International law enforcement agencies have launched a major crackdown against the Tycoon 2FA phishing-as-a-service platform, which had emerged as a significant threat to global cybersecurity. Led by Europol, the joint operation successfully disabled the criminal network. Investigations revealed that the platform had been active since 2023 and was linked to more than 64,000 cyber fraud incidents.
Subscription-Based AitM Toolkit
Tycoon 2FA was a subscription-based phishing toolkit designed to help cybercriminals carry out adversary-in-the-middle (AitM) credential harvesting attacks. The platform was reportedly sold through messaging channels such as Telegram and Signal. The entry-level access cost around $120 for 10 days, while a one-month web-based administration panel subscription was available for about $350.
Reports suggest that the primary developer of the toolkit is suspected to be a Pakistan-based individual named Saad Fridi, though authorities have not officially confirmed this. The platform enabled cybercriminals to create fake login pages mimicking popular services such as Microsoft 365, Outlook, OneDrive, SharePoint, and Gmail to steal user credentials.
Experts said the system was not limited to password theft but was also capable of bypassing multi-factor authentication (MFA). The toolkit could intercept one-time password (OTP) codes, session cookies, and login credentials in real time and transmit them to the operator’s control panel or Telegram channel. Because the stolen session cookie remains valid on its own, this let criminals keep unauthorized access even after victims changed their passwords.
Billions of Phishing Emails
The network was reportedly responsible for sending billions of phishing emails every month. Joint analysis by security agencies and private cybersecurity companies showed that Tycoon 2FA targeted multiple sectors including educational institutions, hospitals, financial services, non-profit organizations, and government bodies.
During the operation, 330 domains forming part of the criminal infrastructure were shut down. These domains primarily functioned as phishing pages, control panels, and redirection servers. Investigators noted that cybercriminals used cloud security platforms to hide their identities.
Advanced Evasion Techniques
The investigation also revealed that the platform employed techniques such as keystroke monitoring, browser fingerprinting, code obfuscation, and custom CAPTCHA systems to evade detection. Many domains remained active for only 24 to 72 hours, making it difficult to create reliable blocklists.
Cybersecurity firms estimated that campaigns linked to Tycoon 2FA delivered phishing emails to more than 500,000 organizations worldwide. Victims were identified in several countries including the United States, the United Kingdom, Canada, France, and India. In India alone, more than 7,000 users were reportedly targeted.
Experts warned that the primary objective of such attacks is to gain control of enterprise email accounts, which can later be used for ransomware attacks or sensitive data theft. Reports noted that in several cases accounts were compromised despite MFA protection because attackers intercepted session tokens and cookie data.
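The mechanism described above, a session cookie captured by an adversary-in-the-middle proxy and then replayed from the operator's own machine, leaves a cheap signal in authentication logs: the session identifier is presented from a different source address or browser than the one that completed the MFA login. The following detector is an added example written for this article, not code from Tycoon 2FA, Europol, or any vendor named here; the log format, field names, and sample lines are constructed assumptions.

```python
"""Flag session identifiers that are used from a client other than the one that authenticated.

Added example, not part of the original article. The pipe-separated log format and
the sample lines below are constructed for illustration; real sign-in logs differ.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "login" (MFA completed, session issued) or "request" (session presented)
    session: str     # session identifier; in practice log a hash, never the raw cookie
    src_ip: str
    user_agent: str
    user: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line: ISO-timestamp|kind|session|src_ip|user_agent|user."""
    ts, kind, session, src_ip, user_agent, user = line.strip().split("|", 5)
    return Event(datetime.fromisoformat(ts), kind, session, src_ip, user_agent, user)


def find_session_reuse(lines):
    """Return one (user, session, ip_at_login, ip_at_use) tuple per session that is
    later presented from a different source IP or user agent than at login.

    A stolen cookie replayed by a phishing operator shows up exactly this way: the
    victim's login bound the session to one client, and the replay comes from another.
    """
    origin = {}       # session id -> Event that issued it
    flagged = set()   # sessions already reported, so each is alerted once
    alerts = []
    for ev in sorted(map(parse_line, lines), key=lambda e: e.ts):
        if ev.kind == "login":
            origin[ev.session] = ev
            continue
        first = origin.get(ev.session)
        if first is None or ev.session in flagged:
            continue
        if ev.src_ip != first.src_ip or ev.user_agent != first.user_agent:
            flagged.add(ev.session)
            alerts.append((ev.user, ev.session, first.src_ip, ev.src_ip))
    return alerts


# Constructed sample: alice's session is replayed from a second machine; bob's is not.
SAMPLE_LOG = [
    "2024-05-01T09:00:00|login|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|alice",
    "2024-05-01T09:00:05|request|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|alice",
    "2024-05-01T09:20:00|request|sess-a1|198.51.100.7|Mozilla/5.0 (X11; Linux x86_64) Firefox/125|alice",
    "2024-05-01T09:25:00|request|sess-a1|198.51.100.7|Mozilla/5.0 (X11; Linux x86_64) Firefox/125|alice",
    "2024-05-01T10:00:00|login|sess-b2|192.0.2.44|Mozilla/5.0 (Macintosh) Safari/17|bob",
    "2024-05-01T10:05:00|request|sess-b2|192.0.2.44|Mozilla/5.0 (Macintosh) Safari/17|bob",
]

if __name__ == "__main__":
    for user, session, login_ip, use_ip in find_session_reuse(SAMPLE_LOG):
        print(f"ALERT user={user} session={session} issued to {login_ip}, used from {use_ip}")
```

A mismatch on its own is not proof of compromise (mobile users change addresses, corporate proxies rewrite them), so this is a triage signal to pair with the article's advice on regular session logout: revoking the session invalidates the stolen cookie, which a password change alone does not.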
User Protection Advised
Authorities have urged citizens and organizations to avoid clicking on unknown links, carefully verify website URLs before logging in, and report suspicious emails or messages immediately. Cybersecurity experts emphasized that strong password management and regular session logout practices are essential for protecting digital identities.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
