Europol Shuts Down Tycoon 2FA Phishing Platform with Help from Microsoft and Coinbase

Europol has dismantled Tycoon 2FA, one of the largest phishing-as-a-service platforms, in a joint operation supported by Microsoft, Coinbase, and several other technology companies. The platform was a major distributor of tools designed to steal user credentials and bypass two-factor authentication.

A Massive Threat: 62% of Blocked Phishing Attacks

Tycoon 2FA had been operating since at least August 2023, offering cybercriminals ready-made tools for conducting phishing campaigns. The service enabled the creation of convincing clones of legitimate websites and could intercept 2FA passwords by accessing victims' cookie files.

According to law enforcement data, Tycoon was responsible for approximately 62% of all phishing attacks blocked by Microsoft. This made it one of the most significant nodes in the global cybercrime infrastructure.

Why This Matters

The takedown of Tycoon 2FA highlights the growing effectiveness of public-private partnerships in combating cybercrime. Phishing-as-a-service platforms pose a systemic threat by dramatically lowering the barrier to entry for attackers. Eliminating the largest player in this market could meaningfully reduce the volume of phishing attacks targeting users worldwide.

Coinbase's involvement in the investigation also underscores how blockchain transparency is becoming a powerful tool for law enforcement — on-chain transactions leave trails that can be used to map criminal networks.

How Coinbase and Microsoft Contributed

As part of their collaboration with Europol, the tech firms provided technical expertise and infrastructure analysis. Coinbase published a separate press release detailing its role in the operation.

The crypto exchange traced payment channels that funded Tycoon's operations. According to the company, phishing platforms like Tycoon operate much like illegal SaaS businesses — complete with subscriptions, resellers, customer support, and recurring revenue. A portion of these payments flowed through cryptocurrency, and blockchain transactions created investigative leads that helped link operators, buyers, and related infrastructure.

Coinbase also helped identify the suspected administrator of Tycoon — a Pakistani national named Saad Fridi.

Microsoft filed a civil lawsuit that resulted in the seizure of Tycoon's key domains, effectively cutting off the platform's operational infrastructure.

Next Steps and Broader Context

Coinbase representatives stated they will continue working to hold Tycoon's customers accountable. The company emphasized that when criminals can no longer collect payments and maintain their infrastructure, their "business model" collapses.

The shutdown of Tycoon 2FA aligns with a broader decline in phishing-related losses. According to SlowMist data, the total amount stolen through phishing attacks in 2025 dropped by 83% to $83.85 million.