A coalition including Coinbase, Microsoft and Europol has dismantled key infrastructure behind Tycoon 2FA, a phishing-as-a-service platform that enabled cybercriminals to bypass multi-factor authentication.
Europol said Microsoft blocked 330 domains linked to the operation while law enforcement agencies seized additional infrastructure used to support the phishing network.
“Taking Tycoon’s core infrastructure offline cuts off a major pipeline for credential theft and initial access, and forces criminals to rebuild, retool, and take on more risk,”
Coinbase said.
Coinbase also assisted the investigation by tracing blockchain transactions used to fund Tycoon 2FA, helping authorities identify the platform’s alleged administrator and users.
The service provided phishing toolkits with spoofed login pages and session-token theft capabilities that allowed attackers to bypass authentication systems and access user accounts.
Microsoft said Tycoon had been active since at least 2023 and accounted for 62% of phishing attempts the company blocked by mid-2025, including more than 30 million malicious emails in a single month.
Security firms estimate phishing scams cost crypto investors $722 million across 248 incidents in 2025, highlighting the ongoing threat such platforms pose to digital asset users.