Europol-coordinated Tycoon2FA takedown
Law Enforcement
Summary
Hide ▲
Show ▼
Europol coordinated a law-enforcement operation that seized 330 domains tied to Tycoon2FA, disrupting a phishing-as-a-service platform used for credential theft and MFA bypass. Law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom carried out the infrastructure seizures with technical disruption support from Microsoft and other partners. The takedown matters because Tycoon2FA had been used to compromise accounts at nearly 100,000 organizations worldwide and to generate tens of millions of phishing messages each month. CrowdStrike later reported that the platform returned to pre-disruption activity levels within days, with campaign volume briefly falling to 25% of prior levels on March 4 and March 5, 2026 before rebounding.
Related Happenings
StealC and Amadey infostealer infrastructure disruption
Malware Activity
H score69
First: 24.06.2026 18:25
Last: 24.06.2026 18:25
Sources 1
About this happening:
**StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
StealC and Amadey infostealer infrastructure disruption
Malware ActivityAbout this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
Operation Endgame takedown of Amadey and StealC infrastructure
Law Enforcement
H score66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
Operation Endgame takedown of Amadey and StealC infrastructure
Law EnforcementAbout this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
Operation Endgame takedown of SocGholish and Evil Corp infrastructure
Law Enforcement
H score58
First: 18.06.2026 16:25
Last: 18.06.2026 16:25
Sources 1
About this happening:
**International law enforcement** disrupted **SocGholish/FakeUpdates** infrastructure in **Operation Endgame** on **June 18**, cleaning **14,971 compromised WordPress websites** a...
Operation Endgame takedown of SocGholish and Evil Corp infrastructure
Law EnforcementAbout this happening: **International law enforcement** disrupted **SocGholish/FakeUpdates** infrastructure in **Operation Endgame** on **June 18**, cleaning **14,971 compromised WordPress websites** a...
DoJ Disruption Week crypto fraud takedown
Law Enforcement
H score46
First: 04.06.2026 09:06
Last: 04.06.2026 09:06
Sources 1
About this happening:
Authorities **arrested** seven scammers in Thailand and disrupted a **crypto fraud** network tied to **Disruption Week**, expanding pressure on transnational scam operations targe...
DoJ Disruption Week crypto fraud takedown
Law EnforcementAbout this happening: Authorities **arrested** seven scammers in Thailand and disrupted a **crypto fraud** network tied to **Disruption Week**, expanding pressure on transnational scam operations targe...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Timeline
-
23.03.2026 23:52 1 articles · 3mo ago
Tycoon2FA campaign activity rebounds after Europol takedown
Campaign Scope UpdateCrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.
Show sources
- Tycoon2FA phishing platform returns after recent police disruption — www.bleepingcomputer.com — 23.03.2026 23:52
-
04.03.2026 19:01 2 articles · 4mo ago
Europol disrupts Tycoon2FA phishing service
Initial DisclosureEuropol coordinated an international law-enforcement operation on 2026-03-04 that disrupted Tycoon2FA, seized 330 domains tied to its backbone infrastructure, and took control panels and phishing pages offline with support from Microsoft, Trend Micro, Cloudflare, Coinbase, Intel471, Proofpoint, Shadowserver Foundation, and SpyCloud. The platform had been active since at least August 2023, used adversary-in-the-middle reverse proxy techniques to steal credentials and session cookies, impersonated Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail sign-in pages, and was used to bypass MFA and compromise nearly 100,000 organizations worldwide.
Show sources
- Europol-coordinated action disrupts Tycoon2FA phishing platform — www.bleepingcomputer.com — 04.03.2026 19:01
- Europol-coordinated action disrupts Tycoon2FA phishing platform — www.bleepingcomputer.com — 04.03.2026 19:01