Crypto payment trail leads to major phishing platform takedown


Investigators have shut down a major phishing-as-a-service platform after tracing its cryptocurrency payments. Authorities working with Microsoft and Coinbase followed the payment trail to the suspected operator of Tycoon 2FA. Now, law enforcement is hunting the cybercriminals who used the service to break into thousands of accounts.

The European Union Agency for Law Enforcement Cooperation (Europol), in cooperation with Microsoft and multiple other organizations, including major crypto exchange Coinbase, took down Tycoon 2FA, which was used to bypass multi-factor authentication (MFA) and enable large-scale account compromise.

As a result, 330 domains forming the core infrastructure of the criminal service, including phishing pages and control panels, were taken down, Europol said.

Meanwhile, Coinbase's Global Intelligence team said they've traced the payment rails that funded Tycoon, which was run like an illicit software business that included subscriptions, resellers, support, and recurring revenue.

"Some of those payments move through cryptocurrency, and blockchain transactions create investigative signals that can help connect operators, buyers, and related infrastructure," the team said, adding that their analysis identified Saad Fridi, believed to be based in Pakistan, as the administrator of the platform.

Coinbase analysts are also "actively working" to identify Tycoon users, meaning that criminals who bought and used the service to target victims are still being hunted by law enforcement.

According to Europol, Tycoon 2FA was among the largest phishing operations worldwide and had been active since at least August 2023. The investigation showed that, by mid-2025, the platform accounted for roughly 62% of all phishing attempts blocked by Microsoft.

"It enabled thousands of cybercriminals to covertly access email and cloud-based service accounts. At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions," Europol said.

Meanwhile, in a separate international operation, LeakBase, one of the world’s largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools, was dismantled, the US Department of Justice said yesterday.
