A global phishing-as-a-service platform designed to bypass multi-factor authentication (MFA) has been disrupted following a coordinated effort involving Europol and multiple cybersecurity organisations.
Trend Micro said its TrendAI threat intelligence capabilities played a key role in the takedown of Tycoon 2FA, a subscription-based phishing toolkit that enabled attackers to intercept authentication sessions and compromise accounts protected by MFA.
The operation involved cooperation between law enforcement and industry partners including Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Microsoft, Proofpoint, Resecurity, Shadowserver and SpyCloud. Trend Micro contributed intelligence on the platform’s infrastructure, campaigns and operators to support the enforcement action.
Tycoon 2FA first emerged in August 2023 and quickly became one of the more prominent phishing-as-a-service platforms using adversary-in-the-middle (AiTM) techniques. Instead of simply harvesting usernames and passwords on a static fake login page, the service proxied the victim's traffic to the genuine login page and intercepted the live authentication session, capturing credentials, one-time passcodes and the session cookies issued once MFA had been satisfied. Those cookies could then be replayed by attackers to gain account access, effectively bypassing MFA protections without ever needing the victim's second factor again.
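To make the mechanism concrete, here is an added illustration (not code from Trend Micro, the article, or the Tycoon 2FA operators) of why a relaying proxy can forward a one-time passcode unchanged and walk away with a valid session cookie, while an origin-bound WebAuthn assertion fails the same relay. The origins, the shared secret, the "correct horse" password and the HMAC-based stand-in for a public-key signature are all assumptions made for the example.

```python
"""
Added example: OTP relay versus origin-bound assertion under an AiTM proxy.
Everything below (origins, secrets, password) is made up for illustration.
"""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example-idp.test"           # assumed genuine IdP
PHISH_ORIGIN = "https://login.example-idp-secure.test"   # assumed AiTM proxy host


class RelyingParty:
    """Minimal stand-in for an identity provider's verification logic."""

    def __init__(self, origin):
        self.origin = origin
        self.otp_secret = b"example-shared-otp-secret"   # assumed seed for the OTP demo
        self.issued_cookies = set()

    def expected_otp(self, counter):
        # Toy HOTP-style code: HMAC over a counter, truncated to six digits.
        mac = hmac.new(self.otp_secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def login_with_otp(self, password, otp, counter):
        # Password + OTP are plain strings: whoever forwards them gets a cookie.
        if password != "correct horse" or otp != self.expected_otp(counter):
            return None
        cookie = secrets.token_hex(16)
        self.issued_cookies.add(cookie)
        return cookie

    def verify_assertion(self, client_data_json, signature, credential_secret):
        # A real RP verifies a signature with the credential's public key;
        # an HMAC over clientDataJSON stands in for that check here.
        expected = hmac.new(credential_secret, client_data_json, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False
        client_data = json.loads(client_data_json)
        # Origin binding: the browser records the origin the user actually visited.
        return client_data.get("origin") == self.origin

    def cookie_valid(self, cookie):
        return cookie in self.issued_cookies


def aitm_relay_otp(rp, victim_password, victim_otp, counter):
    """The proxy forwards the victim's password and OTP verbatim and keeps the cookie."""
    return rp.login_with_otp(victim_password, victim_otp, counter)


def browser_sign_assertion(visited_origin, challenge, credential_secret):
    """Browser embeds the origin it is on; the authenticator signs over it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": visited_origin}
    ).encode()
    sig = hmac.new(credential_secret, client_data, hashlib.sha256).hexdigest()
    return client_data, sig


def demo():
    rp = RelyingParty(REAL_ORIGIN)
    counter = 42
    victim_otp = rp.expected_otp(counter)          # what the victim's app would show
    stolen_cookie = aitm_relay_otp(rp, "correct horse", victim_otp, counter)
    otp_relay_works = rp.cookie_valid(stolen_cookie)

    credential_secret = b"credential-private-key-stand-in"
    challenge = secrets.token_urlsafe(16)
    # Victim is on the phishing host, so the browser writes PHISH_ORIGIN.
    cd, sig = browser_sign_assertion(PHISH_ORIGIN, challenge, credential_secret)
    webauthn_relay_works = rp.verify_assertion(cd, sig, credential_secret)
    # The same credential used from the genuine origin verifies normally.
    cd2, sig2 = browser_sign_assertion(REAL_ORIGIN, challenge, credential_secret)
    legit_ok = rp.verify_assertion(cd2, sig2, credential_secret)
    return {
        "otp_relay_works": otp_relay_works,
        "webauthn_relay_works": webauthn_relay_works,
        "legit_webauthn_ok": legit_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The proxy can forward the signed assertion unchanged, but the origin inside clientDataJSON still names the phishing host, so the relying party rejects it. In a real deployment the browser also refuses to exercise a credential whose RP ID does not match the site it is on, so the assertion would normally never be produced for the proxy in the first place; the check above shows the server-side half of that binding.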
By the time of the disruption, the platform had around 2,000 users and had operated through more than 24,000 domains. Campaigns were primarily aimed at Microsoft 365 and other cloud-based services widely used by enterprises.
Trend Micro researchers said they had tracked the infrastructure and activity associated with the platform for an extended period. By November 2025, investigators had linked the service to an operator using the aliases “SaaadFridi” and “MrXaad”, believed to be the developer and primary administrator behind Tycoon 2FA. Historical activity suggested the individual had previously been involved in website defacement before moving into large-scale phishing toolkit development.
Robert McArdle, Director for Cybercrime Research at Trend Micro, described the service as an example of the industrialisation of identity-based cybercrime.
“This was not a single phishing campaign. It was an industrialised service built to make MFA bypass accessible to thousands of criminals,” McArdle said.
Phishing platforms like Tycoon 2FA often act as entry points for broader cybercrime operations. Credentials and session tokens harvested through AiTM campaigns are frequently sold on criminal marketplaces or passed to access brokers, who then monetise the access through business email compromise, data theft or ransomware attacks.
By lowering the technical barrier to entry, services such as Tycoon 2FA have expanded the number of attackers capable of launching advanced identity-based attacks.
While the disruption represents a setback for that ecosystem, security experts warn that similar services may emerge. Trend Micro said it will continue monitoring for attempts to rebuild or rebrand the platform using new infrastructure.
The takedown also highlights the growing importance of cross-industry cooperation in combating cybercrime operations that rely on distributed infrastructure and operate across multiple jurisdictions.
Security researchers say the case reinforces a broader lesson for organisations: MFA built on relayable factors such as passwords, one-time passcodes and push approvals is no longer sufficient protection against adversary-in-the-middle phishing, because the proxy simply forwards those factors to the real service. Additional controls such as phishing-resistant, origin-bound authentication (FIDO2/WebAuthn), conditional access policies that tie sessions to compliant devices or known networks, advanced email security and continuous monitoring of identity activity for signs of session cookie replay are increasingly necessary to detect and prevent account compromise.
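As an added example of what "continuous monitoring of identity activity" can mean in practice (not code from Trend Micro or any vendor's detection), the following correlates sign-in events per session: an interactive MFA-satisfied sign-in followed by use of the same session from a different network, particularly within minutes and from a different client, is the footprint a replayed AiTM cookie leaves. The log lines, the field names, the 30-minute window and the severity scheme are all constructed for the example, not a real product schema.

```python
"""
Added example: flag sessions that are issued after an MFA-satisfied sign-in
and then used from a different ASN. Log lines and field names are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log: alice's session hops networks two minutes after
# issuance with a different client, bob's stays put, carol's moves hours later.
SAMPLE_LOG = """
{"ts":"2025-11-03T09:14:02Z","user":"alice@example.test","event":"interactive_signin","session":"s-1001","ip":"198.51.100.23","asn":"AS64500","mfa":"satisfied","ua":"Chrome/130 Windows"}
{"ts":"2025-11-03T09:16:40Z","user":"alice@example.test","event":"token_use","session":"s-1001","ip":"203.0.113.77","asn":"AS64511","mfa":"claimed","ua":"Chrome/118 Linux"}
{"ts":"2025-11-03T09:30:11Z","user":"bob@example.test","event":"interactive_signin","session":"s-1002","ip":"198.51.100.40","asn":"AS64500","mfa":"satisfied","ua":"Edge/130 Windows"}
{"ts":"2025-11-03T10:05:00Z","user":"bob@example.test","event":"token_use","session":"s-1002","ip":"198.51.100.40","asn":"AS64500","mfa":"claimed","ua":"Edge/130 Windows"}
{"ts":"2025-11-03T11:00:00Z","user":"carol@example.test","event":"interactive_signin","session":"s-1003","ip":"192.0.2.8","asn":"AS64496","mfa":"satisfied","ua":"Safari/18 macOS"}
{"ts":"2025-11-03T17:45:00Z","user":"carol@example.test","event":"token_use","session":"s-1003","ip":"203.0.113.90","asn":"AS64511","mfa":"claimed","ua":"Safari/18 macOS"}
"""

WINDOW = timedelta(minutes=30)   # assumed tuning value for "soon after issuance"


def parse(log_text):
    """Parse one JSON object per line and sort by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_session_replay(events, window=WINDOW):
    """Return one alert per token use that comes from a different ASN than the sign-in."""
    issued = {}    # session id -> the interactive sign-in that created it
    alerts = []
    for e in events:
        if e["event"] == "interactive_signin" and e["mfa"] == "satisfied":
            issued[e["session"]] = e
            continue
        if e["event"] != "token_use":
            continue
        origin = issued.get(e["session"])
        if origin is None or e["asn"] == origin["asn"]:
            continue   # unknown session, or same network as the sign-in: not suspicious here
        reasons = ["asn_change"]
        if e["ts"] - origin["ts"] <= window:
            reasons.append("within_window")   # too fast for a normal location change
        if e["ua"] != origin["ua"]:
            reasons.append("ua_change")       # cookie presented by a different client
        alerts.append({
            "user": e["user"],
            "session": e["session"],
            "from": origin["ip"],
            "to": e["ip"],
            "reasons": reasons,
            "severity": "high" if len(reasons) == 3 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(parse(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The ASN comparison rather than a raw IP comparison is deliberate: mobile and corporate egress addresses change legitimately, but a session that was minted behind one provider and is presented minutes later behind another, by a different browser build, is the pattern worth revoking and investigating. Carol's alert stays at medium because only the network changed and hours elapsed, which is what ordinary travel looks like.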