Bleeping Computer

Tycoon2FA phishing platform returns after recent police disruption

The Tycoon2FA phishing-as-a-service (PhaaS) platform that Europol and partners disrupted on March 4 has already returned to previously observed activity levels.

Microsoft led the technical disruption, which involved seizing 330 domains that formed part of Tycoon2FA’s backbone infrastructure, including the control panels and phishing pages used in attacks.

However, the disruption caused by law enforcement was short-lived, as CrowdStrike observed the cybercrime service return to normal operational volumes within days.

“Falcon Complete observed a short-term decrease in the volume of Tycoon2FA campaign activity following the takedown, with daily volumes on March 4 and March 5, 2026, reducing to 25% of pre-disruption levels,” reads CrowdStrike’s report.

“However, this volume subsequently returned to pre-disruption levels, with daily levels of cloud compromise active remediations returning to early 2026 levels.”

First documented by Sekoia roughly two years ago, Tycoon2FA appeared online as a PhaaS platform dedicated to targeting Microsoft 365 and Gmail accounts, featuring adversary-in-the-middle mechanisms that enable bypassing two-factor authentication (2FA) protections.

A month later, Trustwave reported that Tycoon2FA’s operators were actively improving the platform, adding new, advanced features, and enticing more cybercriminals to purchase access.

Tycoon2FA is a significant actor on the phishing scene, with Microsoft reporting that it generated 30 million phishing emails per month, accounting for 62% of all emails blocked by the tech giant.

According to CrowdStrike, Tycoon2FA is back in business using largely unchanged tactics, techniques, and procedures (TTPs), and supports a diverse set of illegal activities, such as business email compromise (BEC), email thread hijacking, cloud account takeovers, and malicious SharePoint links.

Since the disruption, Tycoon2FA has been used in malicious email campaigns that rely on malicious URLs and shortener services, abuse the redirection mechanisms of legitimate platforms such as presentation tools, and use compromised domains.

AI-generated decoy web pages used in Tycoon2FA attacks
Source: CrowdStrike

Interestingly, some of the old infrastructure remained active, indicating that the disruption was incomplete, while new phishing domains and IP addresses were registered quickly following the law enforcement operation.

Observed post-compromise activity includes the creation of inbox rules, hidden folders for fraud emails, and preparation for BEC operations.
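As an added illustration for defenders (not code from the article or from CrowdStrike’s report), the following Python triage runs over constructed Microsoft 365 Unified Audit Log records and flags inbox-rule changes of the kind described: rules that move matching mail into rarely viewed folders, mark it read or delete it, divert it outside the mailbox, or filter on payment-related subjects. Parameter names follow the Exchange Online New-InboxRule cmdlet; the folder and keyword lists and the sample records are assumptions.

```python
# Triage of Microsoft 365 Unified Audit Log inbox-rule records for the
# post-compromise pattern above (hiding or deleting mail before BEC fraud).
# Parameter names follow the Exchange Online New-InboxRule cmdlet; folder and
# keyword lists are assumptions, not taken from the report.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
DIVERT_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
STASH_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive"}  # assumed
BEC_WORDS = {"invoice", "payment", "wire", "bank", "password", "hacked"}  # assumed

def params_of(record):
    """Flatten the record's Parameters list into a {name: value} dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def score_rule(record):
    """Return the reasons an inbox-rule change looks suspicious ([] if benign)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p, reasons = params_of(record), []
    if p.keys() & DIVERT_PARAMS:
        reasons.append("mail diverted outside the mailbox")
    if "DeleteMessage" in p or "MarkAsRead" in p:
        reasons.append("messages deleted or silently marked as read")
    if p.get("MoveToFolder", "").lower() in STASH_FOLDERS:
        reasons.append(f"moved to rarely viewed folder '{p['MoveToFolder']}'")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";")}
    if words & BEC_WORDS:
        reasons.append("filters on payment or account-security keywords")
    if len(p.get("Name", "").strip(" .")) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons

def triage(records):
    """Map 'user:rule name' to its reasons for every suspicious rule change."""
    hits = {}
    for rec in records:
        if reasons := score_rule(rec):
            name = params_of(rec).get("Name", "<unnamed>")
            hits[f"{rec.get('UserId', '?')}:{name}"] = reasons
    return hits

# Constructed sample records (not real audit data): fraud-style rule, benign rule, sign-in.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "finance@example.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com", "Parameters": []},
]
```

In practice the records would come from Search-UnifiedAuditLog (or the Office 365 Management Activity API) rather than an inline list; each hit is a lead to review alongside the sign-in that preceded the rule change.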

Ultimately, CrowdStrike comments that, without arrests or physical seizures, it’s easy for cybercriminals to recover and replace the impacted infrastructure. As long as the demand from the phishing ecosystem is high, the motive for PhaaS platform operators remains unchanged.
