
Tycoon 2FA, one of the most prominent phishing-as-a-service (PhaaS) toolkits, which enabled cybercriminals to conduct large-scale adversary-in-the-middle (AiTM) credential harvesting attacks, was dismantled by a coalition of law enforcement agencies and security companies.
First launched in August 2023, this subscription-based phishing kit was described by Europol as one of the world’s largest phishing operations. The kit was available for a starting price of $120 for 10 days or $350 for one month of access to the web-based admin panel.
The panel serves as the operator's hub for configuring, tracking, and adjusting campaigns. It includes pre-built templates, common lure-style attachments, domain and hosting configuration, redirect logic, and victim tracking. Operators can also configure how malicious content is delivered via attachments and monitor valid and invalid sign-in attempts.
The captured information, such as credentials, multi-factor authentication (MFA) codes, and session cookies, can be downloaded directly within the panel or transferred to Telegram for near real-time monitoring.
“This gave thousands of cybercriminals clandestine access to email and cloud-based service accounts,” Europol said. “At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorized access to approximately 100,000 organizations worldwide, including schools, hospitals, and public institutions.”
As part of the coordinated effort, 330 domains that formed the backbone of criminal services, including phishing pages and control panels, were removed.
Intel 471 characterized Tycoon 2FA as “dangerous” and said the kit has been linked to more than 64,000 phishing incidents and tens of thousands of domains, and generates tens of millions of phishing emails each month. According to Microsoft, which tracks the operator of the service under the name Storm-1747, Tycoon 2FA became the most prolific platform it observed in 2025; Microsoft blocked more than 13 million malicious emails linked to crimeware services.
Tycoon 2FA Evolution Timeline (Source: Point Wild)
Proofpoint data shows that Tycoon 2FA accounted for the highest volume of AiTM phishing threats. The email security company announced that it observed more than 3 million messages related to phishing kits in February 2026 alone. Trend Micro, one of the private sector partners in the operation, said the PhaaS platform has about 2,000 users.
Campaigns powered by Tycoon 2FA indiscriminately target nearly every sector, including education, healthcare, finance, nonprofits, and government. Phishing emails sent from this kit reached over 500,000 organizations worldwide each month.

“Tycoon 2FA’s platform enabled attackers to impersonate trusted brands by mimicking sign-in pages for services such as Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail,” Microsoft said.
“It also allowed attackers to use that service to establish persistence and access sensitive information even after passwords were reset, unless active sessions and tokens were explicitly revoked. It worked by intercepting session cookies generated during the authentication process and simultaneously capturing the user’s credentials. The MFA code was then relayed to the authentication service through Tycoon 2FA’s proxy server.”
The kit also utilized techniques such as keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages to evade detection efforts. Another important aspect is the use of a wide mix of top-level domains (TLDs) and short-lived fully qualified domain names (FQDNs) to host its phishing infrastructure on Cloudflare.
FQDNs often last only 24 to 72 hours. Rapid turnover is a deliberate effort to complicate detection and prevent reliable blocklist construction. Microsoft also attributes Tycoon 2FA’s success to closely mimicking the legitimate authentication process to covertly intercept user credentials and session tokens.
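The Microsoft quote above describes the core AiTM mechanic: the victim completes MFA through the kit's proxy, and the resulting session cookie is then used from the attacker's own infrastructure, surviving password resets until sessions are explicitly revoked. The following detection heuristic is an added example written for this article; it is not code from Microsoft, Proofpoint, Europol, or the kit itself. It parses constructed sign-in events (the field names `ts`, `user`, `event`, `session`, `ip`, `asn` and the event types are assumptions, not any vendor's log schema) and flags sessions that completed MFA from one network location and were used from a different one shortly afterwards, then lists the accounts whose sessions should be revoked.

```python
"""Heuristic detection of AiTM session-cookie replay over constructed sign-in logs.

Assumed event model (not a real product schema):
  mfa_success  - a session finished MFA from ip/asn
  session_use  - that session id was later presented from ip/asn
A session presented from a different ASN/IP than the one that completed MFA,
within the window, is treated as a possible replayed (stolen) cookie.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events (documentation IP ranges, fake ASNs). Session S1
# models the AiTM pattern; session S2 is a normal single-location session.
SAMPLE_EVENTS = """\
{"ts":"2026-03-01T09:00:00Z","user":"alice@example.com","event":"mfa_success","session":"S1","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2026-03-01T09:00:05Z","user":"alice@example.com","event":"session_use","session":"S1","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2026-03-01T09:03:00Z","user":"alice@example.com","event":"session_use","session":"S1","ip":"198.51.100.7","asn":"AS64501"}
{"ts":"2026-03-01T10:00:00Z","user":"bob@example.com","event":"mfa_success","session":"S2","ip":"192.0.2.20","asn":"AS64502"}
{"ts":"2026-03-01T10:30:00Z","user":"bob@example.com","event":"session_use","session":"S2","ip":"192.0.2.20","asn":"AS64502"}
"""


def parse_events(text):
    """Parse one JSON object per line; 'ts' becomes a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    # Process in time order so the MFA origin is known before later uses.
    return sorted(events, key=lambda r: r["ts"])


def find_replayed_sessions(events, window=timedelta(hours=24)):
    """Return one finding per (session, new ip) where the session is presented
    from a network location different from the one that completed MFA."""
    mfa_origin = {}   # session id -> the mfa_success event
    reported = set()  # (session, ip) pairs already reported
    findings = []
    for rec in events:
        if rec["event"] == "mfa_success":
            mfa_origin[rec["session"]] = rec
            continue
        if rec["event"] != "session_use":
            continue
        origin = mfa_origin.get(rec["session"])
        if origin is None:
            continue  # no MFA completion seen for this session in the data
        elapsed = rec["ts"] - origin["ts"]
        if elapsed > window:
            continue
        same_network = (rec.get("asn") == origin.get("asn")
                        and rec["ip"] == origin["ip"])
        if same_network:
            continue
        key = (rec["session"], rec["ip"])
        if key in reported:
            continue
        reported.add(key)
        findings.append({
            "user": rec["user"],
            "session": rec["session"],
            "mfa_ip": origin["ip"],
            "mfa_asn": origin.get("asn"),
            "replay_ip": rec["ip"],
            "replay_asn": rec.get("asn"),
            "minutes_after_mfa": int(elapsed.total_seconds() // 60),
        })
    return findings


def accounts_to_revoke(findings):
    """Accounts whose active sessions and tokens should be revoked, deduplicated."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    hits = find_replayed_sessions(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(f"{h['user']}: session {h['session']} completed MFA from "
              f"{h['mfa_ip']} ({h['mfa_asn']}) but was used from "
              f"{h['replay_ip']} ({h['replay_asn']}) {h['minutes_after_mfa']} min later")
    print("revoke sessions for:", accounts_to_revoke(hits))
```

The ASN-plus-IP comparison is deliberately strict; in production the same check would be fed from the identity provider's sign-in and non-interactive sign-in logs, and a change of ASN within minutes of MFA completion is the signal worth alerting on, since a user's own device rarely hops networks that fast. Revocation of all refresh tokens and sessions for the flagged account, not just a password reset, is the mitigation the article's quote calls out.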
To make matters worse, Tycoon 2FA customers utilized a technique known as ATO Jumping, using compromised email accounts to distribute Tycoon 2FA URLs and attempt further account takeover activities. “This technique can be used to make the email appear to come from a trusted contact of the victim, increasing the likelihood of a successful breach,” Proofpoint noted.
Phishing kits like Tycoon are designed to be flexible enough to be accessible to non-technical attackers, while still offering advanced features to experienced operators.
“In 2025, 99% of organizations will experience an account takeover attempt and 67% will experience a successful account takeover,” Serena Larson, staff threat researcher at Proofpoint, said in a statement shared with Hacker News. “Of these, 59% of compromised accounts had MFA enabled. While not all of these attacks are related to Tycoon MFA, this illustrates the impact of AiTM phishing on enterprises.”
“These cyberattacks, which allow complete takeover of accounts, can cause disastrous effects such as ransomware and loss of sensitive data. Gaining access to corporate email accounts is often the first step in attack chains that can have devastating consequences, as threat actors continue to prioritize identity.”
