An international law enforcement operation coordinated by Europol has dismantled key infrastructure behind Tycoon2FA, a large phishing-as-a-service (PhaaS) platform responsible for sending tens of millions of phishing messages each month.
Authorities seized and took offline 330 domains used by the criminal service, including control panels and phishing websites. Active since at least August 2023, Tycoon2FA enabled cybercriminals to bypass multi-factor authentication (MFA) protections and compromise accounts belonging to nearly 100,000 organizations worldwide, including government agencies, schools, and healthcare providers.
According to Microsoft, by mid-2025 Tycoon2FA was generating tens of millions of phishing emails monthly, targeting more than 500,000 organizations and accounting for roughly 60% of all blocked phishing attempts. The platform worked as an adversary-in-the-middle service, using reverse proxy servers to intercept login credentials and session cookies in real time during attacks on services such as Microsoft 365 and Gmail. This allowed attackers to hijack authenticated sessions and bypass MFA protections even when victims believed they had logged in successfully.
By capturing session cookies during authentication, the service could maintain access to accounts even after victims changed their passwords unless active sessions and tokens were manually revoked. Tycoon2FA was marketed through Telegram for about $120 for 10 days of access.
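As an added illustration (not from Microsoft, Europol, or any vendor tooling), the following sketch shows how a defender could check for the condition described above: a session issued before a password change that is still being used afterwards because it was never revoked. The event schema, field names, and sample log entries are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events; the field names are assumptions, not a real log schema.
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "type": "session_issued", "user": "alice", "sid": "s1", "ip": "203.0.113.10"},
    {"ts": "2025-06-01T09:05:00", "type": "activity", "user": "alice", "sid": "s1", "ip": "198.51.100.7"},
    {"ts": "2025-06-01T10:00:00", "type": "password_changed", "user": "alice"},
    {"ts": "2025-06-01T10:30:00", "type": "activity", "user": "alice", "sid": "s1", "ip": "198.51.100.7"},
    {"ts": "2025-06-01T08:00:00", "type": "session_issued", "user": "bob", "sid": "s2", "ip": "192.0.2.5"},
    {"ts": "2025-06-01T11:00:00", "type": "password_changed", "user": "bob"},
    {"ts": "2025-06-01T11:01:00", "type": "session_revoked", "user": "bob", "sid": "s2"},
    {"ts": "2025-06-01T11:02:00", "type": "session_issued", "user": "bob", "sid": "s3", "ip": "192.0.2.5"},
    {"ts": "2025-06-01T11:10:00", "type": "activity", "user": "bob", "sid": "s3", "ip": "192.0.2.5"},
]

def sessions_surviving_reset(events):
    """Return sessions issued before a user's password change that are
    still active after it and were never revoked."""
    issued, revoked, last_change, findings = {}, set(), {}, {}
    # Process events in time order so state reflects what was true at each point.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        kind, user, sid = ev["type"], ev["user"], ev.get("sid")
        if kind == "session_issued":
            issued[sid] = (ts, ev["ip"])
        elif kind == "session_revoked":
            revoked.add(sid)
        elif kind == "password_changed":
            last_change[user] = ts
        elif kind == "activity" and sid in issued and sid not in revoked:
            issued_at, issue_ip = issued[sid]
            changed = last_change.get(user)
            # Session predates the reset yet is still in use: the reset did not evict it.
            if changed and issued_at < changed and sid not in findings:
                findings[sid] = {
                    "user": user,
                    "sid": sid,
                    "first_seen_after_reset": ev["ts"],
                    # Use from a different address than at issuance is a supporting signal.
                    "ip_differs_from_issue": ev["ip"] != issue_ip,
                }
    return list(findings.values())

if __name__ == "__main__":
    for finding in sessions_surviving_reset(EVENTS):
        print(finding)
```

Any session this reports should be revoked explicitly, since changing the password alone did not end it.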
In a separate action, the FBI seized two domains used by the cybercrime forum LeakBase as part of an international effort codenamed “Operation Leak.”
The operation involved agencies from 14 countries. On March 3 and 4, authorities executed search warrants, conducted arrests and interviews, and performed “knock-and-talk” interventions across the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom. In total, around 100 enforcement actions were conducted worldwide, including measures against 37 of the forum’s most active users.
Launched in 2021, LeakBase had grown to more than 142,000 members after the shutdown of the Breached hacker forum. The platform offered stolen databases, hacking tools, exploit sales, and an escrow system for cybercrime transactions, along with discussion areas for programming, social engineering, and operational security.