# The Rise and Fall of Tycoon 2FA: A Phishing Kit That Bypassed MFA
In a shocking turn of events, one of the world's most prolific phishing-as-a-service platforms, Tycoon 2FA, has been dismantled in a coordinated public-private operation between law enforcement agencies and cybersecurity industry partners. This platform was designed specifically to help fraudsters hack into accounts defended by multi-factor authentication (MFA) and steal session cookies, leaving tens of millions of fraudulent emails and thousands of confirmed victims worldwide.
While enabling MFA on your Microsoft 365 or Gmail account is recommended and hardens your security against hackers, it does not make it impossible for you to be breached. Tycoon 2FA's key trick was how it could bypass MFA by sitting between the victim and the legitimate service. A fake website that looked identical to the real one didn't just collect a victim's login credentials – it immediately forwarded them to the real site in real time, acting as a transparent proxy. This allowed the attacker to obtain a fully authenticated session.
For a starting price of roughly $120 per month, Tycoon 2FA's customers gained access via private Telegram channels to an off-the-shelf phishing kit, allowing even those with limited technical expertise to run sophisticated account-takeover campaigns at scale. By mid-2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts blocked by Microsoft, including more than 30 million emails in a single month.
Healthcare and education organizations were particularly targeted, with over 100 members of the threat-sharing group Health-ISAC reporting being hit hard. In New York alone, at least two hospitals, six municipal schools, and three universities faced attempted or successful compromise – causing disruption and delays to patient care and operations.
Acting under a US court order, Microsoft seized 330 active domains powering Tycoon 2FA's core infrastructure. Meanwhile, law enforcement authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the UK also seized infrastructure used by the criminal operation. Tech firm Cloudflare went further, announcing that it has banned thousands of domains and Workers projects, suspended related accounts, and erased all associated Workers scripts – blocking the kit's proxy functionality at the edge.
For domains that could not be legally seized due to local law enforcement agencies being non-cooperative, Cloudflare deployed warning pages to block victims attempting to access phishing links. While it's a good thing that one of the most dangerous phishing platforms in existence has been taken offline, it must be remembered that the cybercrime industry abhors a vacuum, and chances are that other criminal operators will fill the void quickly.
This incident highlights an important lesson: not all MFA is created equal. We have in the past encouraged users not to rely solely on SMS-based multi-factor authentication because of SIM-swapping attacks, in which fraudsters divert login codes to phones under their own control. Tycoon-style proxy attacks, meanwhile, are much more difficult for fraudsters to pull off if users have protected their accounts with hardware security keys or passkeys.
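To make that contrast concrete, here is a small simulation added to this article (it is not code from the article, from Microsoft, or from any vendor): a one-time code relayed through a proxy is accepted by the real site, while a passkey assertion the browser signed for the proxy's origin is rejected by the real site's origin check. The origins, seeds and the HMAC that stands in for the passkey's key pair are constructed for the illustration.

```python
import hashlib, hmac, json, os, struct

# Constructed values for the simulation (not from the article).
RP_ORIGIN = "https://login.legit.example"        # the real service
PROXY_ORIGIN = "https://login.legit-example.com"  # the attacker's reverse proxy
CRED_SECRET = b"constructed-passkey-secret"       # HMAC stands in for the passkey's private key
OTP_SEED = b"constructed-otp-seed"

def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP: a code that carries no information about where it was typed."""
    mac = hmac.new(seed, struct.pack(">Q", counter), "sha1").digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000)

def rp_verify_otp(code: str, counter: int) -> bool:
    return hmac.compare_digest(code, hotp(OTP_SEED, counter))

def authenticator_sign(challenge: bytes, browser_origin: str) -> dict:
    """The browser records the origin it is actually talking to; the user cannot override it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    sig = hmac.new(CRED_SECRET, hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"client_data": client_data, "sig": sig}

def rp_verify_passkey(challenge: bytes, assertion: dict) -> bool:
    """Server-side checks: signature over the client data, fresh challenge, expected origin."""
    expected = hmac.new(CRED_SECRET, hashlib.sha256(assertion["client_data"]).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    cd = json.loads(assertion["client_data"])
    return cd["challenge"] == challenge.hex() and cd["origin"] == RP_ORIGIN

def aitm_relay_otp(counter: int) -> bool:
    """Proxy scenario: the victim types the code on the fake page; the proxy forwards it unchanged."""
    code_typed_on_fake_page = hotp(OTP_SEED, counter)       # victim reads it from their phone
    return rp_verify_otp(code_typed_on_fake_page, counter)  # accepted: nothing binds it to an origin

def aitm_relay_passkey(tamper: bool = False) -> bool:
    """Proxy scenario: the real site's challenge is relayed to the victim, whose browser signs for PROXY_ORIGIN."""
    challenge = os.urandom(32)                               # issued by the real site to the proxy's session
    assertion = authenticator_sign(challenge, PROXY_ORIGIN)
    if tamper:  # proxy rewrites the origin field; the signature then no longer matches the client data
        assertion["client_data"] = assertion["client_data"].replace(PROXY_ORIGIN.encode(), RP_ORIGIN.encode())
    return rp_verify_passkey(challenge, assertion)           # rejected either way

def direct_passkey_login() -> bool:
    """Normal login straight to the real site: origin matches, assertion accepted."""
    challenge = os.urandom(32)
    return rp_verify_passkey(challenge, authenticator_sign(challenge, RP_ORIGIN))
```

In a real deployment the browser additionally refuses to use a passkey on a domain outside its registered RP ID, so the proxy never even receives an assertion; the simulation shows the server-side origin check that catches it regardless.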
In conclusion, the dismantling of Tycoon 2FA marks a significant victory in the fight against cybercrime. However, it's crucial that users and organizations remain vigilant and take proactive measures to protect themselves from future phishing attempts. By staying informed about emerging threats and using robust security measures, we can reduce the risk of falling victim to these types of attacks.