Investigators claimed today to have taken out another key player in the global cybercrime supply chain after seizing infrastructure linked to phishing-as-a-service (PhaaS) operation Tycoon2FA.

The effort was led by Microsoft and Europol and supported by a range of industry partners, including TrendAI, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Proofpoint, Resecurity, The Shadowserver Foundation, and SpyCloud.

Over 300 domains linked to Tycoon2FA were seized in the operation, according to TrendAI.

Tycoon2FA offered a subscription-based PhaaS that used adversary-in-the-middle techniques to intercept live authentication sessions and capture credentials, one-time passcodes and active session cookies in real time.

This enabled threat actors using it to bypass multi-factor authentication (MFA) and access countless enterprise accounts in large-scale attacks on corporate inboxes.
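Because an adversary-in-the-middle kit relays the victim's real login and walks away with the resulting session cookie, the clearest defender-side signal is the same session identifier turning up from a different network and client shortly after it was issued. The following detector is an added example written for this article, not code from Microsoft, Europol, TrendAI or any other partner named above; the sign-in events, ASN numbers, user agents and field layout are all constructed for illustration.

```python
"""Flag an authenticated session that is reused from a different network or client.

Added illustration for the article above. An adversary-in-the-middle phishing
service proxies the victim's sign-in and captures the session cookie, so the
same session id later appears from the attacker's infrastructure. Field names,
ASNs, user agents and timestamps below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta

# Constructed events: (ISO timestamp, user, session_id, source ASN, user agent)
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "sess-A1", "AS64500", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    ("2024-05-01T09:05:00", "alice", "sess-A1", "AS64500", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    # same cookie, seven minutes later, from another ASN with another browser
    ("2024-05-01T09:07:00", "alice", "sess-A1", "AS64511", "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"),
    ("2024-05-01T10:00:00", "bob",   "sess-B7", "AS64500", "Mozilla/5.0 (Macintosh) Safari/17"),
    ("2024-05-01T10:30:00", "bob",   "sess-B7", "AS64500", "Mozilla/5.0 (Macintosh) Safari/17"),
]


def find_session_reuse(events, window=timedelta(hours=1)):
    """Return alerts for events where a known session id is used from a
    different ASN or user agent than the one that established it, within
    `window` of the first sighting. The window keeps ordinary roaming
    (a laptop changing networks hours later) from drowning out the
    near-real-time replay that AitM phishing produces."""
    first_seen = {}   # session_id -> (timestamp, asn, user_agent)
    alerts = []
    for ts_str, user, sid, asn, ua in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if sid not in first_seen:
            first_seen[sid] = (ts, asn, ua)
            continue
        t0, asn0, ua0 = first_seen[sid]
        if ts - t0 <= window and (asn != asn0 or ua != ua0):
            alerts.append({
                "user": user,
                "session_id": sid,
                "original_asn": asn0,
                "new_asn": asn,
                "user_agent_changed": ua != ua0,
                "seconds_after_login": int((ts - t0).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print("possible session hijack:", alert)
```

In production the same logic runs over identity-provider sign-in logs, and the alert is a trigger to revoke the session and re-authenticate the user rather than a verdict on its own; a VPN toggling mid-session will produce the same pattern, which is why the ASN and user-agent changes are reported separately.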

Tycoon2FA had around 2,000 users and used more than 24,000 domains since its launch in August 2023.


“This was not a single phishing campaign. It was an industrialized service built to make MFA bypass accessible to thousands of criminals,” said Robert McArdle, director for cybercrime research at TrendAI.

“Identity is now the primary attack surface. When session hijacking can be packaged and sold as a subscription, the risk shifts from isolated incidents to systemic exposure.”

More Work Still to Do

TrendAI and other industry partners passed on crucial threat intelligence to law enforcement regarding Tycoon2FA infrastructure and campaigns. They assessed the primary operator to be a threat actor using the online identities “SaaadFridi” and “Mr_Xaad.”

However, with the perpetrator and many more like him still at large, security experts urged network defenders to build resilience against PhaaS.

TrendAI recommended that organizations: