Tycoon2FA operators have resumed large-scale cloud account phishing just days after law enforcement and industry partners disrupted the platform’s core infrastructure, underscoring the resilience of phishing-as-a-service (PhaaS) ecosystems and the limits of infrastructure-only takedowns.
Authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the UK worked with private-sector partners to seize 330 domains used to power Tycoon2FA control panels and phishing pages.
The platform had been active since 2023 and, by mid-2025, was responsible for roughly 62% of all phishing attempts blocked by Microsoft, generating tens of millions of malicious emails in a single month.
On March 4, 2026, Europol announced a coordinated technical disruption against Tycoon2FA, a subscription-based PhaaS platform used to bypass multifactor authentication (MFA) and compromise cloud email accounts at scale.
Tycoon2FA used adversary-in-the-middle (AiTM) techniques to intercept live authentication sessions, capturing credentials and MFA tokens for Microsoft 365 and Google accounts.
Sold on a subscription basis, it dramatically lowered the barrier to entry for less skilled criminals, enabling them to run business email compromise (BEC) and cloud account takeover campaigns against thousands of organizations worldwide.
Rapid Resurgence of Campaigns
CrowdStrike’s Falcon Complete and Counter Adversary Operations teams observed an immediate but short-lived dip in Tycoon2FA activity following the March 4 takedown, with daily campaign volume on March 4–5 dropping to about a quarter of pre-disruption levels.
Within days, however, the volume of cloud compromises remediated by Falcon Complete had returned to early-2026 baselines, with no material change in the service’s tactics, techniques, and procedures (TTPs).
CrowdStrike reported at least 30 suspected Tycoon2FA-enabled phishing incidents between March 4 and March 6 alone, involving multiple decoy and credential-harvesting pages.
Observed TTPs remain consistent with prior activity: phishing emails funnel victims to Tycoon2FA CAPTCHA pages which, once the CAPTCHA is passed, steal session cookies, extract the victim's email address via JavaScript, and pre-populate fake Microsoft 365 or Google login portals hosted on attacker-controlled domains.
Stolen credentials and cookies are proxied to legitimate cloud providers, and Tycoon2FA then automatically authenticates into victims’ Microsoft Entra ID environments using infrastructure linked to Romanian ISP M247 Europe SRL over IPv6.
Post-disruption campaigns show that Tycoon2FA customers continue to blend attacker-registered domains, compromised legitimate sites, and abused cloud services to host and redirect to phish kits.
Recent activity includes domains such as 811inboard[.]aeroprimelink[.]za[.]com, awssecrets[.]saidiosea[.]dev, and twig[.]lifeworkinc[.]com, alongside compromised business domains like traelyst[.]dk used as redirect infrastructure.
Some of these phishing domains have been active since 2025, indicating that parts of the Tycoon2FA ecosystem escaped the 2026 seizure operation.
Tycoon2FA operators and their customers are also abusing URL shorteners, links embedded in legitimate presentation platforms, and compromised SharePoint sites that host XLSX or PDF files with embedded redirect URLs.
CrowdStrike has observed AI-generated decoy webpages served when victims fail geofencing checks, and at least one campaign attempting to leverage Cloudflare r2[.]dev and workers[.]dev infrastructure associated with the Salty2FA phish kit; those attempts were blocked by Cloudflare’s suspected phishing interstitials, suggesting ongoing post-takedown industry countermeasures.
Operational Resilience
Telemetry from Falcon Complete shows that Tycoon2FA recovered on the same day as Europol’s announcement, with operators quickly procuring new IPv6 addresses while continuing to use at least one address tied to pre-disruption activity.
CrowdStrike notes continued domain registration for credential harvesting, active session cookie theft, and AI-generated decoy pages at pre-disruption pace, as well as persistent post-compromise behaviors such as creation of hidden inbox rules and folders to conceal BEC traffic.
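The detection logic below is an added illustration, not code from CrowdStrike, Europol, or the article, of how a defender can chain the three signals the article describes: a click on a known Tycoon2FA domain, a successful sign-in shortly afterwards from an unfamiliar IPv6 address or ASN, and a subsequently created inbox rule that hides mail. The phishing domains are the article's own indicators normalised to plain hostnames; all event records, the IPv6 address (a documentation-prefix address), and the ASN labels are constructed placeholders, and the hiding-folder list and time windows are assumptions to be tuned per tenant.

```python
"""Correlate phishing clicks, sign-ins and inbox-rule audits into one alert (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlparse


@dataclass(frozen=True)
class ClickEvent:        # from a web proxy or email gateway URL-click log
    user: str
    ts: datetime
    url: str


@dataclass(frozen=True)
class SignInEvent:       # from the identity provider's sign-in log
    user: str
    ts: datetime
    ip: str
    asn: str
    success: bool


@dataclass(frozen=True)
class RuleEvent:         # from mailbox audit (inbox rule created or changed)
    user: str
    ts: datetime
    name: str
    move_to_folder: str | None
    mark_as_read: bool
    delete: bool


# Indicators from the article, de-fanged form turned back into hostnames.
PHISH_DOMAINS = {"811inboard.aeroprimelink.za.com", "awssecrets.saidiosea.dev",
                 "twig.lifeworkinc.com", "traelyst.dk"}
# Folders commonly used to hide BEC traffic from the mailbox owner (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive"}
CLICK_TO_SIGNIN = timedelta(minutes=30)   # assumed window: click -> AiTM replay sign-in
SIGNIN_TO_RULE = timedelta(hours=24)      # assumed window: sign-in -> persistence rule


def host_is_phish(url: str) -> bool:
    """True if the URL's host is a listed phishing domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in PHISH_DOMAINS)


def signin_is_anomalous(ev: SignInEvent, asn_baseline: dict[str, set[str]],
                        ipv6_users: set[str]) -> list[str]:
    """Reasons a successful sign-in looks unfamiliar for this user (empty = normal)."""
    reasons: list[str] = []
    if not ev.success:
        return reasons
    if ev.asn not in asn_baseline.get(ev.user, set()):
        reasons.append(f"new ASN {ev.asn}")
    if ip_address(ev.ip).version == 6 and ev.user not in ipv6_users:
        reasons.append("first IPv6 sign-in for user")
    return reasons


def rule_is_suspicious(ev: RuleEvent) -> list[str]:
    """Reasons an inbox rule looks like BEC concealment (empty = benign)."""
    reasons: list[str] = []
    folder = (ev.move_to_folder or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{ev.move_to_folder}'")
    if ev.delete:
        reasons.append("deletes mail")
    if ev.mark_as_read and (folder or ev.delete):
        reasons.append("marks mail read before hiding it")
    if len(ev.name.strip()) <= 2:
        reasons.append(f"near-empty rule name {ev.name!r}")
    return reasons


def correlate(clicks, signins, rules, asn_baseline, ipv6_users) -> dict[str, dict]:
    """Return one alert per user whose phish click is followed by an unfamiliar sign-in."""
    alerts: dict[str, dict] = {}
    for c in clicks:
        if not host_is_phish(c.url):
            continue
        for s in signins:
            if s.user != c.user or not (c.ts <= s.ts <= c.ts + CLICK_TO_SIGNIN):
                continue
            s_reasons = signin_is_anomalous(s, asn_baseline, ipv6_users)
            if not s_reasons:
                continue                       # click without a matching takeover: no alert
            a = alerts.setdefault(c.user, {"click": c.url, "signin": [], "rules": [], "score": 0})
            a["signin"].extend(s_reasons)
            a["score"] += 2
            for r in rules:                    # persistence after the takeover sign-in
                if r.user == s.user and s.ts <= r.ts <= s.ts + SIGNIN_TO_RULE:
                    r_reasons = rule_is_suspicious(r)
                    if r_reasons:
                        a["rules"].append((r.name, r_reasons))
                        a["score"] += 3
    return alerts


def demo() -> dict[str, dict]:
    """Constructed sample events: alice is taken over, bob and carol are benign."""
    t = datetime(2026, 3, 5, 9, 0)
    clicks = [ClickEvent("alice", t, "https://login.twig.lifeworkinc.com/common/oauth2"),
              ClickEvent("bob", t, "https://intranet.example.invalid/news"),
              ClickEvent("carol", t + timedelta(hours=1), "https://traelyst.dk/redirect")]
    signins = [SignInEvent("alice", t + timedelta(minutes=7), "2001:db8::1234", "AS-PLACEHOLDER-1", True),
               SignInEvent("bob", t + timedelta(minutes=5), "203.0.113.10", "AS-CORP", True),
               SignInEvent("carol", t + timedelta(minutes=65), "203.0.113.11", "AS-CORP", True)]
    rules = [RuleEvent("alice", t + timedelta(hours=2), ".", "RSS Subscriptions", True, False),
             RuleEvent("bob", t + timedelta(hours=2), "Newsletters", "Newsletters", False, False)]
    baseline = {"alice": {"AS-CORP"}, "bob": {"AS-CORP"}, "carol": {"AS-CORP"}}
    return correlate(clicks, signins, rules, baseline, ipv6_users=set())


if __name__ == "__main__":
    for user, alert in demo().items():
        print(user, alert)
```

The sign-in step is the gate: a phishing click alone, or a sign-in from a familiar network, produces nothing, which keeps the rule quiet on users who clicked but did not complete the AiTM flow (carol in the sample); the inbox-rule check only raises the score once a takeover sign-in has already been established.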
Despite the rapid resurgence, the March 4 operation is expected to have a positive, if temporary, impact on the eCrime landscape by imposing costs on Tycoon2FA customers and damaging the service’s reputation within the crimeware market.
However, without arrests or seizure of physical assets, PhaaS operators can often rebuild or relocate infrastructure, especially when operating from jurisdictions with limited enforcement reach.
For defenders, the Tycoon2FA case reinforces the need for continuous visibility across identity, email, and cloud layers, real-time correlation of phishing and authentication signals, and rapid response capabilities to disrupt BEC and cloud account takeover before attackers can monetize access.