Law enforcement agencies this week dismantled the Tycoon 2FA phishing network, a subscription-based cybercrime platform that generated tens of millions of phishing emails monthly and affected nearly 100,000 organizations globally.
The operation involved Coinbase analyzing blockchain payment trails, Microsoft providing security data, and Europol coordinating the international takedown, marking a rare coordinated victory against phishing-as-a-service infrastructure.
In a statement released Wednesday, Coinbase said its security team helped trace blockchain transactions connected to the Tycoon 2FA phishing network, which ultimately assisted investigators in identifying the suspected operator of the platform as well as several of its users.
According to Coinbase, analysts followed cryptocurrency payment trails used to purchase access to the Tycoon 2FA phishing network, allowing authorities to link the activity to specific individuals.
“Through blockchain intelligence, we were able to trace transactions associated with the service and support law enforcement efforts,” Coinbase said in its announcement.
The exchange added that the investigation into the Tycoon 2FA phishing network is ongoing. The company said it is continuing to work with law enforcement agencies to identify people who bought or used the service.
“We’re actively working to identify Tycoon purchasers and will continue supporting law enforcement efforts focused on the people who bought and used this service to target victims,” the company said.
Investigators believe the platform has been operating since at least 2023, giving cybercriminals years to exploit the infrastructure provided by the Tycoon 2FA phishing network.
How the Tycoon 2FA Phishing Network Bypassed Multi-Factor Security
Authorities say the Tycoon 2FA phishing network was particularly dangerous because it enabled attackers to bypass multi-factor authentication safeguards that many users rely on for protection.
According to Europol, the service sold a phishing toolkit through a subscription model, providing cybercriminals with ready-made tools designed to intercept live authentication sessions.
Instead of stealing passwords alone, the Tycoon 2FA phishing network captured session cookies from victims who had already logged in successfully. By hijacking these session tokens, attackers could access accounts without triggering additional security prompts.
Coinbase explained that the toolkit essentially allowed criminals to “piggyback” on an already authenticated session. Once the session cookie was captured, attackers could enter the account as if they were the legitimate user.
That technique made the Tycoon 2FA phishing network highly effective against accounts protected by advanced security layers, including multi-factor authentication systems used by financial services, technology companies, and government institutions.
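From the defender's side, the session-cookie reuse described above shows up as one session ID presented from a client other than the one that completed MFA. The following is an added example, not code from Coinbase, Microsoft or Europol; the log format, field names and the /24 and /48 network comparison are assumptions, and the events are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed sample events (not real telemetry). Fields:
# timestamp user session_id source_ip user_agent_family event
SAMPLE_LOG = """\
2025-06-01T09:00:05Z alice s-7f3a 198.51.100.23 Chrome/Windows mfa_success
2025-06-01T09:00:40Z alice s-7f3a 198.51.100.23 Chrome/Windows request
2025-06-01T09:02:10Z alice s-7f3a 203.0.113.77 Firefox/Linux request
2025-06-01T09:10:00Z bob s-21c9 192.0.2.14 Safari/macOS mfa_success
2025-06-01T09:40:00Z bob s-21c9 198.51.100.200 Safari/macOS request
2025-06-01T09:45:00Z carol s-9999 203.0.113.5 Edge/Windows request
"""

def parse(line):
    ts, user, sid, ip, ua, event = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": when, "user": user, "sid": sid,
            "ip": ipaddress.ip_address(ip), "ua": ua, "event": event}

def same_network(a, b):
    # Compare at /24 (IPv4) or /48 (IPv6) so address churn inside one network is ignored.
    prefix = 24 if a.version == 4 else 48
    return b in ipaddress.ip_network(f"{a}/{prefix}", strict=False)

def find_replays(log_text):
    """Return (session_id, user, reason) for sessions used outside the context that passed MFA."""
    bound = {}   # session_id -> event that completed MFA for that session
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if ev["event"] == "mfa_success":
            bound[ev["sid"]] = ev
            continue
        origin = bound.get(ev["sid"])
        if origin is None:
            alerts.append((ev["sid"], ev["user"], "no MFA event recorded for session"))
        elif not same_network(origin["ip"], ev["ip"]) and ev["ua"] != origin["ua"]:
            # A network change alone can be roaming (bob); a network change plus a
            # different client on the same cookie is the replay pattern (alice).
            delay = int((ev["ts"] - origin["ts"]).total_seconds())
            alerts.append((ev["sid"], ev["user"],
                           f"network and user agent changed {delay}s after MFA"))
    return alerts

if __name__ == "__main__":
    for alert in find_replays(SAMPLE_LOG):
        print(alert)
```
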
Cybersecurity analysts say such tools represent a shift toward more automated phishing-as-a-service operations.
Global Reach: Tens of Millions of Phishing Emails Every Month
Law enforcement officials say the Tycoon 2FA phishing network operated at an industrial scale.
According to Europol, the platform generated tens of millions of phishing emails each month, targeting individuals and organizations worldwide.
These campaigns were used to steal login credentials and session data from a wide range of victims, including schools, hospitals, and public institutions.
By mid-2025, researchers said the Tycoon 2FA phishing network had become one of the most dominant phishing platforms in operation.
Microsoft reported that the Tycoon 2FA phishing network accounted for nearly 62% of all phishing attempts blocked by its security systems during that period.
The scale of the attacks meant that nearly 100,000 organizations globally were affected by activity linked to the Tycoon 2FA phishing network, making it one of the largest phishing operations uncovered in recent years.
Security experts say the takedown could disrupt a large portion of phishing activity that relied on the platform’s infrastructure.
Phishing Still a Major Threat to Crypto Users
Despite the dismantling of the Tycoon 2FA phishing network, cybersecurity experts warn that phishing attacks remain a significant risk for cryptocurrency users and online platforms.
Recent industry data shows that losses from phishing attacks dropped sharply in 2025 compared with the previous year. However, attackers have continued to develop more advanced techniques to bypass security protections.
Some campaigns now exploit features tied to blockchain standards such as EIP-7702, as well as signature-based authorization tools like Permit2.
These methods can trick users into authorizing malicious transactions, allowing hackers to drain wallets without directly stealing login credentials.
Meanwhile, blockchain security firm CertiK reported that phishing remained the third most expensive type of cyberattack in 2025, highlighting how persistent the threat remains.
Experts say the shutdown of the Tycoon 2FA phishing network is an important victory, but it will not end phishing attacks entirely.
“Cybercriminals constantly evolve their tactics,” cybersecurity researchers have warned. “As long as there is financial value online, phishing campaigns will continue to adapt.”
Authorities say investigations connected to the Tycoon 2FA phishing network are ongoing, and additional arrests or enforcement actions could follow as more users of the service are identified.