Investigators claimed today to have taken out another key player in the global cybercrime supply chain after seizing infrastructure linked to phishing-as-a-service (PhaaS) operation Tycoon 2FA.
The effort was led by Microsoft and Europol and supported by a range of industry partners, including TrendAI, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Proofpoint, Resecurity, The Shadowserver Foundation, and SpyCloud.
Over 300 domains linked to Tycoon2FA were seized in the operation, according to TrendAI.
Tycoon2FA offered subscription-based PhaaS that used adversary-in-the-middle techniques to intercept live authentication sessions, and capture credentials, one-time passcodes and active session cookies in real time.
This enabled threat actors using it to bypass multi-factor authentication (MFA) and access countless enterprise accounts in large-scale attacks on corporate inboxes.
Tycoon2FA had around 2000 users and used more than 24,000 domains since its launch in August 2023.
Read more on PhaaS takedowns: UK Police Lead Disruption of £1m Phishing-as-a-Service Site LabHost.
“This was not a single phishing campaign. It was an industrialized service built to make MFA bypass accessible to thousands of criminals,” said Robert McArdle, director for cybercrime research at TrendAI.
“Identity is now the primary attack surface. When session hijacking can be packaged and sold as a subscription, the risk shifts from isolated incidents to systemic exposure.”
More Work Still to Do
TrendAI and other industry partners passed on crucial threat intelligence to law enforcement regarding Tycoon2FA infrastructure and campaigns. They assessed the primary operator to be a threat actor using the online identities “SaaadFridi” and “Mr_Xaad.”
However, with the perpetrator and many more like him still at large, security experts urged network defenders to build resilience against PhaaS.
TrendAI recommended that organizations:
- Adopt phishing-resistant authentication and enforce strict conditional access controls
- Deploy advanced email and collaboration security that can detect lateral phishing and brand impersonation
- Enable real-time URL inspection and web content analysis to identify fake login infrastructure
- Monitor identity risk posture continuously and take action quickly when anomalous session behavior is detected
- Conduct regular phishing simulations and security awareness training
