Find notable cyber news and cases, enriched with sources, timelines, and signals.

Europol-coordinated Tycoon2FA takedown

Law Enforcement
First reported
Last updated
Happening score
H score 76
1 unique sources, 2 articles

Summary

Hide ▲

Europol coordinated a law-enforcement operation that seized 330 domains tied to Tycoon2FA, disrupting a phishing-as-a-service platform used for credential theft and MFA bypass. Law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom carried out the infrastructure seizures with technical disruption support from Microsoft and other partners. The takedown matters because Tycoon2FA had been used to compromise accounts at nearly 100,000 organizations worldwide and to generate tens of millions of phishing messages each month. CrowdStrike later reported that the platform returned to pre-disruption activity levels within days, with campaign volume briefly falling to 25% of prior levels on March 4 and March 5, 2026 before rebounding.

Related Happenings

StealC and Amadey infostealer infrastructure disruption

Malware Activity
H score69 First: 24.06.2026 18:25 Last: 24.06.2026 18:25 Sources 1

About this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...

Operation Endgame takedown of Amadey and StealC infrastructure

Law Enforcement
H score66 First: 24.06.2026 18:02 Last: 24.06.2026 18:02 Sources 1

About this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...

Operation Endgame takedown of SocGholish and Evil Corp infrastructure

Law Enforcement
H score58 First: 18.06.2026 16:25 Last: 18.06.2026 16:25 Sources 1

About this happening: **International law enforcement** disrupted **SocGholish/FakeUpdates** infrastructure in **Operation Endgame** on **June 18**, cleaning **14,971 compromised WordPress websites** a...

DoJ Disruption Week crypto fraud takedown

Law Enforcement
H score46 First: 04.06.2026 09:06 Last: 04.06.2026 09:06 Sources 1

About this happening: Authorities **arrested** seven scammers in Thailand and disrupted a **crypto fraud** network tied to **Disruption Week**, expanding pressure on transnational scam operations targe...

TA4922 expanded European phishing-and-malware campaign

Campaign
H score40 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...

Timeline

  1. 23.03.2026 23:52 1 articles · 3mo ago

    Tycoon2FA campaign activity rebounds after Europol takedown

    Campaign Scope Update

    CrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.

    Show sources
  2. 04.03.2026 19:01 2 articles · 4mo ago

    Europol disrupts Tycoon2FA phishing service

    Initial Disclosure

    Europol coordinated an international law-enforcement operation on 2026-03-04 that disrupted Tycoon2FA, seized 330 domains tied to its backbone infrastructure, and took control panels and phishing pages offline with support from Microsoft, Trend Micro, Cloudflare, Coinbase, Intel471, Proofpoint, Shadowserver Foundation, and SpyCloud. The platform had been active since at least August 2023, used adversary-in-the-middle reverse proxy techniques to steal credentials and session cookies, impersonated Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail sign-in pages, and was used to bypass MFA and compromise nearly 100,000 organizations worldwide.

    Show sources