Coalition Seizes 330 Domains from Major Phishing Service
An international coalition of technology companies and law enforcement agencies, including Coinbase, Microsoft, and Europol, has dismantled the core infrastructure of Tycoon 2FA. The Phishing-as-a-Service (PhaaS) platform provided criminals with a toolkit to bypass multi-factor authentication (MFA). The coordinated operation resulted in the seizure of key infrastructure and the blocking of 330 domains linked to the service, effectively shutting down a major pipeline for credential theft.
Tycoon 2FA's toolkit provided high-fidelity spoofs of legitimate landing pages to steal user credentials. Crucially, it also captured session cookies and tokens, a method that allows attackers to hijack an authenticated session and bypass MFA protections entirely. This technique lowered the technical barrier for cybercriminals, enabling them to execute sophisticated account takeovers, business email compromises, and invoice fraud.
Tycoon 2FA Reached 96,000 Victims Since 2023
The platform's scale was significant and highlights the persistent threat of phishing, which cost crypto investors $722 million in 2025. Active since at least 2023, Tycoon 2FA was used to target an estimated 96,000 distinct victims worldwide, including over 55,000 Microsoft customers. At its peak in mid-2025, the service accounted for 62% of all phishing attempts that Microsoft blocked, which included over 30 million malicious emails in a single month.
The service's effectiveness allowed criminals to attack a wide range of industries, from healthcare to education. The consequences included rerouted invoices, theft of sensitive data, and disruptions to critical services like patient care, making its dismantlement a significant win for cybersecurity efforts globally.
Coinbase Blockchain Analysis Helps Unmask Operator
Coinbase played a key role in the investigation by applying its blockchain analytics capabilities to the case. The exchange's security team traced cryptocurrency transactions used to fund the Tycoon 2FA platform. This financial intelligence was crucial for law enforcement, as it helped identify both the buyers of the illicit service and the platform's alleged main developer, Saad Fridi, who is based in Pakistan. This action underscores the growing role of crypto-native firms in combating global cybercrime and enhancing security across the digital economy.