Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Platform Linked to Thousands of Attacks

05.03.2026 2 minutes Author: Newsman

An international coalition of law enforcement agencies and cybersecurity companies has dismantled Tycoon 2FA, a large phishing-as-a-service (PhaaS) platform used to launch adversary-in-the-middle (AiTM) credential-harvesting attacks. The toolkit has been linked to more than 64,000 phishing incidents targeting online accounts worldwide.

Tycoon 2FA operated as a subscription-based cybercrime service that enabled threat actors to conduct large-scale phishing campaigns targeting cloud and email accounts.

The toolkit first appeared in August 2023 and quickly became one of the most widely used phishing platforms. Access to its web-based management panel cost approximately $120 for 10 days or $350 per month.

The administrative panel allowed operators to:

  • configure phishing campaigns

  • manage domains and hosting

  • track victims and authentication attempts

  • analyze successful and failed login attempts

Captured data, including user credentials, MFA codes, and session cookies, could be downloaded directly from the panel or forwarded to Telegram for real-time monitoring. According to Europol, the platform enabled thousands of cybercriminals to launch phishing campaigns generating tens of millions of emails every month.

“It enabled thousands of cybercriminals to covertly access email and cloud-based service accounts.”

Microsoft, which tracks the operators as the threat group Storm-1747, stated that Tycoon 2FA became one of the most prolific phishing platforms observed in 2025.

The company reported blocking more than 13 million malicious emails connected to the phishing service.

Campaigns frequently impersonated login pages of widely used services such as:

  • Microsoft 365

  • Outlook

  • SharePoint

  • OneDrive

  • Gmail

The AiTM technique allowed attackers to intercept session cookies, enabling account access even after passwords were reset.

As part of the coordinated crackdown, authorities seized 330 domains used to host phishing pages and command panels connected to Tycoon 2FA.

The case highlights the growing threat of phishing-as-a-service platforms, which lower the barrier to entry for cybercriminals and allow large-scale credential-harvesting attacks against organizations worldwide. Security researchers warn that stolen accounts often serve as the initial access point for broader cyberattacks, including ransomware deployment and data breaches.
