Europol-led seizure of Tycoon2FA domains
Law Enforcement
Summary
Europol and partners seized over 300 domains tied to Tycoon2FA, disrupting a phishing-as-a-service operation used for credential theft and MFA bypass. The takedown targeted infrastructure that helped criminals intercept live authentication sessions and access enterprise accounts at scale. The move matters because it removes a large part of the service’s delivery chain and raises the cost of continued abuse.
Related Happenings
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
Caller-as-a-Service scam ecosystem professionalizes underground fraud
Threat Actor Meta
First: 22.04.2026 17:01
Last: 22.04.2026 17:01
Sources 1
About this happening:
The **Caller-as-a-Service** scam ecosystem has become **highly professionalized and segmented**, making fraud easier to scale and harder to disrupt. Distinct operators now handle...
Vercel hit by network compromise
Incident
First: 19.04.2026 20:32
Last: 19.04.2026 20:32
Sources 1
About this happening:
Vercel disclosed unauthorized access to certain internal systems and said a limited subset of customers was affected, while services remained operational during the investigation...
Latest development: 21.04.2026 00:01
Vercel disclosed that attackers used a compromised OAuth token tied to a Vercel employee's Google Workspace account and access to Context.ai to reach some Vercel environments and environment variables that were not marked as sensitive, and the company said a limited subset of customers had Vercel credentials compromised and were told to rotate them. Vercel said sensitive environment variables were not known to be accessed and that it was working with Mandiant, other security firms, Context.ai, and law enforcement while keeping services operational; Context separately said it had identified and stopped an AWS breach last month and later learned the actor likely also compromised OAuth tokens for some consumer users.
Operation PowerOff DDoS-for-hire takedown
Law Enforcement
First: 17.04.2026 09:40
Last: 17.04.2026 09:40
Sources 1
About this happening:
Europol and partners in 21 countries carried out Operation PowerOff, disrupting a DDoS-for-hire/booter-service ecosystem. The coordinated action took down 53 domains, seized infra...
Latest development: 17.04.2026 14:30
Europol-led Operation PowerOff involved police and cybersecurity agencies from 21 countries and disrupted DDoS-for-hire infrastructure by taking down 53 domains, seizing databases linked to over three million criminal user accounts, removing over 100 advertising URLs, and arresting four people suspected of providing DDoS-for-hire services.
Timeline
- 04.03.2026 18:00 2 articles · 2mo ago
Europol-led takedown seizes Tycoon2FA domains
Legal Policy Action Update
Microsoft, Europol, and industry partners disrupted Tycoon2FA infrastructure and seized over 300 linked domains, cutting delivery channels used to intercept live authentication sessions and capture credentials, one-time passcodes, and active session cookies for MFA bypass and enterprise account access.
- Global Takedown Neutralizes Tycoon2FA Phishing Service — www.infosecurity-magazine.com — 04.03.2026 18:00
- 04.03.2026 18:00 1 article · 2mo ago
TrendAI details Tycoon2FA scale and suspected operators
Attribution Update
TrendAI described Tycoon2FA as a subscription-based phishing-as-a-service platform that had around 2,000 users and used more than 24,000 domains since its launch in August 2023, and investigators assessed the primary operator as the online identities "SaaadFridi" and "Mr_Xaad".
- Global Takedown Neutralizes Tycoon2FA Phishing Service — www.infosecurity-magazine.com — 04.03.2026 18:00