A coalition of tech companies and law enforcement, including Coinbase, has dismantled the core infrastructure of Tycoon 2FA, a major phishing-as-a-service platform that offered tools to bypass multi-factor authentication.
Europol announced Wednesday that Microsoft helped block 330 domains linked to the platform, while law enforcement seized additional key infrastructure.
Financial tracing was also a key aspect. Coinbase said it assisted by tracing blockchain-related transactions funding Tycoon 2FA, which helped identify the phishing platform’s alleged administrator and buyers.
“Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and initial access, and forces criminals to rebuild, retool, and take on more risk,” Coinbase added.
Microsoft has helped block 330 domains linked to Tycoon 2FA. Source: Europol
Phishing scams were flagged as the second-largest threat in 2025 by blockchain security firm Certik, costing crypto investors $722 million across 248 incidents. A PeckShield spokesperson told Cointelegraph on Monday that phishing remains a “persistent threat” in 2026.
Tycoon tools used to bypass multi-factor authentication
Tycoon’s toolkit included spoofed landing pages designed to steal user credentials on legitimate websites. It also captured session cookies and tokens, allowing attackers to bypass MFA protections, according to Coinbase.
Generally, when a user logs in using MFA, the system generates a session token. The token acts as proof of authentication and is stored in the user’s browser. If a hacker steals the token, they can use it to fool the system and bypass MFA.
Source: Paul Grewal
“That combination, high-fidelity lures plus session-token theft, turns phishing into a reliable on-ramp for bigger crimes like account takeovers, business email compromise, invoice fraud, and follow-on social engineering,” Coinbase added.
One of the largest scam platforms in the world
Tycoon has been active since at least 2023, according to Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit. By mid-2025, Tycoon accounted for 62% of phishing attempts Microsoft blocked, including over 30 million emails in a single month.
Related: Traveling? ‘Evil Twin’ WiFi networks can steal crypto passwords
“That placed Tycoon 2FA among the largest phishing operations globally,” he added. “By lowering the technical barrier to entry, it allowed criminals with limited expertise to run sophisticated impersonation campaigns.”
Masada said industries from healthcare to education fell victim to Tycoon 2FA, resulting in rerouted invoices, stolen sensitive data, locked networks and disruptions to patient care.
“Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow‑on attacks such as data theft, ransomware, business email compromise, and financial fraud.”
Magazine: Would Bitcoin really be at $200K if not for Jane Street? Trade Secrets