Tycoon 2FA continues to operate despite a law enforcement takedown operation.

The phishing‑as‑a‑service platform Tycoon 2FA continues operating despite international efforts to dismantle it, including the seizure of 330 domains. Widely used to bypass MFA and responsible for 62% of Microsoft‑blocked phishing attempts in 2025, the service resumed full activity shortly after the takedown. CrowdStrike observed that Tycoon 2FA’s tactics—including CAPTCHA‑based phishing pages and session‑cookie theft—remain unchanged. Investigators found that new IP addresses and previously untargeted phishing domains were already being used, suggesting the platform will persist beyond the disruption.

Read more:

https://www.securityweek.com/tycoon-2fa-fully-operational-despite-law-enforcement-takedown/