TLDR
- Coinbase, Microsoft, and Europol took down Tycoon 2FA, one of the world’s largest phishing-as-a-service platforms
- Tycoon 2FA accounted for 62% of all phishing attempts blocked by Microsoft by mid-2025, including 30 million emails in one month
- The platform bypassed multi-factor authentication by stealing session cookies and tokens
- Coinbase traced blockchain transactions to help identify the platform’s alleged administrator and buyers
- Phishing losses dropped 83% in 2025, but attackers are using increasingly advanced techniques
A coalition of tech companies and law enforcement took down one of the world’s biggest phishing platforms this week. Coinbase, Microsoft, and Europol announced Wednesday they dismantled the core infrastructure of Tycoon 2FA.
If you want to commit crime, I’d suggest you find somewhere else to do it. We don’t have an elite team of investigators and former prosecutors just because. https://t.co/DPi1uHi0n5
— Paul Grewal (@iampaulgrewal) March 4, 2026
Tycoon 2FA was a phishing-as-a-service platform. It sold subscription-based toolkits that let criminals steal login credentials and bypass multi-factor authentication (MFA).
The platform has been active since at least 2023. By mid-2025, it accounted for 62% of all phishing attempts blocked by Microsoft.
At its peak, Tycoon generated tens of millions of phishing emails every month. It facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions.
Microsoft blocked 330 domains tied to the platform. Law enforcement also seized additional key infrastructure as part of the operation.
How the Platform Bypassed Multi-Factor Authentication
Tycoon’s toolkit included spoofed landing pages designed to look like legitimate websites. When a user logged in, the platform captured their session cookies and tokens.
A session token is proof that a user has already authenticated. If a hacker steals that token, they can use it to access the account without triggering MFA prompts again.
“That combination — high-fidelity lures plus session-token theft — turns phishing into a reliable on-ramp for bigger crimes like account takeovers, business email compromise, invoice fraud,” Coinbase said.
By lowering the technical barrier, Tycoon allowed criminals with limited skills to run sophisticated campaigns. Industries from healthcare to education were affected, resulting in stolen data, rerouted invoices, and disruptions to patient care.
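A defender-side illustration of the token replay described above, added here as an example and not taken from Coinbase, Microsoft, or Europol material: it flags a session ID that is later presented by a different client than the one that completed MFA. The event fields, the sample records, and the /24 IPv4 grouping are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed sample events (not real logs); the field layout is an assumption:
# (timestamp, session id, user, source IPv4, user agent, event kind)
EVENTS = [
    ("2026-03-04T09:00:00", "s-1001", "alice", "198.51.100.10", "Firefox/135 Windows", "login_mfa_ok"),
    ("2026-03-04T09:05:00", "s-1001", "alice", "198.51.100.77", "Firefox/135 Windows", "request"),
    ("2026-03-04T09:07:00", "s-1001", "alice", "203.0.113.50", "Chrome/133 Linux", "request"),
    ("2026-03-04T10:00:00", "s-2002", "bob", "192.0.2.8", "Safari/18 macOS", "login_mfa_ok"),
    ("2026-03-04T10:30:00", "s-2002", "bob", "192.0.2.8", "Safari/18 macOS", "request"),
    ("2026-03-04T11:00:00", "s-3003", "carol", "203.0.113.50", "Chrome/133 Linux", "request"),
]

def fingerprint(ip, ua, prefix=24):
    """Coarse client identity: IPv4 network prefix plus user agent, so an
    address change inside the same subnet does not raise an alert."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (str(net), ua)

def find_replayed_sessions(events):
    """Return one (session, user, reason, timestamp) finding per suspect session."""
    bound = {}       # session id -> fingerprint seen at the MFA-backed login
    flagged = set()  # sessions already reported, to avoid duplicate findings
    findings = []
    # ISO-8601 timestamps sort chronologically as plain strings.
    for ts, session, user, ip, ua, kind in sorted(events):
        fp = fingerprint(ip, ua)
        if kind == "login_mfa_ok":
            bound[session] = fp
            continue
        if session in flagged:
            continue
        if session not in bound:
            reason = "session used with no recorded MFA login"
        elif bound[session] != fp:
            reason = "session used from a client that differs from the login"
        else:
            continue
        flagged.add(session)
        findings.append((session, user, reason, ts))
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(EVENTS):
        print(finding)
```

Users who roam between networks will also trip this heuristic, so a finding is a prompt to revoke the session and require re-authentication, not proof of compromise.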
Coinbase’s Role in Tracing Crypto Transactions
Coinbase played a key role by tracing blockchain transactions used to fund the platform. That financial trail helped law enforcement identify the alleged administrator and several buyers.
“Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and forces criminals to rebuild, retool, and take on more risk,” Coinbase said.
Coinbase also said it is actively working to identify people who purchased Tycoon’s tools and will continue supporting law enforcement efforts.
Phishing was flagged as the second-largest threat to crypto users in 2025 by blockchain security firm CertiK, costing investors $722 million across 248 incidents.
Overall phishing losses dropped 83% in 2025 compared to the prior year. However, attackers have continued developing advanced techniques, including exploits tied to EIP-7702 and Permit2 signature-based attacks.
A spokesperson from blockchain security firm PeckShield told Cointelegraph that phishing remains a “persistent threat” in 2026.





