Despite a major law enforcement operation earlier this month, Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform, has continued to compromise email accounts and bypass multifactor authentication (MFA).
The platform, which intercepts live authentication sessions using adversary-in-the-middle (AITM) techniques, has reportedly resumed activity.
Tycoon2FA, launched in 2023, was responsible for a significant share of phishing activity. By mid-2025, it accounted for 62% of phishing attempts blocked by Microsoft and reportedly generated more than 30 million malicious emails in a single month.
Short-Term Disruption, Rapid Recovery
Following takedown coordinated by Europol, authorities from six countries as well as industry partners seized 330 domains linked to the Tycoon2FA platform. Initial results showed a sharp decrease in Tycoon2FA activity, with daily campaigns dropping to 25% of pre-disruption levels.
Read more on PhaaS threats: Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
However, activity quickly returned to early 2026 levels. In an advisory published last week, CrowdStrike said it observed at least 30 suspected Tycoon2FA-enabled phishing incidents between March 4 and March 6, involving decoy and credential-capture pages.
Operators continue to use compromised domains and legitimate cloud services for redirection, while IPv6 addresses associated with automated cloud logins remain active. AI-generated decoy pages and malicious URLs continue to be deployed, showing no change in tactics.
Outlook For Cyber Defenders
The takedown involved Europol’s European Cybercrime Centre (EC3) and authorities from Latvia, Lithuania, Portugal, Poland, Spain and the UK.
Despite that, Tycoon2FA’s rapid recovery highlights the adaptive nature of modern cyber threats, CrowdStrike warned. Continuous detection, real-time signal correlation, and layered defense strategies remain critical to counter adversaries who evolve rapidly.
“When cross-domain disruption avenues are unavailable to law enforcement bodies, infrastructure disruption, even if only temporary, can serve to frustrate, slow down, and confuse adversaries,” the company added.
“As recovery from such disruptions occurs, CrowdStrike and other industry partners must stand ready to orient themselves to the evolving nature of these threats.”
