organizations worldwide each month. The service, active since at least 2023, enabled cybercriminals to impersonate legitimate users and gain unauthorized access to email and online accounts, including Microsoft 365, Outlook, and Gmail. Unlike traditional phishing kits, Tycoon 2FA was designed to bypass additional security protections such as multifactor authentication, allowing attackers to operate on compromised accounts without triggering alerts or detection mechanisms.
Tycoon 2FA’s infrastructure was taken offline following a court order issued by the U.S. District Court for the Southern District of New York, in coordination with Europol’s Cyber Intelligence Extension Programme (CIEP). The operation seized 330 active domains that hosted control panels, fraudulent login pages, and other essential infrastructure components. By removing these domains, investigators cut off a major pipeline for account takeovers and reduced the potential for follow‑on attacks such as data theft, ransomware deployment, business email compromise, and financial fraud. Europol’s CIEP framework enabled public and private sector partners to collaborate across borders, accelerating the disruption and limiting further harm.
Analysis from Microsoft Threat Intelligence shows that Tycoon 2FA accounted for approximately 62 percent of all phishing attempts blocked by Microsoft by mid‑2025, including over 30 million emails in a single month. The service affected an estimated 96,000 distinct victims worldwide since 2023, including more than 55,000 Microsoft customers. Healthcare and education organizations were disproportionately impacted, with members of Health‑ISAC and institutions in New York experiencing attempts or successful compromises. The attacks disrupted operations, diverted resources, and in some cases delayed patient care or administrative functions.
Tycoon 2FA operated as a sophisticated, easy-to-use phishing‑as‑a‑service platform, combining realistic phishing templates, landing pages, and real‑time capture of credentials and session tokens. The primary developer, Saad Fridi, believed to be based in Pakistan, worked with partners responsible for marketing, payments, and technical support. Criminal operators often paired Tycoon 2FA with complementary services such as RedVDS, which provided inexpensive virtual machines for campaign execution. This interconnected ecosystem allowed cybercriminals to scale impersonation attacks rapidly and maintain access across compromised systems. Disruptions to one component, such as Tycoon 2FA, produced cascading effects across the broader cybercrime economy, increasing operational risks for attackers.
The investigation involved multiple partners providing telemetry, threat intelligence, and operational support. Industry collaborators including Proofpoint, Intel 471, and eSentire contributed visibility into attacks, while Cloudflare assisted in removing infrastructure outside the U.S., and the Shadowserver Foundation coordinated notifications to over 200 computer emergency response teams, limiting additional impact. Agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom also executed operational measures to seize infrastructure. Microsoft noted that no single organization could have achieved this outcome alone, emphasizing the need for sustained, global coordination against identity‑based cybercrime.
The Tycoon 2FA disruption illustrates a broader shift in cybercrime where identity, rather than infrastructure, is the primary target. A single compromised account can expose banking, healthcare, workplace, and social media systems. By applying cross‑sector enforcement, intelligence sharing, and infrastructure disruption, global partners have made it more difficult for attackers to sustain large‑scale impersonation campaigns. Microsoft continues to apply lessons from this and prior operations to fragment the impersonation ecosystem, raise costs for cybercriminals, and limit opportunities for mass exploitation.