Coinbase, Microsoft, Europol, and others jointly shut down Tycoon 2FA phishing site

Coinbase announced Wednesday it was part of a coordinated effort to take down phishing-as-a-service giant Tycoon 2FA. The action was led by Microsoft, Europol, and ten other partners.

Tycoon was responsible for tens of millions of fraudulent emails reaching over 500,000 organizations each month across the world, according to the report. 

As a phishing-as-a-service, Tycoon enabled thousands of threat actors to steal credentials at scale and bypass multi-factor authentication by capturing session cookies/tokens. Having such access meant that attackers could exploit users’ accounts without triggering authentication prompts.

Campaigns from Tycoon primarily targeted email and online service accounts, especially from Microsoft 365, Outlook, and Gmail.

Microsoft, Coinbase, and others take down Tycoon 2FA

The site had up to 2,000 users and operated more than 24,000 domains since its launch in August 2023. 

Microsoft said it seized 330 active domains powering the site and its control panels, under a court order from the U.S. District Court for the Southern District of New York. Together, they also identified the primary developer to be Saad Fridi, based in Pakistan. 

Coinbase said it helped trace the crypto payments that funded Tycoon’s operation and supported the civil action to seize the domains. The exchange said efforts are still ongoing with law enforcement to pursue the people who bought and used the Tycoon phishing service.

“This was not a single phishing campaign. It was an industrialized service built to make MFA bypass accessible to thousands of criminals,” said Robert McArdle, Director for Cybercrime Research at TrendAITM, one of the partners. 

Crypto losses to phishing attack hit $83 million

Earlier in January, Chainalysis reported that crypto scams are becoming increasingly industrialized with the rise of phishing-as-a-service and other tools. 

Some of the phishing kits are bought for under $500, but at scale, they can lead to millions of dollars in losses.

“This modular, service-based approach is a force multiplier and allows even technically unsophisticated criminals to execute sophisticated phishing campaigns, substantially lowering the barrier to entry for cryptocurrency fraud,” Chainalysis wrote.

Up to 106,106 victims lost their cryptocurrency to phishing attacks last year, though the figure was a lot lower than the year before. According to Scam Sniffer, crypto users lost $83.85 million, marking an 83% decline from the compared to $494 million recorded in 2024.

Scam Sniffer found that phishing losses correlate with market activities. More losses were recorded in Q3, totaling $31 million, when ETH saw its strongest rally for the year, Cryptopolitan reported.

The smartest crypto minds already read our newsletter. Want in? Join them.