A coordinated law‑enforcement and industry action disrupted Tycoon 2FA, a phishing‑as‑a‑service platform that used adversary‑in‑the‑middle proxies to bypass multi‑factor authentication. Authorities and industry partners seized hundreds of domains and said the takedown substantially reduced a high‑volume pipeline used for credential theft and business email compromise (BEC).

In early March 2026, Europol, Microsoft and multiple industry partners announced a coordinated disruption of Tycoon 2FA, a commercial phishing‑as‑a‑service platform that automated adversary‑in‑the‑middle proxying to defeat two‑factor authentication protections. Investigators linked Tycoon 2FA to millions of malicious messages and tens of thousands of confirmed account takeovers used in credential theft, business email compromise and follow‑on financial fraud. The operation seized and sinkholed hundreds of domains and infrastructure components, interrupted the platform's payment and hosting flows, and made evidence available for partner jurisdictions pursuing operators and resellers. Authorities and affected vendors said the takedown removed a high‑volume, commodified pipeline that lowered the technical bar for scalable MFA bypass attacks, materially reducing immediate fraud volume and closing avenues for rapid reuse of harvested credentials. Law‑enforcement and industry participants signaled ongoing monitoring for mirror services and affiliate networks, and urged organizations to strengthen anti‑phishing controls, conditional access policies and attacker‑resilient MFA implementations.