
Europol, the European law enforcement agency dedicated to combating organized cybercrime, has recently achieved another significant milestone in its fight against online criminal networks. The agency successfully dismantled the IT infrastructure associated with Tycoon 2FA, a notorious phishing-as-a-service (PaaS) platform that had been operating since 2023. This takedown represents an important step in disrupting large-scale phishing operations that target millions of internet users worldwide.
Working in close coordination with major cybersecurity and technology companies such as Microsoft, Trend Micro, and Cloudflare, Europol managed to shut down more than 300 malicious domains that were being used to host fake login pages. These websites were specifically designed to trick users into revealing sensitive information such as login credentials and authentication codes. By taking control of these domains, authorities significantly reduced the platform’s ability to continue its phishing campaigns.
The operation was conducted under Europol’s Cyber Intelligence Extension Programme (CIEP). Through this initiative, investigators were able not only to seize the servers that powered the phishing infrastructure but also to identify and apprehend individuals believed to be directly involved in operating the cybercrime service. This coordinated effort demonstrates how international cooperation between law enforcement and private technology firms can effectively disrupt complex cybercriminal operations.
According to reports from investigators, the Tycoon 2FA network maintained infrastructure and operational links across several European countries, including Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom. Security researchers have also revealed that the group ran highly organized phishing campaigns on a massive scale. In fact, Microsoft reported that the attackers attempted to compromise more than 30 million email accounts during 2025 alone.
One of the reasons Tycoon 2FA became particularly dangerous was its business model. The group offered phishing tools and services to other cybercriminals for a relatively low fee of around $120. These tools allowed attackers to bypass multi-factor authentication (MFA) systems by intercepting or neutralizing security mechanisms such as SMS verification codes, authenticator app tokens, and push notifications. This capability made the platform extremely attractive to criminals looking to gain unauthorized access to protected accounts.
The scale of the attacks was alarming. Reports suggest that the group launched more than 96,000 phishing attempts targeting various victims around the world, with approximately 55,000 of those attacks specifically aimed at Microsoft customers.
However, cybersecurity experts caution that while such takedowns are important, they are not always a permanent solution. Zainab Fernandez, a freelance data security analyst working with Microsoft, points out that dismantling cybercrime networks is always a positive step. Unfortunately, these groups often regroup quickly, rebuild their infrastructure, and return with even more advanced and aggressive attack strategies.
Despite this challenge, Europol's continued efforts against hacking groups and malware distribution networks still play a vital role in global cybersecurity. Each successful operation sends a clear message to cybercriminals that their activities are being closely monitored. It also reinforces the idea that law enforcement agencies are capable of tracking and dismantling even sophisticated online criminal enterprises, making attackers think twice before launching future campaigns.
















