On March 4, 2026, Europol and international law enforcement partners announced the disruption of Tycoon2FA, a prominent Phishing-as-a-service (PhaaS) platform that enabled cybercriminals to bypass multi-factor authentication (MFA). The operation involved the seizure of 330 domains used to facilitate adversary-in-the-middle (AiTM) attacks. While the takedown initially resulted in a 75% drop in activity, monitoring by CrowdStrike revealed that campaign volumes returned to pre-disruption levels within days, demonstrating the extreme resilience of the platform's operators.
Tycoon2FA remains a significant threat, utilizing sophisticated tactics such as CAPTCHA-based session cookie theft and obfuscated JavaScript to proxy credentials to legitimate cloud environments. Post-disruption activity includes business email compromise (BEC), email thread hijacking, and the abuse of legitimate hosting services like Cloudflare to host phishing kits. This resurgence emphasizes the limitations of infrastructure takedowns and the necessity for organizations to employ real-time detection and response capabilities across their cloud attack surfaces.
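The "real-time detection" the article calls for has to key on what AiTM phishing actually produces: a session cookie minted after a legitimate MFA prompt and then presented from the attacker's infrastructure rather than the victim's. The following detector is an added example written for this page; it is not code from the article, Europol or CrowdStrike, and the log format, field names (`session_id`, `src_ip`, `mfa=true`) and sample events are all constructed assumptions. It replays a sign-in/activity log and flags any session whose MFA-backed login came from one source address but whose cookie is later used from another.

```python
"""Session-replay detector for AiTM-style cookie theft (added example, not from the article).

Assumed input: a sign-in/activity log, one whitespace-separated record per line:
    <ISO-8601 UTC timestamp> <user> <session_id> <source_ip> <action> mfa=<true|false>
The field layout is an assumption made for this example, not a real product's schema.
"""
from datetime import datetime, timezone

# Constructed sample telemetry (not real data). Session sess-A is authenticated with MFA
# from 203.0.113.10 and then presented 90 seconds later from 198.51.100.77, which is the
# pattern a proxied (AiTM) login leaves behind. Session sess-B stays on one address.
SAMPLE_LOG = """\
2026-03-10T09:00:00Z alice sess-A 203.0.113.10 login mfa=true
2026-03-10T09:00:30Z alice sess-A 203.0.113.10 mail.read mfa=false
2026-03-10T09:01:30Z alice sess-A 198.51.100.77 mail.read mfa=false
2026-03-10T09:03:00Z alice sess-A 198.51.100.77 inbox.rule.create mfa=false
2026-03-10T09:05:00Z bob sess-B 192.0.2.5 login mfa=true
2026-03-10T09:06:00Z bob sess-B 192.0.2.5 mail.read mfa=false
"""


def parse_event(line):
    """Split one log record into a dict with a timezone-aware timestamp."""
    ts, user, session_id, src_ip, action, mfa = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "session_id": session_id,
        "src_ip": src_ip,
        "action": action,
        "mfa": mfa == "mfa=true",
    }


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_session_replay(events):
    """Return one alert per session whose post-MFA cookie is presented from a new source IP.

    The login that satisfied MFA fixes the session's origin address; any later use of the
    same session id from a different address is reported once, with the first offending
    action and the delay after login so an analyst can judge how fast the cookie moved.
    """
    login_origin = {}  # session_id -> (user, login_ip, login_ts)
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        if ev["action"] == "login" and ev["mfa"]:
            login_origin[sid] = (ev["user"], ev["src_ip"], ev["ts"])
            continue
        origin = login_origin.get(sid)
        if origin is None or sid in flagged:
            continue
        user, login_ip, login_ts = origin
        if ev["src_ip"] != login_ip:
            flagged.add(sid)
            alerts.append({
                "user": user,
                "session_id": sid,
                "login_ip": login_ip,
                "replay_ip": ev["src_ip"],
                "first_replay_action": ev["action"],
                "seconds_after_login": int((ev["ts"] - login_ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

A raw address change is a coarse signal on its own (mobile roaming and VPN egress changes will trip it), so in production this check would be enriched with ASN and geolocation of both addresses and correlated with the device fingerprint bound at login. The `inbox.rule.create` event that follows the replay in the sample is worth a second rule: mailbox-rule creation within minutes of a session appearing on a new address is a common precursor to the BEC and thread-hijacking activity the article describes.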