
Last Updated on March 24, 2026 by Arnav Sharma

On 4 March 2026, one of the most significant phishing infrastructure takedowns in recent memory was executed quietly, without a single arrest. Microsoft’s Digital Crimes Unit (DCU), working alongside Europol and a coalition of 11 security firms spanning six countries, dismantled Tycoon 2FA: a Phishing-as-a-Service (PhaaS) platform that spent three years industrialising the bypass of multi-factor authentication at a scale most defenders hadn’t anticipated.

This wasn’t just a phishing kit getting taken offline. It was the dismantling of a fully-fledged criminal SaaS business, one that sold account compromise capabilities to approximately 2,000 subscribers, enabled attacks across more than 500,000 organisations every single month, and by mid-2025 was responsible for 62% of all phishing attempts Microsoft blocked. Let that sink in. Sixty-two percent.

Here’s the full story, including how the platform worked under the hood, why traditional MFA didn’t stop it, and what defenders need to do differently now.

What Was Tycoon 2FA?

Tycoon 2FA first surfaced in August 2023, widely believed to be a fork of the earlier “Dadsec” phishing kit. But it evolved quickly, and that evolution is what made it dangerous. Within months it became one of the most widespread PhaaS platforms on the market, powering campaigns that pushed tens of millions of phishing messages to over 500,000 organisations monthly.

Microsoft’s threat intelligence team tracks the developer behind it as Storm-1747. The platform was sold through a private Telegram channel called “Saad Tycoon Group,” and pricing was deliberately accessible: around $120 USD for 10 days of panel access, or $350 for a full month. That’s less than a Netflix subscription to launch a sophisticated MFA-bypassing phishing campaign.

By the time the takedown happened, Tycoon 2FA had accumulated roughly 2,000 subscribers and had used over 24,000 domains since launch. It wasn’t a tool for elite hackers. It was a product built to make sophisticated attacks accessible to anyone willing to pay.

The Adversary-in-the-Middle Engine: Why MFA Didn’t Save You

This is the part most defenders underestimate. Tycoon 2FA wasn’t a traditional phishing kit that cloned a login page and stole your password. It was an Adversary-in-the-Middle (AitM) transparent reverse proxy, and that distinction matters enormously.

Think of it this way. A classic phishing page is a forgery: a fake storefront designed to look like the real thing. AitM is different. It’s more like a man standing between you and the real shop, silently copying your transaction as it happens in real time. You think you’re talking to Microsoft 365. You’re actually talking to Tycoon, which relays everything to Microsoft and intercepts the session token on the way back.

The Attack Flow, Step by Step

  1. The victim receives a phishing email with a lure attachment (.pdf, .html, .svg, .docx, QR code, or EML file).
  2. Clicking the link lands them on what looks exactly like a Microsoft 365 or Gmail sign-in page, because Tycoon is proxying the real page in real time.
  3. The victim enters their credentials and MFA code. Tycoon passes everything to the legitimate service while silently capturing username, password, MFA code, and most critically, the session cookie.
  4. The attacker imports that stolen session token into their own browser. MFA has been completed legitimately on the victim’s behalf. The attacker is now fully authenticated.
  5. Even after a password reset, the attacker retains access, because the session cookie is still valid until explicitly revoked.

That last point is where a lot of incident response efforts have fallen short. Resetting a compromised account’s password and calling it done is not sufficient when session tokens haven’t been revoked. I’ve seen this exact mistake play out in post-incident reviews.

Technical Architecture: What Made Detection So Hard

Infrastructure Abuse

Tycoon 2FA abused Cloudflare Workers as its proxy backbone, routing phishing traffic through Workers projects to steal credentials and session tokens for high-value platforms including Microsoft 365, GoDaddy, and Okta. When a victim interacted with a campaign, the Worker returned heavily obfuscated HTML that loaded the core proxy logic.

The scripts were engineered specifically to defeat analysis. They checked for automation markers like navigator.webdriver or PhantomJS. They disabled right-click menus and common keyboard shortcuts like F12 and Ctrl+U. They even used a debugger loop measuring JavaScript processing lag, and if the delay exceeded 100ms (a sign that browser Developer Tools were open), the script immediately redirected the visitor to a benign site like Overstock or Amazon. By the time a researcher noticed, there was nothing to see.

The kit dynamically adjusted Referer, Origin, and Host headers to bypass browser same-origin policies. After a successful login, Set-Cookie headers from the real service were intercepted and stripped of their HttpOnly and Secure flags, making them accessible for exfiltration. Attackers used Let’s Encrypt to generate legitimate TLS certificates for phishing domains, so browser padlock warnings were absent.
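The cookie-flag stripping described above is easy to verify when you have a genuine response and the one a suspect relay forwarded. The following is an added example, not code from the article or the kit: it parses both Set-Cookie headers and reports which protective attributes went missing in transit (cookie names and values are constructed).

```python
# Attributes a browser relies on for a session cookie; their absence after
# relaying is the tell-tale sign of an AitM proxy preparing the cookie for exfiltration.
PROTECTIVE_ATTRS = ("httponly", "secure")

def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie_name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive; value-less flags map to "".
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def stripped_attributes(genuine, relayed):
    """Return protective attributes present in the genuine header but missing from the relayed one."""
    name_g, attrs_g = parse_set_cookie(genuine)
    name_r, attrs_r = parse_set_cookie(relayed)
    if name_g != name_r:
        raise ValueError(f"cookie names differ: {name_g!r} vs {name_r!r}")
    return [a for a in PROTECTIVE_ATTRS if a in attrs_g and a not in attrs_r]

def audit_response_cookies(genuine_headers, relayed_headers):
    """Pair headers by cookie name and report every cookie whose protections were stripped."""
    relayed_by_name = {parse_set_cookie(h)[0]: h for h in relayed_headers}
    findings = {}
    for genuine in genuine_headers:
        name = parse_set_cookie(genuine)[0]
        if name in relayed_by_name:
            lost = stripped_attributes(genuine, relayed_by_name[name])
            if lost:
                findings[name] = lost
    return findings

# Constructed sample: what the real service set, and what the relay passed on.
GENUINE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=None; Domain=.login.example",
    "prefs=light; Path=/; Secure",
]
RELAYED = [
    "sessionid=abc123; Path=/; SameSite=None; Domain=.relay.example",
    "prefs=light; Path=/; Secure",
]

if __name__ == "__main__":
    print(audit_response_cookies(GENUINE, RELAYED))
```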

Domain Infrastructure and Fast-Flux Tactics

Tycoon 2FA generated large numbers of subdomains for individual campaigns, burned through them in 24-72 hours, then rotated to new ones. The parent root domains persisted for weeks or months, but campaign-specific FQDNs were short-lived, making traditional blocklists unreliable.

Over time, subdomain naming shifted toward recognisable, workflow-adjacent words: cloud, desktop, application, survey, python, terminal, xml, faq. These patterns blended into normal enterprise DNS traffic and were harder to flag than high-entropy algorithmically generated strings.
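The rotation pattern just described (a long-lived root domain fronting short-lived, ordinary-looking subdomains) is something a defender can hunt for in resolver logs. The following is an added example, not from the article: it reads constructed DNS query lines, measures how long each FQDN stayed in use, and flags roots that accumulate several short-lived subdomains built from the workflow words the article lists. The 72-hour window and "last two labels" root-domain rule are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Label words the article reports Tycoon 2FA campaigns shifting toward.
LURE_WORDS = {"cloud", "desktop", "application", "survey", "python", "terminal", "xml", "faq"}

# Constructed resolver log, "<ISO timestamp> <queried FQDN>"; not real telemetry.
SAMPLE_LOG = """\
2026-02-10T08:00:00 cloud.lure-root.test
2026-02-10T09:00:00 cloud.lure-root.test
2026-02-11T08:30:00 cloud.lure-root.test
2026-02-12T10:00:00 survey.lure-root.test
2026-02-13T11:00:00 survey.lure-root.test
2026-02-15T07:00:00 terminal.lure-root.test
2026-02-16T07:00:00 terminal.lure-root.test
2026-01-01T00:00:00 mail.corp-intranet.test
2026-02-16T12:00:00 mail.corp-intranet.test
2026-02-16T12:05:00 faq.corp-intranet.test
"""

def registrable_domain(fqdn):
    # Assumption: root = last two labels. Real deployments should use a public-suffix list.
    return ".".join(fqdn.split(".")[-2:])

def find_rotating_roots(log_text, max_life=timedelta(hours=72), min_subdomains=2):
    """Return {root: [FQDNs]} for roots with several short-lived, lure-worded subdomains."""
    first_seen, last_seen = {}, {}
    for line in log_text.splitlines():
        ts_str, fqdn = line.split()
        ts = datetime.fromisoformat(ts_str)
        first_seen[fqdn] = min(first_seen.get(fqdn, ts), ts)
        last_seen[fqdn] = max(last_seen.get(fqdn, ts), ts)
    candidates = defaultdict(list)
    for fqdn in first_seen:
        label = fqdn.split(".")[0]
        lifetime = last_seen[fqdn] - first_seen[fqdn]
        # A lure word alone is normal; a lure word on a name that vanishes within days is not.
        if label in LURE_WORDS and lifetime <= max_life:
            candidates[registrable_domain(fqdn)].append(fqdn)
    # A single short-lived name is noise (e.g. the one-off faq.corp-intranet.test above);
    # several under the same root is the rotation pattern worth escalating.
    return {root: sorted(names) for root, names in candidates.items() if len(names) >= min_subdomains}

if __name__ == "__main__":
    for root, names in find_rotating_roots(SAMPLE_LOG).items():
        print(f"{root}: {len(names)} short-lived lure subdomains -> {names}")
```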

The Admin Panel

Tycoon 2FA provided each subscriber with a fully-featured web-based admin dashboard. It included pre-built templates for common lure formats, attachment generators for QR codes and PDFs, redirect chain configuration, real-time victim tracking (valid/invalid logins, browser type, location, MFA status), automated subdomain rotation, and data exfiltration to Telegram bots. It was genuinely well-built software, designed to be usable even by operators with minimal technical skill.

Scale and Real-World Impact

The numbers are staggering. By mid-2025, Tycoon 2FA accounted for around 62% of all phishing attempts Microsoft blocked, including over 30 million malicious emails in a single month.

SpyCloud’s analysis of exposed panel data revealed 328,865 exposed entries, representing over 173,000 unique email addresses, 67,000 usernames, and 264,000 passwords. About 80% of those accounts were enterprise (non-freemail) Microsoft 365 or Google Workspace accounts.

Healthcare and education were hit particularly hard. Over 100 members of Health-ISAC were successfully phished. In New York alone, at least two hospitals, six municipal schools, and three universities experienced attempted or confirmed compromise, leading to disrupted operations, diverted resources, and in some cases, delayed patient care.

Proofpoint’s data paints an even bleaker picture of the broader trend: in 2025, 99% of organisations experienced account takeover attempts, 67% suffered a successful account takeover, and of those, 59% of the compromised accounts had MFA enabled. This is the systemic impact of AitM phishing done at scale.

The Criminal Business Behind It

Tycoon 2FA wasn’t a hobbyist project. The primary developer, Saad Fridi, believed to be based in Pakistan and operating under the handles “SaaadFridi” and “Mr_Xaad,” worked alongside partners handling marketing, payments, and technical support. Historical activity showed Fridi previously focused on web defacements before pivoting to building and running this kit.

The platform functioned as one piece of a larger criminal supply chain. While Tycoon 2FA captured credentials and session tokens, other specialised services handled mass email delivery, malware distribution, bulletproof hosting, and access monetisation. RedVDS, disrupted by Microsoft in January 2026, provided cheap virtual machines that attackers paired with Tycoon 2FA to run campaigns at scale. The operator of Tycoon 2FA was also in communication with the now-arrested developer of RaccoonO365, another phishing service, illustrating how tightly interconnected these criminal ecosystems are.

Once a victim’s authenticated session was captured, subscribers typically moved on to Business Email Compromise (BEC): sending fraudulent invoices or payment redirection requests from trusted, authenticated email addresses. The financial losses from downstream BEC activity are difficult to quantify but likely substantial.

The Takedown: How the Coalition Pulled It Off

Microsoft and Health-ISAC filed a civil complaint against Saad Fridi and four unnamed associates in the US District Court for the Southern District of New York, seeking a $10 million injunction. The Temporary Restraining Order was signed on 26 February 2026, giving Microsoft the legal authority to seize 330 active domains that powered Tycoon 2FA’s core infrastructure, including its control panels and phishing pages.

Simultaneous Multi-Country Seizures

Law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom simultaneously seized Tycoon 2FA infrastructure and conducted additional operational measures, coordinated through Europol’s Cyber Intelligence Extension Programme (CIEP) under the EMPACT framework.

The Private Sector Coalition

The operation involved 11 private sector partners: Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Proofpoint, Resecurity, The Shadowserver Foundation, SpyCloud, and TrendAI. Each brought something specific:

  • Cloudflare executed a technical takedown of all Workers projects and infrastructure abused by the kit.
  • Coinbase tracked cryptocurrency payments used by the criminal operators.
  • Shadowserver Foundation alerted over 200 national CERTs globally.
  • TrendAI (Trend Micro) passed crucial threat intelligence to law enforcement and identified the primary operator through alias analysis.
  • SpyCloud contributed deep victimology data from exposed panel records.

When the seizure was executed, every one of Tycoon 2FA’s roughly 2,000 criminal subscribers saw their dashboard replaced with a splash screen listing every coalition partner involved. The platform went dark in one coordinated move.

“This was not a single phishing campaign. It was an industrialised service built to make MFA bypass accessible to thousands of criminals. Identity is now the primary attack surface. When session hijacking can be packaged and sold as a subscription, the risk shifts from isolated incidents to systemic exposure.” — Robert McArdle, Director for Cybercrime Research, TrendAI

Johannes Ullrich, Dean of Research at the SANS Institute, offered a measured take: the disruption will set back Tycoon 2FA’s operations, but PhaaS platforms are less dependent on specific domains than malware C2 infrastructure. A rebuild is plausible. Still, even a temporary reprieve from 30 million monthly malicious emails is worth something.

The Bigger Picture: Cybercrime-as-a-Service

The Tycoon 2FA takedown is a window into how the modern cybercrime economy actually functions. Its rise likely accelerated after disruptions of rival platforms like Caffeine and RaccoonO365. When one PhaaS platform goes down, its subscriber base doesn’t disappear. They migrate to the next available option. That’s the nature of a mature criminal marketplace.

Tycoon 2FA isn’t the only platform offering effective MFA bypass. Platforms like “VoidProxy” and the more recently documented “Starkiller” tool use similar AitM approaches to capture session tokens. The tools change. The attack pattern doesn’t.

AitM proxying for session hijacking is now a commodity. Threat actors don’t need to build this capability themselves. They just subscribe. That’s the threat model security teams need to be designing controls around.

Final Thoughts

The Tycoon 2FA takedown represents the kind of coordinated enforcement action the industry needs more of: simultaneous legal action, technical infrastructure disruption, cross-border law enforcement, and private sector threat intelligence all executing together. The result was every criminal subscriber’s dashboard getting replaced with a seizure notice in a single coordinated moment.

But as the experts involved were quick to point out, this is a reprieve, not a resolution. The underlying vulnerability, session token theft via AitM proxying, remains fully exploitable. The only defence that closes the door completely is phishing-resistant authentication.

If your organisation is still relying on SMS OTP or authenticator app push notifications as your primary MFA control, the Tycoon 2FA story is the clearest case study available for why that needs to change.

Arnav Sharma
Microsoft MVP · MCT
Microsoft Certified Trainer · Cloud · Cybersecurity · AI

I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
