Key Takeaways
- A collaborative operation involving Coinbase, Microsoft, and Europol successfully dismantled Tycoon 2FA, a massive phishing-as-a-service operation
- By the middle of 2025, Tycoon 2FA was responsible for 62% of phishing attempts that Microsoft intercepted, generating 30 million malicious emails monthly
- The operation circumvented multi-factor authentication by capturing session cookies and authentication tokens
- Coinbase utilized blockchain forensics to track financial transactions, leading investigators to the platform’s suspected administrator and customers
- Despite an 83% decline in phishing-related losses during 2025, cybercriminals continue deploying more sophisticated attack methods
This week witnessed a significant victory in the fight against cybercrime as a partnership between major technology firms and international law enforcement successfully dismantled a sprawling phishing operation. On Wednesday, Coinbase, Microsoft, and Europol jointly announced they had taken down the primary infrastructure supporting Tycoon 2FA.
Tycoon 2FA operated as a phishing-as-a-service enterprise, offering criminals subscription-based access to advanced toolkits designed to harvest login credentials and circumvent multi-factor authentication protections.
The criminal platform had been operational since at least 2023. By the midpoint of 2025, Tycoon 2FA was responsible for an astounding 62% of all phishing attempts that Microsoft successfully intercepted.
During its operational peak, the platform generated tens of millions of malicious emails monthly. The service enabled unauthorized intrusions into approximately 100,000 organizations across the globe, affecting diverse sectors including educational institutions, healthcare facilities, and government agencies.
Microsoft successfully blocked 330 domain names associated with the operation. Simultaneously, law enforcement agencies confiscated additional critical infrastructure components during the coordinated takedown.
Breaking Through Multi-Factor Authentication Defenses
The Tycoon platform provided criminals with sophisticated phishing kits featuring convincing replica pages that mimicked authentic websites. When unsuspecting users entered their credentials, the system captured their session cookies and authentication tokens.
Session tokens serve as digital proof that a user has completed the authentication process. Once a cybercriminal obtains these tokens, they can hijack the authenticated session without triggering additional MFA verification requests.
“This powerful combination — convincing fake pages combined with session-token interception — transforms phishing into an effective gateway for more serious criminal activities including account takeovers, business email compromise schemes, and invoice fraud,” Coinbase explained.
By eliminating technical barriers to entry, Tycoon enabled even relatively unskilled criminals to execute advanced phishing campaigns. The platform’s reach extended across multiple sectors from medical services to academic institutions, resulting in compromised data, fraudulent payment redirections, and interruptions to critical services like patient care.
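Because a stolen session token is accepted without a new MFA prompt, one defensive signal is a token that turns up outside the client context that originally passed MFA. The sketch below is an added example, not code from Coinbase, Microsoft, or Europol; the event fields, session IDs, and sample log entries are constructed for illustration, and the /24 tolerance for address churn is an assumption.

```python
import ipaddress

# Constructed sample events, not real logs. Field names are hypothetical.
EVENTS = [
    {"t": 100, "sid": "s-a1", "user": "alice", "ip": "198.51.100.10", "ua": "Firefox/128", "type": "mfa_ok"},
    {"t": 160, "sid": "s-a1", "user": "alice", "ip": "198.51.100.44", "ua": "Firefox/128", "type": "request"},
    {"t": 220, "sid": "s-a1", "user": "alice", "ip": "203.0.113.77", "ua": "python-requests/2.32", "type": "request"},
    {"t": 300, "sid": "s-b2", "user": "bob", "ip": "192.0.2.5", "ua": "Chrome/126", "type": "mfa_ok"},
    {"t": 330, "sid": "s-b2", "user": "bob", "ip": "192.0.2.5", "ua": "Chrome/126", "type": "request"},
    {"t": 400, "sid": "s-zz", "user": "carol", "ip": "203.0.113.9", "ua": "Chrome/126", "type": "request"},
]

def same_network(ip_a, ip_b, prefix=24):
    """True if both IPv4 addresses share a /prefix network (tolerates DHCP churn)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def find_token_replay(events):
    """Return (sid, time, reasons) for tokens used outside the context that passed MFA."""
    issued = {}    # sid -> event at which MFA was satisfied for that session
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "mfa_ok":
            issued[ev["sid"]] = ev
            continue
        origin = issued.get(ev["sid"])
        if origin is None:
            # Token presented although no MFA completion was ever logged for it.
            findings.append((ev["sid"], ev["t"], ["no_mfa_record"]))
            continue
        reasons = []
        if not same_network(origin["ip"], ev["ip"]):
            reasons.append("ip_changed")
        if origin["ua"] != ev["ua"]:
            reasons.append("ua_changed")
        if reasons:
            findings.append((ev["sid"], ev["t"], reasons))
    return findings

if __name__ == "__main__":
    for sid, t, reasons in find_token_replay(EVENTS):
        print(f"session={sid} t={t} reasons={','.join(reasons)}")
```

Address and user-agent changes also happen legitimately (mobile networks, browser updates), so findings like these are better used to trigger re-authentication or review than to block outright.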
How Coinbase Used Blockchain Forensics to Track the Operation
Coinbase contributed critical investigative support by analyzing blockchain transaction records associated with the platform’s financial operations. This digital money trail provided investigators with crucial intelligence that helped identify the suspected platform administrator and multiple customers.
“Dismantling Tycoon’s primary infrastructure eliminates a significant channel for credential theft and compels cybercriminals to restart their operations from scratch, adopt new tools, and accept greater exposure to detection,” Coinbase stated.
The cryptocurrency exchange confirmed it continues working to identify individuals who acquired Tycoon’s criminal tools and remains committed to supporting ongoing law enforcement investigations.
Blockchain security company CertiK identified phishing as the second most significant threat facing cryptocurrency users in 2025, with investors losing $722 million across 248 separate incidents.
While overall phishing-related losses declined by 83% in 2025 compared to the previous year, threat actors have continued evolving their tactics, including exploits leveraging EIP-7702 vulnerabilities and Permit2 signature-based attack vectors.
A representative from blockchain security company PeckShield informed Cointelegraph that phishing continues to represent a “persistent threat” heading into 2026.



