A large phishing-as-a-service platform responsible for targeting hundreds of thousands of accounts around the world — including accounts linked to hospitals and schools — has been dismantled by international law enforcement agencies, Europol said on Wednesday. 

Known as Tycoon 2FA, the platform supplied criminals with a pre-built toolkit designed to capture login credentials and bypass multi-factor authentication, allowing them to compromise accounts despite additional security protections. 

Law enforcement agencies dismantled the operation by seizing 330 domains linked to the platform’s phishing sites and supporting infrastructure. Since becoming active in 2023, Tycoon 2FA had been sending tens of millions of phishing emails monthly and targeting over 500,000 organisations across the globe. 

Organisations in the healthcare and education sectors were among those hit the hardest. 

According to Microsoft, over 100 members of Health-ISAC — a cybersecurity information-sharing group for the health industry — fell victim to successful phishing attacks. In New York, at least two hospitals, six public schools, and three universities recorded attempted or confirmed compromises associated with Tycoon 2FA. 

“These incidents had tangible consequences,” Microsoft stated, with compromised accounts leading to operational disruptions and delays in patient care. 

In contrast to conventional phishing kits that merely steal passwords, Tycoon 2FA was specifically engineered to overcome strong security protections. It intercepted authentication sessions in real time, allowing attackers to capture login credentials along with one-time verification codes and gain access without triggering warnings. 

By packaging sophisticated phishing tools into a subscription model, the platform made it easier for criminals to launch attacks. At its height, Tycoon 2FA accounted for around 62% of the phishing attempts that Microsoft managed to block. 

Investigators believe the platform’s developer operates from Pakistan and worked with partners handling areas such as marketing, payment processing, and customer support. To launch high-volume cyberattacks, criminal groups often used Tycoon 2FA alongside other illegal services that facilitated bulk email distribution, malware hosting, and the resale of compromised account access.