Coinbase, Microsoft, and Europol Shut Down Tycoon 2FA Crypto Phishing Operation

TLDR

  • Coinbase, Microsoft, and Europol dismantled Tycoon 2FA, identified as one of the world’s most extensive phishing-as-a-service platforms.
  • By mid-2025, Tycoon 2FA was responsible for 62% of all phishing attempts thwarted by Microsoft, encompassing 30 million emails within a single month.
  • The platform circumvented multi-factor authentication through the theft of session cookies and tokens.
  • Coinbase utilized blockchain transaction tracing to assist in pinpointing the platform’s suspected administrator and purchasers.
  • While phishing losses decreased by 83% in 2025, attackers are employing progressively sophisticated methods.

This week, a collaborative effort involving technology firms and law enforcement agencies resulted in the shutdown of one of the world’s most significant phishing platforms. On Wednesday, Coinbase, Microsoft, and Europol jointly declared the dismantling of Tycoon 2FA’s central infrastructure.

Tycoon 2FA operated as a phishing-as-a-service platform, offering subscription-based toolkits that enabled criminals to steal login credentials and circumvent multi-factor authentication (MFA).

Operational since at least 2023, the platform was responsible for 62% of all phishing attempts blocked by Microsoft by mid-2025.

During its peak activity, Tycoon produced tens of millions of phishing emails monthly. It enabled unauthorized access to almost 100,000 organizations worldwide, encompassing educational institutions, healthcare facilities, and public bodies.

Microsoft successfully blocked 330 domains associated with the platform. Furthermore, law enforcement confiscated other crucial infrastructure as part of this operation.

How the Platform Bypassed Multi-Factor Authentication

Tycoon’s toolkit featured deceptive landing pages crafted to mimic authentic websites. Upon a user’s login, the platform would capture their session cookies and tokens.

A session token is proof that a user has already authenticated. An attacker who obtains the token can present it to access the account without triggering another MFA prompt.

“That combination — high-fidelity lures plus session-token theft — turns phishing into a reliable on-ramp for bigger crimes like account takeovers, business email compromise, invoice fraud,” said.

By reducing the technical entry barrier, Tycoon empowered criminals with limited technical expertise to execute elaborate campaigns. Various sectors, from healthcare to education, were impacted, leading to data theft, misdirected invoices, and interruptions in patient services.
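A defensive illustration of the session-token point above, added here and not taken from Coinbase, Microsoft, or Europol: because a stolen token skips MFA, one detection heuristic is to flag a token presented from a client context different from the one that completed MFA. The log format, field names, event names, and sample records are constructed assumptions, and records are assumed to be in time order.

```python
# Added example: flag session tokens used outside the client context that
# completed MFA. The log schema below is an assumption, not a real product's.
import csv
import io

# Constructed sample log: time,user,session_id,event,ip,user_agent
SAMPLE_LOG = """\
2025-06-01T09:00:05Z,alice,s-1001,mfa_ok,198.51.100.10,Firefox/126 Windows
2025-06-01T09:01:12Z,alice,s-1001,request,198.51.100.10,Firefox/126 Windows
2025-06-01T09:03:40Z,alice,s-1001,request,203.0.113.77,Chrome/125 Linux
2025-06-01T09:10:00Z,bob,s-2002,mfa_ok,192.0.2.44,Safari/17 macOS
2025-06-01T09:12:30Z,bob,s-2002,request,192.0.2.45,Safari/17 macOS
2025-06-01T09:20:00Z,carol,s-3003,request,203.0.113.9,curl/8.5
"""

FIELDS = ["time", "user", "session_id", "event", "ip", "user_agent"]


def find_token_replay(log_text):
    """Return alerts for sessions used outside their MFA-bound context."""
    bound = {}   # session_id -> (ip, user_agent) seen when MFA completed
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        ctx = (row["ip"], row["user_agent"])
        sid = row["session_id"]
        if row["event"] == "mfa_ok":
            bound[sid] = ctx
            continue
        if sid not in bound:
            # Token in use with no recorded MFA: log gap or imported token.
            reason = "no_mfa_record"
        elif ctx[0] != bound[sid][0] and ctx[1] != bound[sid][1]:
            # Both IP and user agent changed: likely a different machine.
            reason = "context_changed"
        else:
            continue  # same client, or only the IP moved (e.g. roaming)
        alerts.append({"time": row["time"], "user": row["user"],
                       "session_id": sid, "ip": row["ip"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_LOG):
        print(alert)
```

Requiring both the IP and the user agent to change keeps roaming users (bob in the sample) from alerting; a real deployment would tune that threshold against its own traffic.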

Coinbase’s Role in Tracing Crypto Transactions

Coinbase was instrumental in tracing the blockchain transactions that financed the platform. This financial trail aided law enforcement in identifying the suspected administrator and multiple purchasers.

“Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and forces criminals to rebuild, retool, and take on more risk,” Coinbase said.

Coinbase added that it is actively working to identify individuals who acquired Tycoon’s tools and remains committed to supporting law enforcement initiatives.

In 2025, the blockchain security firm CertiK identified phishing as the second-most significant threat to crypto users, resulting in $722 million in losses for investors across 248 separate incidents.

Despite an 83% reduction in overall phishing losses in 2025 compared to the previous year, attackers have persisted in developing sophisticated methods, such as exploits linked to EIP-7702 and Permit2 signature-based attacks.

 

According to a spokesperson from blockchain security firm PeckShield, who spoke to Cointelegraph, phishing continues to be a “persistent threat” in 2026.