Coinbase, Microsoft and Europol take down major phishing platform 'Tycoon 2FA'

Coinbase, Microsoft, Europol and other technology companies and law-enforcement agencies have worked together to disrupt the core infrastructure of the large-scale phishing platform 'Tycoon 2FA (Tycoon 2FA)'.

According to Cointelegraph on the 5th (local time), Europol said it worked with Microsoft to block 330 domains linked to Tycoon 2FA and seize related infrastructure.

Tycoon 2FA is a 'phishing-as-a-service' platform that provides tools capable of bypassing multi-factor authentication (MFA). It has been used by attackers to create login pages resembling legitimate websites to steal users' account credentials.

Coinbase supported the investigation by helping trace blockchain transactions. It reportedly analyzed the flow of virtual-asset (coin) transactions used to operate Tycoon 2FA, assisting in identifying the platform's administrators and users.

Coinbase said that disrupting Tycoon's core infrastructure can cut off key channels for credential theft and initial access attacks, adding that criminal groups would have to incur greater costs and take on more risk to rebuild their infrastructure.

Steven Masada, deputy general counsel at Microsoft's Digital Crimes Unit, said Tycoon 2FA is a major phishing platform that has been active since at least 2023, adding that as of mid-2025, 62% of the phishing attacks Microsoft blocked were linked to the platform.

He added that more than 30 million phishing emails were sometimes distributed in a single month, describing Tycoon 2FA as one of the world's largest phishing operations.