An international coalition led by Microsoft and Europol has taken down the operations of Tycoon 2FA, a notorious phishing-as-a-service platform that helped cyber criminals gain access to millions of email accounts across the globe.
Microsoft obtained a court order from the U.S. District Court for the Southern District of New York to seize 330 active domains used to back the core infrastructure of Tycoon 2FA.
“Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such as data theft, ransomware, business email compromise and financial fraud,” Steve Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post published Wednesday.
Tycoon 2FA, which had been active since 2023, grew into one of the largest phishing operations in the world. The attacks impacted more than 96,000 phishing victims globally since 2023. Microsoft said more than 55,000 of its customers were affected.
The service operated as an adversary-in-the-middle phishing kit, harvesting usernames, passwords and session cookies from Gmail and Microsoft 365 accounts, according to a blog post from Proofpoint, which was part of the coalition.
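A stolen session cookie, the core product of an adversary-in-the-middle kit like the one described above, leaves a trace defenders can look for: the same session presented from a different network shortly after the victim's own sign-in. The following detection heuristic is an added example written for this article, not code from Microsoft, Proofpoint or the Tycoon 2FA investigation; the event format, field names and ASN values are constructed for illustration.

```python
# Added example: flag session-cookie replay in sign-in logs, the log-level
# symptom of adversary-in-the-middle credential theft. The event tuple layout
# (timestamp, user, session_id, client_ip, asn) is an assumption for this
# illustration, not a real product's schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "sess-1", "198.51.100.10", "AS64500"),
    ("2024-05-01T09:03:00", "alice", "sess-1", "203.0.113.7",   "AS64511"),  # reuse from a new network
    ("2024-05-01T10:00:00", "bob",   "sess-2", "198.51.100.11", "AS64500"),
    ("2024-05-01T12:30:00", "bob",   "sess-2", "198.51.100.11", "AS64500"),
    ("2024-05-02T08:00:00", "carol", "sess-3", "198.51.100.12", "AS64500"),
    ("2024-05-02T08:30:00", "carol", "sess-3", "192.0.2.44",    "AS64500"),  # IP change, same ASN: no alert
]

# How soon after a legitimate use a reuse from elsewhere is treated as replay.
REPLAY_WINDOW = timedelta(minutes=30)


def parse(event):
    """Convert one constructed event tuple into typed fields."""
    ts, user, sid, ip, asn = event
    return datetime.fromisoformat(ts), user, sid, ip, asn


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return (user, session_id, previous_asn, new_asn) for every session that
    is presented from a different ASN within `window` of an earlier use.
    A valid cookie showing up from a new network right after the victim's own
    sign-in is what an AitM-harvested session looks like in the logs."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):  # ISO timestamps sort lexically
        ts, user, sid, ip, asn = parse(ev)
        by_session[sid].append((ts, user, ip, asn))

    alerts = []
    for sid, uses in by_session.items():
        for i in range(1, len(uses)):
            prev_ts, user, _prev_ip, prev_asn = uses[i - 1]
            ts, _, _ip, asn = uses[i]
            if asn != prev_asn and ts - prev_ts <= window:
                alerts.append((user, sid, prev_asn, asn))
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print("possible session replay:", alert)
```

In a real deployment the comparison would also use device or client fingerprints, since an ASN change alone also fires on ordinary mobile roaming.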
Tycoon 2FA had a widespread impact on businesses, health care providers and universities. More than 100 members of Health-ISAC were impacted, compromising the account credentials of staff members at these organizations. Health-ISAC was listed as a co-plaintiff on the court order.
“We saw firsthand how medical facilities were hit hardest,” Errol Weiss, chief security officer at Health-ISAC, told Cybersecurity Dive. “These attacks have tangible consequences, leading to diverted ambulances, disrupted hospital operations, and dangerous delays in patient care.”
Law enforcement agencies from the UK, Latvia, Poland, Spain and other parts of Europe participated in the operation, according to Europol.
