Coinbase and Microsoft have announced the disruption of Tycoon 2FA, a phishing-as-a-service platform that enabled threat actors to conduct large-scale credential theft and bypass multi-factor authentication (MFA).
The action involved legal proceedings, infrastructure takedowns, and cryptocurrency payment tracing, and was conducted in coordination with Europol and other industry partners.
Tycoon 2FA operated as a subscription-based criminal service, providing users with cloned login pages designed to mimic trusted platforms, including Microsoft 365. The platform combined two capabilities, including capturing usernames, passwords, and authentication codes at scale through convincing phishing pages, and stealing session tokens, the digital credentials that confirm a user has already authenticated, allowing attackers to access accounts without triggering MFA prompts. This combination made the platform a reliable entry point for account takeovers, business email compromise, invoice fraud, and follow-on social engineering attacks.
How the disruption was carried out
Coinbase's Global Intelligence team traced the cryptocurrency payment infrastructure used to fund Tycoon 2FA's operations. Phishing-as-a-service platforms typically function as commercial services with subscriptions, resellers, and recurring revenue, and blockchain transaction data provides investigative signals connecting operators, buyers, and related infrastructure.
Coinbase's analysis also supported attribution of the platform's administration to Saad Fridi, believed to be based in Pakistan. Microsoft filed a civil action and, pursuant to a court order, seized domains that hosted Tycoon 2FA's control panels and phishing pages. Those domains now display a court-authorised notice acknowledging the partners involved in the investigation, including Coinbase.
Coinbase has stated it is actively working to identify individuals who purchased and used the service, and will continue supporting law enforcement efforts targeting both the operator and its customer base.
Industry implications
The Tycoon 2FA case illustrates the industrialised nature of modern phishing infrastructure, in which criminal tools are offered as commercial services accessible to a broad range of threat actors. The use of cryptocurrency payment rails to fund such platforms has created a traceable financial layer that, in this instance, supported the broader investigation. Both Coinbase and Microsoft have indicated they will continue working with law enforcement and industry peers to identify operators and increase the operational cost of running phishing-as-a-service infrastructure.
