
Coinbase and Microsoft disrupt Tycoon 2FA phishing platform in a coordinated operation with Europol targeting crypto-funded cybercrime.
Author: Akshat Thakur
March 4, 2026: Coinbase and Microsoft have disrupted the Tycoon 2FA phishing platform following a coordinated operation with Europol and international law enforcement agencies. The action targeted a large phishing-as-a-service operation used to steal login credentials and bypass multi-factor authentication across major online services. The takedown involved blockchain transaction tracing, legal domain seizures, and infrastructure disruption, marking a significant effort to weaken one of the most advanced phishing tools targeting crypto users and enterprise platforms.
Manish Balakrishnan
@Iamnotmanish
@coinbase Tracing payments is one thing. Coordinating cross-org action is the real win
How it started: Criminal organization Tycoon 2FA was offering a phishing-as-a-service platform. How it's going: Coinbase partnered with Microsoft & law enforcement to trace payments, identify Tycoon's administrator, and coordinate a service disruption. https://t.co/G2YTaBzLZh
04:50 PM·Mar 4, 2026
Vincent Crypto Trading
@vincenttcrypto
@coinbase Solid work. More of this please.
04:44 PM·Mar 4, 2026
Crypto Jung
@CryptoJung2x
@coinbase Thank you for finally doing this.
04:23 PM·Mar 4, 2026
Tycoon 2FA emerged around 2024 as a phishing-as-a-service platform designed to help cybercriminals launch large-scale credential theft campaigns. The platform allowed attackers to deploy convincing phishing pages that imitated login portals from trusted services such as Microsoft 365.
These phishing kits captured sensitive information including usernames, passwords, authentication codes, and session tokens. By intercepting session tokens in real time, attackers could bypass multi-factor authentication systems and maintain persistent access to compromised accounts.
The service operated through a subscription model where users paid for access to phishing tools and infrastructure. Cryptocurrency was frequently used to fund subscriptions, domain registrations, and operational expenses, allowing operators to maintain pseudonymous payment channels.
Phishing campaigns powered by tools like Tycoon 2FA are commonly used for account takeovers, business email compromise attacks, invoice fraud, and broader social engineering schemes.
The operation to dismantle Tycoon 2FA involved multiple organizations working together to identify the infrastructure and individuals responsible for the service.
Microsoft led the legal action through its Digital Crimes Unit, securing a court order to seize domains used by the phishing platform. These domains have now been redirected to an official splash page indicating they were taken down as part of a coordinated enforcement effort.
Coinbase contributed by analyzing blockchain transactions tied to payments made within the Tycoon ecosystem. By tracing cryptocurrency flows, investigators were able to map relationships between the platform’s operators, infrastructure providers, and customers.
This analysis helped identify the suspected administrator of the platform, Saad Fridi, who investigators believe is based in Pakistan. Europol and additional law enforcement agencies are continuing investigations to identify other participants and customers associated with the service.
Tycoon 2FA functioned as a turnkey service for cybercriminals. Subscribers gained access to phishing kits that replicated login pages of popular services, allowing attackers to trick users into entering credentials.
When a victim attempted to log in through the fake page, the system intercepted credentials and authentication codes in real time. The tool could also capture the session tokens issued once the victim completed MFA verification, enabling attackers to reuse the authenticated session and bypass authentication systems without passing MFA themselves.
Once attackers obtained these credentials, they could gain full access to accounts, conduct financial fraud, or launch additional phishing campaigns from compromised accounts.
The service’s subscription model generated ongoing revenue streams, often paid through cryptocurrency transactions that helped obscure the identity of participants.
By dismantling core infrastructure and seizing domains associated with the platform, the operation disrupts the operational capabilities of the Tycoon 2FA ecosystem.
Removing these services forces attackers to rebuild infrastructure from scratch, increasing operational costs and reducing the efficiency of large-scale phishing campaigns.
The case also highlights how blockchain analysis can play a role in identifying criminal networks that rely on cryptocurrency for payments and operational funding.
The operation reflects a growing trend of collaboration between technology companies, crypto firms, and law enforcement agencies to combat digital fraud.
Coinbase emphasized that it actively works with global partners to track illicit blockchain activity and support investigations targeting cybercrime networks. Microsoft has similarly expanded its legal and technical efforts to disrupt phishing infrastructure that abuses its services.
Security researchers note that phishing remains one of the largest threats to both crypto users and traditional financial platforms. Large-scale enforcement actions like this one may help slow the growth of phishing-as-a-service ecosystems.
As phishing infrastructure continues to evolve, cross-industry cooperation between exchanges, technology providers, and regulators will likely play an increasing role in protecting users and maintaining trust in digital systems.