Coordinated action disrupts Tycoon 2FA phishing service that targeted tens of thousands of organisations

Tycoon 2FA, a subscription phishing-as-a-service toolkit that enabled adversary-in-the-middle credential harvesting, was dismantled in early March 2026 by a coalition of law enforcement agencies and security companies. According to a Europol press release, the service generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organisations globally.

KEY FACTS

  • Incident: Tycoon 2FA taken down in a coordinated public-private action
  • Scale: Generated tens of millions of phishing emails monthly and impacted nearly 100,000 organisations
  • Infrastructure: 330 domains associated with the service were removed
  • Business model: Subscription access sold on messaging apps with tiered pricing
  • Operator: Primary developer alleged to be Saad Fridi

The toolkit provided a web administration panel for configuring campaigns, tracking victims and downloading harvested data. Panels included templates, redirect logic, attachment delivery options and real-time forwarding of credentials and session tokens to messaging channels.

Technically, the kit operated as an adversary-in-the-middle proxy that intercepted credentials, multi-factor codes and session cookies during sign-in. Because the captured session tokens are already authenticated, they could allow persistent access even after a password reset unless the sessions themselves were revoked.

Operators used rapid turnover of fully qualified domain names, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs and keystroke monitoring to evade detection. The short lifespan of many domains complicated blocking and takedown efforts.

The service ran on a subscription model sold via messaging apps. Campaigns targeted a broad range of sectors including education, healthcare, finance, non-profit and government, with industry data showing widespread enterprise targeting.

WHY IT MATTERS

The disruption removes a widely abused platform that scaled account takeover and identity theft risk for organisations worldwide. Organisations should review active sessions, revoke suspicious tokens and reinforce phishing defenses to limit reuse of harvested credentials.
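The point made above about stolen session tokens surviving a password reset, and the advice to review and revoke active sessions, can be illustrated with a small model. This is an added example, not code from Europol or any vendor: it assumes a hypothetical identity service that stores opaque session tokens with their issue time and records the time of the last password change.

```python
# Added illustration (hypothetical session store, not any vendor's code):
# why an AitM-harvested session token keeps working after a password reset
# unless validation is tied to the reset time and old sessions are revoked.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class User:
    name: str
    password_changed_at: datetime
    sessions: dict[str, datetime] = field(default_factory=dict)  # token -> issued_at


def issue_session(user: User, now: datetime) -> str:
    token = secrets.token_urlsafe(32)  # opaque token, as a session cookie would carry
    user.sessions[token] = now
    return token


def is_valid_naive(user: User, token: str) -> bool:
    # Weak: only checks the token exists, so a harvested cookie still works
    # after the victim changes their password.
    return token in user.sessions


def is_valid_hardened(user: User, token: str) -> bool:
    # Reject any session issued before the most recent password change.
    issued_at = user.sessions.get(token)
    return issued_at is not None and issued_at >= user.password_changed_at


def reset_password(user: User, now: datetime) -> list[str]:
    """Record the reset and revoke every pre-reset session; return revoked tokens."""
    user.password_changed_at = now
    stale = [t for t, issued in user.sessions.items() if issued < now]
    for t in stale:
        del user.sessions[t]
    return stale


def demo() -> tuple[bool, bool, bool]:
    t0 = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed timeline
    victim = User("alice", password_changed_at=t0)
    stolen = issue_session(victim, t0 + timedelta(hours=1))  # captured by the AitM proxy
    victim.password_changed_at = t0 + timedelta(hours=2)      # reset without revocation
    still_works = is_valid_naive(victim, stolen)
    blocked = is_valid_hardened(victim, stolen)
    revoked = reset_password(victim, t0 + timedelta(hours=3))  # proper reset
    return still_works, blocked, stolen in revoked
```

`demo()` returns `(True, False, True)`: the naive check keeps honouring the stolen token, the hardened check rejects it, and a reset that revokes pre-reset sessions removes it entirely.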