Microsoft Seizes 330 Domains Behind Millions of MFA-Bypass Phishing Attacks

Law enforcement and industry partners seize infrastructure tied to one of the most prolific MFA-bypass phishing kits targeting Microsoft 365, Gmail accounts.

Published on Mar 5, 2026
Microsoft Seizes Phishing Domains

A coordinated international operation has disrupted Tycoon 2FA, a phishing-as-a-service (PhaaS) platform widely deployed to bypass multifactor authentication (MFA) and take over corporate accounts.

On Mar. 4, 2026, Microsoft announced it had seized 330 domains linked to the Tycoon 2FA infrastructure and filed a lawsuit in the US Southern District of New York against alleged creator Saad Fridi and unnamed associates. The action was conducted alongside public and private partners including Europol, Proofpoint, Cloudflare, Coinbase, Health-ISAC and The Shadowserver Foundation, among others.

Authorities in several European countries, including the UK, Spain, Poland, Portugal, Latvia, and Lithuania, also seized infrastructure tied to the phishing service as part of the joint investigation.

Tycoon 2FA has been one of the most active adversary-in-the-middle (AiTM) phishing platforms tracked by security researchers. The toolkit intercepts login credentials as well as authentication cookies, enabling attackers to bypass MFA protections and gain full access to targeted accounts.

According to a new advisory by Proofpoint, the platform has been responsible for some of the largest AiTM phishing campaigns observed in recent years. In February 2026 alone, researchers identified more than three million phishing messages linked to Tycoon 2FA infrastructure.

AiTM Phishing Kits Enable Large-Scale Account Takeovers

Unlike traditional phishing pages that simply capture usernames and passwords, AiTM phishing kits operate as a proxy between victims and legitimate services. When a user logs in, the phishing server forwards the credentials to the real service and captures the session cookies the service issues in response.

Attackers can then reuse those cookies to access accounts without triggering MFA checks, effectively hijacking authenticated sessions.
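A defender-side illustration of the cookie-replay step described above, added here as an example rather than code from Microsoft, Proofpoint or the article: it scans a constructed sign-in log for a session that completed MFA from one IP address and was then used non-interactively from a different one shortly after. The log fields, session ids and addresses are assumptions.

```python
# Added example (not from the article). Assumption: a sign-in log where each
# record carries a session id, source IP, user agent, timestamp and whether MFA
# was satisfied. In an AiTM flow the victim's MFA-completed login arrives via the
# proxy, and the stolen cookie is then replayed from the attacker's own
# infrastructure, so one session id shows up from two sources in a short window.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    mfa_satisfied: bool


# Constructed sample log (not real data). Session "s-7f3a" is established with
# MFA from 203.0.113.10 and reused minutes later from 198.51.100.7 with another
# client: the replay pattern. Session "s-11c0" is benign reuse from one host.
SAMPLE_LOG = [
    SignIn(datetime(2026, 3, 4, 9, 0), "alice@example.org", "s-7f3a", "203.0.113.10", "Chrome/122", True),
    SignIn(datetime(2026, 3, 4, 9, 6), "alice@example.org", "s-7f3a", "198.51.100.7", "Firefox/121", False),
    SignIn(datetime(2026, 3, 4, 9, 1), "bob@example.org", "s-11c0", "192.0.2.44", "Edge/122", True),
    SignIn(datetime(2026, 3, 4, 9, 30), "bob@example.org", "s-11c0", "192.0.2.44", "Edge/122", False),
]


def find_replayed_sessions(log, window=timedelta(hours=1)):
    """Return {session_id: (user, origin_ip, replay_ip, replay_user_agent)} for
    sessions whose MFA-satisfied sign-in is followed within `window` by a use
    from a different IP. Reuse from a new network location right after the MFA
    sign-in is the signature of a stolen, replayed session cookie."""
    by_session = {}
    for rec in sorted(log, key=lambda r: r.ts):
        by_session.setdefault(rec.session_id, []).append(rec)
    flagged = {}
    for sid, recs in by_session.items():
        origin = next((r for r in recs if r.mfa_satisfied), None)
        if origin is None:
            continue  # no MFA anchor for this session; nothing to compare against
        for later in recs:
            if later.ts <= origin.ts or later.ts - origin.ts > window:
                continue
            if later.ip != origin.ip:
                flagged[sid] = (origin.user, origin.ip, later.ip, later.user_agent)
                break
    return flagged
```

Binding the session to the device (token protection) removes the replay step outright; a check like this is for environments where that is not yet enforced.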

This technique has been increasingly observed by cybersecurity firms in account takeover campaigns targeting cloud platforms such as Microsoft 365 and Gmail. Microsoft recently said Tycoon 2FA activity has enabled cybercriminals to take over accounts across nearly 100,000 organizations, including schools, nonprofits, government agencies and hospitals.

According to Proofpoint research, 99% of organizations reported account takeover (ATO) attempts in 2025, while 67% reported at least one successful compromise. Notably, 59% of those compromised accounts had MFA enabled.

Security experts expect the disruption to significantly impact the platform’s operators and customers, though they warn that similar phishing kits continue to circulate across cybercrime forums.