Key Takeaways
- A collaborative operation between Coinbase, Microsoft, and Europol successfully shut down Tycoon 2FA, a leading phishing-as-a-service operation
- By the middle of 2025, Tycoon 2FA was responsible for 62% of phishing attacks stopped by Microsoft, generating 30 million malicious emails monthly
- The sophisticated network circumvented multi-factor authentication security by capturing session cookies and authentication tokens
- Blockchain analysis conducted by Coinbase helped law enforcement track down the platform’s suspected operator and customers
- Despite an 83% reduction in phishing-related losses during 2025, cybercriminals continue deploying more sophisticated attack methods
An alliance of technology companies and international law enforcement brought down one of the world’s most prolific phishing operations this week. On Wednesday, Coinbase, Microsoft, and Europol jointly announced that they had dismantled Tycoon 2FA’s core operational infrastructure.
Operating as a phishing-as-a-service enterprise, Tycoon 2FA provided subscription-based criminal toolkits that enabled bad actors to harvest login credentials and circumvent multi-factor authentication (MFA) safeguards.
The criminal platform had been operational since approximately 2023. By the midpoint of 2025, Tycoon 2FA was responsible for 62% of all phishing attempts that Microsoft blocked.
During its operational zenith, the Tycoon network generated tens of millions of malicious phishing emails each month. The platform enabled unauthorized infiltration of approximately 100,000 organizations across the globe, spanning educational institutions, healthcare facilities, and government agencies.
Microsoft blocked 330 domains connected to the criminal network. Law enforcement authorities also seized critical infrastructure components during the coordinated takedown.
Methods Used to Circumvent Multi-Factor Authentication
The Tycoon toolkit featured convincing replica landing pages that closely mimicked authentic websites. Upon user login, the system harvested their session cookies and authentication tokens.
A session token serves as digital verification that a user has completed authentication. When cybercriminals obtain these tokens, they gain account access without triggering additional MFA verification requests.
“That combination — high-fidelity lures plus session-token theft — turns phishing into a reliable on-ramp for bigger crimes like account takeovers, business email compromise, invoice fraud,” Coinbase said.
By removing technical barriers to entry, Tycoon empowered even novice criminals to execute advanced phishing operations. Organizations across multiple sectors including healthcare and education suffered consequences ranging from data breaches to fraudulent invoice schemes and compromised patient services.
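Because a stolen session token is accepted without a new MFA prompt, defenders have to catch the reuse itself. The sketch below is an added example, not code from the article or from any of the companies named: it flags token use that does not match the client that completed MFA. The log format, field names, and sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample events (not real telemetry), one line per event:
# timestamp, user, session id, source IP, client, event type.
SAMPLE_LOG = """\
2025-06-01T09:00:00Z alice s-1001 198.51.100.10 Edge/125 mfa_success
2025-06-01T09:05:00Z alice s-1001 198.51.100.10 Edge/125 token_use
2025-06-01T09:20:00Z alice s-1001 203.0.113.77 python-requests/2.31 token_use
2025-06-01T10:00:00Z bob s-2002 192.0.2.44 Chrome/126 mfa_success
2025-06-01T10:30:00Z bob s-2002 192.0.2.44 Chrome/126 token_use
2025-06-01T11:00:00Z carol s-3003 192.0.2.90 Firefox/127 token_use
"""

@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    session: str
    ip: str
    agent: str
    kind: str

def parse(log):
    """Parse whitespace-separated log lines into Event records."""
    return [Event(*line.split()) for line in log.splitlines() if line.strip()]

def find_suspect_token_use(events):
    """Return (event, reason) for token uses that do not match the MFA context."""
    bound = {}      # session id -> (ip, agent) seen when MFA completed
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_success":
            bound[ev.session] = (ev.ip, ev.agent)
        elif ev.kind == "token_use":
            if ev.session not in bound:
                findings.append((ev, "token used with no MFA event on record"))
            elif bound[ev.session] != (ev.ip, ev.agent):
                findings.append((ev, "token used from a different IP or client"))
    return findings

if __name__ == "__main__":
    for ev, reason in find_suspect_token_use(parse(SAMPLE_LOG)):
        print(f"{ev.ts} {ev.user} {ev.session} {ev.ip} {ev.agent}: {reason}")
```

Legitimate users also change networks mid-session, so a finding like this is better used as a trigger for re-authentication or review than as proof of compromise.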
How Coinbase Used Blockchain Analytics to Track Criminals
Coinbase contributed crucial intelligence by analyzing blockchain transactions that financed the criminal platform. This financial evidence trail proved instrumental in helping authorities identify the suspected network administrator and multiple purchasers.
“Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and forces criminals to rebuild, retool, and take on more risk,” Coinbase said.
The cryptocurrency exchange confirmed it continues working to identify individuals who bought access to Tycoon’s tools and remains committed to supporting ongoing law enforcement investigations.
Blockchain security company CertiK identified phishing as the second-most significant threat facing cryptocurrency users in 2025, with investors losing $722 million across 248 separate incidents.
While total phishing losses decreased by 83% in 2025 compared to previous years, threat actors have continued refining their methodologies, including sophisticated exploits leveraging EIP-7702 and Permit2 signature-based attack vectors.
A representative from blockchain security firm PeckShield informed Cointelegraph that phishing continues to represent a “persistent threat” heading into 2026.





