Recently, Coinbase and Microsoft announced the dismantling of Tycoon 2FA, a phishing-as-a-service platform that facilitated large-scale credential theft by bypassing multi-factor authentication (MFA).
The disruption involved legal action, infrastructure takedowns, and cryptocurrency tracing, carried out in collaboration with Europol and other industry partners.
Operated as a subscription service, Tycoon 2FA supplied users with deceptive login pages that mimicked legitimate platforms, including Microsoft 365. The platform both captured user credentials (usernames, passwords, and authentication codes) and stole session tokens. The stolen credentials and tokens enabled attackers to gain access without triggering MFA alerts.
Execution of Disruption
Coinbase’s Global Intelligence team tracked the cryptocurrency payments supporting Tycoon 2FA’s activities. Blockchain transaction data helped connect operators with their buyers and related infrastructure.
Coinbase attributed Tycoon 2FA to Saad Fridi, suspected to be based in Pakistan. Microsoft initiated legal proceedings, obtaining a court order to seize domains hosting the platform’s control panels and phishing pages. These domains now display notices acknowledging the involvement of investigative partners like Coinbase.
Coinbase stated it is working to identify individuals who purchased or used the service, promising ongoing support for law enforcement in pursuing both the operator and its customers.
Industry Impact
The Tycoon 2FA case highlights how modern phishing infrastructure has become industrialized, offering tools as commercial services accessible to a wide array of threat actors. The use of cryptocurrency to fund these platforms has created traceable financial links that aided the broader investigation.
Coinbase and Microsoft both confirmed their commitment to continued collaboration with law enforcement and industry partners to identify operators and raise the operational costs of running phishing-as-a-service operations.










