Law enforcement and security firms successfully dismantled Tycoon 2FA, a massive phishing-as-a-service platform that enabled criminals to bypass multi-factor authentication and harvest credentials. The operation, which targeted nearly 100,000 organizations, resulted in the seizure of 330 domains and the identification of the toolkit's primary developer.
Tycoon 2FA emerged in August 2023 as a subscription-based toolkit sold on encrypted messaging apps for prices starting at 120 dollars. It allowed even low-skilled attackers to launch sophisticated adversary-in-the-middle attacks by using a centralized administration panel to manage malicious campaigns. This infrastructure provided everything from pre-built templates to hosting configurations, making it one of the largest and most accessible phishing operations in the world.
The platform was designed to intercept sensitive data including login credentials, multi-factor authentication codes, and session cookies in real time. Operators could monitor their victims through the web panel or receive stolen data directly via Telegram bots. This efficiency allowed the service to facilitate unauthorized access to a vast array of targets, including schools, hospitals, and public institutions across the globe.
By 2025, Tycoon 2FA had become the most prolific phishing platform observed by major tech companies, accounting for more than half of all blocked phishing attempts. Microsoft reported blocking over 13 million malicious emails linked to the service in a single month during its peak. The scale of the operation was immense, with the toolkit being linked to over 64,000 distinct phishing incidents and tens of millions of fraudulent emails monthly.
A coordinated international effort eventually led to the takedown of the 330 domains that formed the backbone of the service's criminal infrastructure. Investigators identified the primary developer as Saad Fridi, who allegedly operated the service from Pakistan. The disruption significantly hindered the ability of thousands of cybercriminals to maintain covert access to email and cloud-based service accounts.
Despite the success of the takedown, the impact of Tycoon 2FA remains significant, with an estimated 96,000 distinct victims identified worldwide since its inception. Security experts continue to monitor the landscape for similar toolkits that leverage the same adversary-in-the-middle techniques. The dismantling of this specific network serves as a major victory for global cybersecurity and a warning to those operating similar subscription-based criminal services.
Source: Europol-Led Operation Shuts Down Tycoon 2FA Phishing Service Linked to 64,000 Attacks


