Coinbase, Microsoft, and Europol have spearheaded a coordinated international operation to dismantle the core infrastructure of Tycoon 2FA, a massive phishing-as-a-service platform. The action, announced on Wednesday, involved ten other partners and resulted in the seizure of key domains and the identification of the platform's primary developer.
According to Microsoft, the operation, executed under a U.S. District Court order, led to the blocking of 330 active domains that powered Tycoon 2FA's control panels. The platform, operational since August 2023, had grown to serve up to 2,000 users and operated over 24,000 domains. It was responsible for tens of millions of fraudulent emails targeting more than 500,000 organizations globally each month.
Coinbase played a crucial role in the financial investigation, tracing cryptocurrency payments that funded the platform's operations. This tracing assisted in identifying the alleged administrator, Saad Fridi, based in Pakistan, and supported the civil action to seize the domains. Efforts to pursue the individuals who purchased and used the Tycoon service are ongoing with law enforcement.
The Tycoon 2FA toolkit was specifically designed to bypass multi-factor authentication (MFA) by capturing session cookies and tokens, allowing attackers to gain access to user accounts without triggering new authentication prompts. "This was not a single phishing campaign. It was an industrialized service built to make MFA bypass accessible to thousands of criminals," said Robert McArdle, Director for Cybercrime Research at TrendAI™.
The takedown addresses a significant threat vector. By mid-2025, Tycoon accounted for 62% of phishing attempts blocked by Microsoft, including over 30 million emails in a single month. The platform's low barrier to entry enabled technically unsophisticated criminals to execute sophisticated attacks, impacting industries from healthcare to education.
This action comes amid ongoing concerns over crypto-related phishing. While Scam Sniffer reported that crypto phishing losses declined to $83.85 million in 2025 (an 83% drop from 2024), blockchain security firm CertiK flagged phishing as the second-largest threat in 2025, costing investors $722 million across 248 incidents. Security experts warn that the modular, service-based approach exemplified by Tycoon 2FA remains a persistent and evolving threat to the ecosystem.