Europol Dismantles Major Phishing Service Tycoon 2FA

A major phishing-as-a-service platform used in tens of thousands of credential theft attacks has been taken offline in an international law enforcement operation. The action against the Tycoon 2FA toolkit was announced by Europol, which coordinated the effort involving agencies from several countries and private cybersecurity firms.

The operation successfully disrupted the infrastructure of the Tycoon 2FA service. This platform provided a subscription-based toolkit that enabled cybercriminals to launch sophisticated phishing campaigns. The service was particularly notable for its ability to bypass two-factor authentication, a common security measure.

Scale and Sophistication of the Threat

According to Europol, the Tycoon 2FA platform was linked to at least 64,000 phishing attacks worldwide. It first emerged in August 2023 and grew to become one of the largest known phishing-as-a-service offerings. The toolkit automated the creation of phishing pages designed to steal login credentials and session cookies.

The service specialized in adversary-in-the-middle attacks. This technique intercepts communication between a user and a legitimate website in real time. When a victim entered their credentials and 2FA code on a fake page, the kit would instantly relay that information to the genuine site, capturing the resulting authenticated session cookie. This allowed criminals to bypass 2FA entirely and gain full access to the victim’s account.
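The replay step described above leaves a trace defenders can look for: a session that is later used by a different client than the one that completed 2FA. The following sketch is an added example, not code from Europol or the partner firms; the event fields (`ts`, `user`, `session`, `ip`, `ua`, `event`) and the one-hour window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names are assumptions and
# do not reflect any particular product's log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "user": "alice", "session": "s-111",
     "ip": "198.51.100.7", "ua": "Firefox/125 Linux", "event": "mfa_success"},
    {"ts": "2024-05-01T09:02:40", "user": "alice", "session": "s-111",
     "ip": "198.51.100.7", "ua": "Firefox/125 Linux", "event": "request"},
    {"ts": "2024-05-01T09:10:12", "user": "bob", "session": "s-222",
     "ip": "203.0.113.20", "ua": "Chrome/124 Windows", "event": "mfa_success"},
    {"ts": "2024-05-01T09:11:30", "user": "bob", "session": "s-222",
     "ip": "192.0.2.55", "ua": "python-requests/2.31", "event": "request"},
    {"ts": "2024-05-01T09:12:00", "user": "bob", "session": "s-222",
     "ip": "192.0.2.55", "ua": "python-requests/2.31", "event": "request"},
    # Session in use with no recorded 2FA completion (logging gap or import).
    {"ts": "2024-05-01T09:15:00", "user": "carol", "session": "s-333",
     "ip": "192.0.2.99", "ua": "Chrome/124 Windows", "event": "request"},
]


def find_session_replays(events, window=timedelta(hours=1)):
    """Return one finding per session used by a client other than its issuer."""
    issued = {}    # session id -> (time, ip, ua) seen when 2FA completed
    findings = {}  # session id -> first finding only, to avoid alert floods
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, sid = datetime.fromisoformat(ev["ts"]), ev["session"]
        if ev["event"] == "mfa_success":
            issued[sid] = (ts, ev["ip"], ev["ua"])
            continue
        if sid in findings:
            continue
        if sid not in issued:
            findings[sid] = {"user": ev["user"], "session": sid,
                             "reason": "no_issuance_seen", "replay_ip": ev["ip"]}
            continue
        t0, ip0, ua0 = issued[sid]
        if ts - t0 <= window and (ev["ip"], ev["ua"]) != (ip0, ua0):
            findings[sid] = {"user": ev["user"], "session": sid,
                             "reason": "client_changed", "replay_ip": ev["ip"]}
    return list(findings.values())
```

This is a heuristic: users who roam between networks will trigger it, so findings are leads for review rather than verdicts.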

International Collaboration Key to Success

The takedown was the result of a coalition effort led by Europol’s European Cybercrime Centre. It involved law enforcement from the United Kingdom, the Netherlands, and other nations. Private sector partners, including Group-IB and Sekoia.io, provided critical intelligence and technical analysis that identified the service’s operators and infrastructure.

Investigators traced the development and maintenance of the Tycoon 2FA kit to a single individual. The service was offered on cybercrime forums, with subscriptions sold for prices ranging from a few hundred to a few thousand dollars. Its user-friendly interface lowered the technical barrier to entry, enabling less skilled criminals to conduct high-level attacks.

Impact and Ongoing Investigation

The dismantling of the service is expected to significantly disrupt a wide range of cybercriminal activities. These include business email compromise, corporate network intrusion, and financial fraud. By removing this tool from circulation, authorities have disrupted a key part of the cybercrime supply chain.

Europol has not yet announced any arrests directly linked to the platform’s operation. The focus of the recent action was on seizing the digital infrastructure, including domain names and servers. Analysis of the seized data is ongoing and may lead to further operational activities against the kit’s users and developers.

Law enforcement agencies continue to investigate the full scope of the criminal enterprise. Future actions may target the individuals who subscribed to and used the Tycoon 2FA service to conduct attacks. Authorities also urge organizations and individuals to remain vigilant against phishing attempts, as other similar services remain active.

Source: Europol