Europol-coordinated Tycoon2FA takedown
Law Enforcement
Summary
Europol coordinated a law-enforcement operation that seized 330 domains tied to Tycoon2FA, disrupting a phishing-as-a-service platform used for credential theft and MFA bypass. Law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom carried out the infrastructure seizures with technical disruption support from Microsoft and other partners. The takedown matters because Tycoon2FA had been used to compromise accounts at nearly 100,000 organizations worldwide and to generate tens of millions of phishing messages each month. CrowdStrike later reported that the platform returned to pre-disruption activity levels within days, with campaign volume briefly falling to 25% of prior levels on March 4 and March 5, 2026 before rebounding.
Related Happenings
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal Action
First: 19.05.2026 18:00
Last: 19.05.2026 18:00
Sources 1
About this happening:
Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
QR code phishing surged across email threats in Q1 2026
Target Trend
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
Timeline
- 23.03.2026 23:52 · 1 article
Tycoon2FA campaign activity rebounds after Europol takedown
Campaign Scope Update: CrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.
Sources:
- Tycoon2FA phishing platform returns after recent police disruption — www.bleepingcomputer.com — 23.03.2026 23:52
- 04.03.2026 19:01 · 2 articles
Europol disrupts Tycoon2FA phishing service
Initial Disclosure: Europol coordinated an international law-enforcement operation on March 4, 2026 that disrupted Tycoon2FA, seized 330 domains tied to its backbone infrastructure, and took control panels and phishing pages offline with support from Microsoft, Trend Micro, Cloudflare, Coinbase, Intel471, Proofpoint, Shadowserver Foundation, and SpyCloud. The platform had been active since at least August 2023, used adversary-in-the-middle reverse proxy techniques to steal credentials and session cookies, impersonated Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail sign-in pages, and was used to bypass MFA and compromise nearly 100,000 organizations worldwide.
Sources:
- Europol-coordinated action disrupts Tycoon2FA phishing platform — www.bleepingcomputer.com — 04.03.2026 19:01