
The criminals sold "two-factor authentication bypass" as a feature. The rest of us call it phishing, because words still mean things. This week, a public-private coalition led by Europol, Microsoft, and Coinbase said it dismantled key infrastructure behind Tycoon 2FA, a phishing-as-a-service operation whose kits relayed a victim's password and one-time code to the real site within seconds, so the code was used against them moments after they typed it. [1]
The scale was not subtle. Microsoft said Tycoon 2FA accounted for 62% of the phishing attempts it blocked by the middle of last year, including more than 30 million phishing emails in a single month. [2] Europol added that Microsoft helped block 330 domains tied to the operation, while law enforcement seized additional infrastructure used to keep the service running. [1]

What happened, in plain terms

Tycoon 2FA was marketed like a subscription product for criminals. Instead of each scammer building their own phishing pages and delivery systems, Tycoon 2FA provided templates, hosting, and tooling designed to capture credentials and defeat multi-factor authentication (MFA), the extra verification step people rely on to protect email, exchange logins, and enterprise accounts.
Europol described the takedown as a coordinated action targeting the platform's "core infrastructure." Microsoft's role included identifying and blocking hundreds of domains associated with Tycoon 2FA's operations. Coinbase said it contributed by helping trace the financial flows that supported the service, including on-chain activity used for payments. [3]

If you are looking for a single "off switch," you will be disappointed. These operations survive by rotating domains, renting servers, and migrating to new providers when pressured. Still, taking away the platform's backbone raises costs for affiliates and creates a window where defenders can clean up compromised accounts.

Why Tycoon 2FA mattered to crypto and everyone else

The name is niche, but the technique is mainstream. "2FA phishing" of this kind is usually adversary-in-the-middle (AitM) phishing: the malicious page sits between the victim and the real login page and relays traffic in both directions. The victim enters a username, password, and MFA code on the fake page; the kit forwards them to the real site within the same few seconds, before the one-time code expires, and the real site answers with a valid session cookie (the token that keeps you logged in). The attacker keeps that cookie and loads it into a browser on their own device. Because the cookie already represents a completed MFA login, the attacker is never prompted for a second factor, and the single-use code the victim typed is never needed again.

That matters to crypto because:

  • Exchange accounts are high value targets and often protected by MFA.
  • Email compromise is often the real prize, because password resets and account recovery flows go through email.
  • Enterprise accounts hold admin privileges and internal data, making them leverage points for broader attacks, including social engineering against finance teams.

Europol's framing also reflects a wider reality: phishing is still the workhorse of cybercrime. It scales cheaply, and "as a service" toolkits industrialize it.

The numbers that explain the urgency

Microsoft's statistics do the heavy lifting here:

  • 62% of the phishing attempts Microsoft blocked by the middle of last year were attributed to Tycoon 2FA activity.
  • More than 30 million emails in one month were linked to Tycoon 2FA campaigns, per Microsoft's reporting. [2]
Those figures suggest Tycoon 2FA was not a boutique operation. It was infrastructure used by many actors, pushing high-volume campaigns that looked enough like legitimate sign-in flows to catch victims at scale.

Europol's detail on domains provides another useful datapoint:

  • 330 domains were blocked with Microsoft's assistance, according to Europol.
Domain scale matters because it signals operational maturity. Phishing crews that can burn through hundreds of domains are not improvising; they are running a supply chain.

Coinbase's angle: follow the money, including on-chain

Coinbase said it supported the operation through financial tracing, including blockchain related investigations. This is the less flashy part of disruption, but it is often the part that sticks. [3]
Phishing-as-a-service platforms need payment rails, affiliate payouts, infrastructure spend, and sometimes escrow-like arrangements with resellers. Crypto is not the only payment method criminals use, but it is common enough that tracing can create attribution breadcrumbs: wallet clusters, cash-out points, and links to other campaigns.

Two practical takeaways follow:

  1. On-chain transparency is useful when investigators have starting points. Wallet activity can connect providers, resellers, and buyers in ways traditional payment methods might not.
  2. Disruption is not only about servers. If investigators can pressure cash out routes and payment facilitators, the platform becomes harder to monetize, even if the codebase survives.

Coinbase did not present this as a victory lap for crypto. The message was more like: criminals used it, so investigators followed it.

How takedowns actually work (and what they do not solve)

Europol's announcement emphasized coordinated action across private companies and law enforcement. Microsoft contributed domain identification and blocking. Law enforcement seized infrastructure. Coinbase supported tracing.

That combination is the modern playbook: tech platforms see the traffic patterns first, and law enforcement has the authority to seize assets and pursue operators.

Still, no takedown is a permanent cure. Three limits are worth keeping in mind:

  • Rebrands are cheap. A service can resurface under a new name with minor code changes and fresh domains.
  • Affiliates already have victim lists. Even if infrastructure is hit, stolen credentials and session tokens may continue to be abused until accounts are secured.
  • Defenses fail at the user interface layer. If victims can be convinced to enter credentials into a fake page, the attacker's "product-market fit" remains intact.

So yes, infrastructure disruption helps. It just does not end phishing.

Key takeaways

1) Tycoon 2FA was not a side show

When a single platform accounts for 62% of blocked phishing attempts in a major ecosystem, it is effectively an industry utility for criminals.

2) Domain and infrastructure pressure raises attacker costs

Blocking 330 domains and seizing infrastructure forces churn. That reduces campaign uptime and breaks automation pipelines.

3) Crypto tracing is now routine in cyber disruption work

Coinbase's participation highlights that blockchain analytics is increasingly part of standard incident response and enforcement, not a special category.

What to watch next

Expect the following over the next 30 to 90 days:

  • Clone platforms and "new" brands that look suspiciously similar to Tycoon 2FA, because of course.
  • Increased use of device-bound credentials like passkeys (FIDO-based logins) by major platforms. Passkeys reduce the value of stolen passwords and defeat the relay trick because the private key never leaves the device and the browser binds each signed login to the real site's domain, so a login performed on a look-alike domain produces nothing the real site will accept.
  • More emphasis on session protection, including shorter session lifetimes, risk-based reauthentication, and detection of "impossible travel" logins.
  • Follow-on arrests and asset actions, if investigators can connect infrastructure seizures and payment tracing to specific operators.
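
Why the same relay fails against a passkey, as an added example (not a real authenticator or WebAuthn library). The browser, not the page, builds the clientDataJSON that the authenticator signs, and it records the origin it is actually connected to; the relying party then checks that origin against its own. Two assumptions are labelled in the code: the relying-party id and both origins are invented, and the public-key signature is stood in by an HMAC keyed with a per-credential secret that the toy authenticator and relying party share, because the standard library has no asymmetric signing. The origin-binding check is the same either way.

```python
"""
Origin binding in a WebAuthn/FIDO assertion, simplified.
Constructed illustration, not a real authenticator or relying-party library.
Assumptions: RP_ID / origins are invented; the signature is an HMAC with a
shared per-credential secret standing in for a public-key signature.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "exchange.example"                     # assumed relying-party id
RP_ORIGIN = "https://exchange.example"
PHISH_ORIGIN = "https://exchange-example.com"  # constructed look-alike domain


class Authenticator:
    """Holds the credential secret and signs exactly what the browser hands it."""

    def __init__(self, key):
        self.key = key

    def get_assertion(self, rp_id, challenge, browser_origin):
        # clientDataJSON is assembled by the browser from the origin it sees, not by the page.
        # A real browser also refuses when rp_id is not a registrable suffix of that origin;
        # the simulation signs anyway so the relying-party side of the check is visible too.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash + UP flag
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.key, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, key):
        self.key = key
        self.pending = {}   # user -> outstanding challenge

    def begin_login(self, user):
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.pending.pop(user, None):
            return False
        if cd.get("origin") != RP_ORIGIN:      # the anti-phishing check
            return False
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        signed = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def run_demo():
    key = secrets.token_bytes(32)
    rp, authn = RelyingParty(key), Authenticator(key)

    # 1. Legitimate: the browser is on the real origin.
    ch = rp.begin_login("alice")
    legit = rp.finish_login("alice", *authn.get_assertion(RP_ID, ch, RP_ORIGIN))

    # 2. Relayed: the proxy fetched a real challenge, but the victim's browser is on the
    #    phishing origin, so that origin is what gets signed. Rejected.
    ch = rp.begin_login("alice")
    cd, ad, sig = authn.get_assertion(RP_ID, ch, PHISH_ORIGIN)
    phished = rp.finish_login("alice", cd, ad, sig)

    # 3. Proxy rewrites the origin field before forwarding: the hash no longer matches
    #    what was signed. Also rejected.
    rp.pending["alice"] = ch
    patched = json.loads(cd)
    patched["origin"] = RP_ORIGIN
    tampered = rp.finish_login("alice", json.dumps(patched, sort_keys=True).encode(), ad, sig)
    return legit, phished, tampered


if __name__ == "__main__":
    print(run_demo())   # (True, False, False)
```

Contrast this with the password-plus-code flow: there, everything the victim produced was a value the proxy could forward unchanged. Here the only thing the victim's device produces is a signature over the wrong domain name, which is useless to the attacker and cannot be edited without breaking it.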
For users and organizations, the boring advice remains the most effective: use passkeys or hardware security keys where available, verify domains before logging in, and treat unexpected "account alert" emails as hostile until proven otherwise. Phishing does not need innovation, it just needs someone to click.
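
The impossible-travel check mentioned above, as an added example run over constructed sign-in events (not any product's detection logic). It assumes sign-ins have already been enriched with a geo-IP location, takes 900 km/h as the plausibility ceiling, and skips events whose lookup failed rather than flagging them as a jump. The second alice event models the replayed cookie from the first example: the same account, minutes later, a continent away.

```python
"""
Impossible-travel detection over successful sign-in events.
Constructed example; sample events, IPs and the 900 km/h ceiling are assumptions.
"""
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner is not a person travelling


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: successful sign-ins after geo-IP enrichment; geo=None means the lookup failed.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2026-03-02T09:00:00Z", "ip": "203.0.113.10", "geo": (52.37, 4.90)},     # Amsterdam
    {"user": "alice", "ts": "2026-03-02T09:12:00Z", "ip": "198.51.100.7", "geo": (37.77, -122.42)},  # San Francisco
    {"user": "bob",   "ts": "2026-03-02T09:00:00Z", "ip": "203.0.113.55", "geo": (48.86, 2.35)},     # Paris
    {"user": "bob",   "ts": "2026-03-02T11:00:00Z", "ip": "203.0.113.56", "geo": (51.51, -0.13)},    # London, plausible
    {"user": "carol", "ts": "2026-03-02T09:00:00Z", "ip": "192.0.2.9",    "geo": None},              # unknown location
    {"user": "carol", "ts": "2026-03-02T09:01:00Z", "ip": "192.0.2.9",    "geo": (40.71, -74.01)},   # first usable fix
]


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """One alert per event whose implied speed from the same user's previous geolocated
    sign-in exceeds max_kmh. Events without a location are skipped, not treated as a jump."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        if ev["geo"] is None:
            continue
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["geo"], ev["geo"])
            # Clamp to one second so two sign-ins in the same second do not divide by zero.
            hours = max((parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds(), 1) / 3600
            speed = km / hours
            if speed > max_kmh:
                alerts.append({
                    "user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                    "km": round(km), "minutes": round(hours * 60), "kmh": round(speed),
                })
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

The alert is a trigger for the reauthentication step the bullet above mentions, not proof of compromise on its own: VPN exits and mobile carrier geolocation produce false positives, which is why the ceiling is a tunable and why events with no location are left out rather than scored.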