SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Tycoon 2FA phishing service disrupted in major sting

Mon, 9th Mar 2026

Law enforcement, working with a coalition of technology and security firms, has disrupted Tycoon 2FA, a phishing-as-a-service operation that specialists say was used to bypass multi-factor authentication and compromise online accounts at scale.

TrendAI said it worked with Europol and Microsoft in a long-running investigation that tracked the service's infrastructure and activity. Other partners included Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Proofpoint, Resecurity, Shadowserver and SpyCloud.

Phishing service

Tycoon 2FA operated as a subscription-based toolkit that gave criminals access to pre-built phishing flows and supporting infrastructure. It targeted widely used cloud and email services, including Microsoft 365 and Gmail, TrendAI said.

Phishing-as-a-service offerings have expanded in recent years as criminal groups standardise tools and sell them to other offenders. The model lowers the bar for running campaigns and increases the volume of attempted intrusions organisations face.

TrendAI described Tycoon 2FA as using adversary-in-the-middle techniques that went beyond collecting usernames and passwords. The platform intercepted live authentication sessions and captured one-time passcodes and session cookies in real time.

Session cookies can serve as proof that a user has already authenticated. Security researchers say criminals can replay them to access accounts without repeating the sign-in process, weakening protections that rely on multi-factor authentication at login.

Scale and use

At the time of the disruption, the service had around 2,000 users, according to TrendAI. The operation has also used more than 24,000 domains since emerging in 2023.

Campaigns focused largely on Microsoft 365 and other cloud services. TrendAI also said the platform targeted common enterprise tools, a pattern that has made cloud identity and access systems frequent targets for fraud and intrusion attempts.

Industry specialists often link phishing services to downstream crimes such as business email compromise and data theft. Access obtained through stolen credentials or hijacked sessions can also be sold to other criminals, including groups that deploy ransomware.

Investigation work

TrendAI said its researchers tracked the platform's infrastructure, campaigns and operator behaviour over an extended period. By November 2025, it had linked Tycoon 2FA to an actor using the monikers SaaadFridi and MrXaad.

The firm assessed that person as the developer and primary operator behind the service. It also said historical activity suggested earlier involvement in web defacement before a shift into phishing kit development.

TrendAI said it shared details on tooling, infrastructure patterns and operational behaviour with Europol as part of coordinated action. It did not provide operational details of the enforcement activity.

Industry coordination

The disruption of Tycoon 2FA reflects a broader trend in cybercrime enforcement. Investigators and private-sector partners increasingly target shared infrastructure, domain portfolios and service operators rather than single campaigns.

Phishing platforms often rely on distributed hosting and domain registration across multiple jurisdictions, supported by a large pool of paying customers. That structure can complicate disruption efforts and may lead to rapid re-emergence under new names or with altered infrastructure.

"This was not a single phishing campaign. It was an industrialised service built to make MFA bypass accessible to thousands of criminals," said Robert McArdle, TrendAI's Director for Cybercrime Research.

"Identity is now the primary attack surface. When session hijacking can be packaged and sold as a subscription, the risk shifts from isolated incidents to systemic exposure," McArdle said.

What comes next

TrendAI said it expects attempts to rebuild or rebrand the service and will continue monitoring for new infrastructure. It also said it is supporting follow-on investigations into identified users and administrators.

The firm warned that previously stolen credentials and session cookies may remain in circulation, leaving organisations exposed even after a takedown, particularly where session controls, device policies and anomaly monitoring are weak.
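As an added example, not part of this article or of any TrendAI tooling, the following Python sketches the kind of anomaly monitoring the warning above and the earlier explanation of session-cookie replay point to: each session cookie is bound to the network (ASN) and browser that completed MFA, and any later use of that cookie from a different network or browser, or with no recorded MFA at all, is flagged. The log format, field names and sample events are constructed assumptions.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample sign-in log (JSON lines, not from the article): alice
# completes MFA from the corporate network, then her session cookie is
# presented from another ASN and browser, the trace a replayed cookie leaves.
# bob's cookie appears with no MFA event at all in our logs.
SAMPLE_LOG = """
{"ts": 1000, "event": "mfa_success", "user": "alice", "sid": "s-111", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Firefox/125"}
{"ts": 1030, "event": "session_use", "user": "alice", "sid": "s-111", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Firefox/125"}
{"ts": 1200, "event": "session_use", "user": "alice", "sid": "s-111", "ip": "198.51.100.7", "asn": "AS64501", "ua": "Chrome/124"}
{"ts": 1300, "event": "session_use", "user": "bob", "sid": "s-999", "ip": "198.51.100.9", "asn": "AS64501", "ua": "Chrome/124"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_replay(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (user, sid, reason) alerts for session cookies used from a
    network or browser other than the one that completed MFA, or with no
    MFA origin on record. Events are processed in timestamp order."""
    origin: Dict[str, dict] = {}  # sid -> the mfa_success event that minted it
    alerts: List[Tuple[str, str, str]] = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "mfa_success":
            origin[e["sid"]] = e  # bind cookie to authenticating network/browser
            continue
        if e["event"] != "session_use":
            continue
        o = origin.get(e["sid"])
        if o is None:
            alerts.append((e["user"], e["sid"], "no_mfa_origin"))
            continue
        reasons = []
        if e["asn"] != o["asn"]:  # ASN, not IP: mobile IPs change legitimately
            reasons.append("asn_change")
        if e["ua"] != o["ua"]:
            reasons.append("ua_change")
        if reasons:
            alerts.append((e["user"], e["sid"], ",".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

A production version would key the origin on the identity provider's own session identifier and treat an ASN plus user-agent change together as higher confidence than either alone.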

"The disruption of Tycoon 2FA shows what is possible when intelligence is acted on, not just observed," McArdle said.

"We will continue to track the actors, the infrastructure, and the users behind these services to protect our customers and raise the cost of operating in this ecosystem," he said.