Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html
Publish Date: 2026-03-05 01:51:00
Source Domain: thehackernews.com
Tycoon 2FA, one of the prominent phishing-as-a-service (PhaaS) toolkits that allowed cybercriminals to stage adversary-in-the-middle (AitM) credential harvesting attacks at scale, was dismantled by a coalition of law enforcement agencies and security companies.
The subscription-based phishing kit, which first emerged in August 2023, was described by Europol as one of the largest phishing operations worldwide. The kit was sold via Telegram and Signal for a starting price of $120 for 10 days or $350 for access to a web-based administration panel for a month. Tycoon 2FA’s primary developer is alleged to be Saad Fridi, who is said to be based in Pakistan.
The panel serves as a hub for configuring, tracking, and refining campaigns. It features pre‑built templates, attachment files for common lure formats, domain and hosting configuration, redirect logic, and victim tracking. Operators can also configure how the malicious content is delivered through attachments, as well as keep tabs on valid and invalid sign-in attempts.
The captured information, such as credentials, multi-factor authentication (MFA) codes, and session cookies, can be downloaded directly within the panel or forwarded to Telegram for near‑real‑time monitoring.
“It enabled thousands of cybercriminals to covertly access email and cloud-based service accounts,” Europol said. “At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions.”
As part of the coordinated effort, 330 domains that formed the backbone of the criminal service, including phishing pages and control panels, have been taken down.
Characterizing Tycoon 2FA as “dangerous,” Intel 471 said the kit was linked to over 64,000 phishing incidents and tens of thousands of domains, generating tens of millions of phishing emails each month. According to Microsoft, which is tracking the…
