
Tycoon2FA Phishing-as-a-Service Takedown

3 unique sources, 5 articles

Summary

Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform that bypassed MFA using adversary-in-the-middle techniques, resumed operations at pre-disruption levels within days of a March 4, 2026 global takedown, despite initial reductions in campaign volumes. The platform, active since August 2023, offered subscription-based access for bypassing multi-factor authentication, targeting major services like Microsoft 365 and Google. It was linked to over 64,000 phishing incidents and facilitated unauthorized access to nearly 100,000 organizations globally by mid-2025. The primary operator, identified as 'SaaadFridi' and 'Mr_Xaad,' remains at large. The platform’s infrastructure relied on adversary-in-the-middle techniques, AI-generated decoy pages, and short-lived domains to evade detection, while customers employed tactics like ATO Jumping to distribute phishing URLs. The takedown involved Europol’s EC3 and law enforcement from six European countries. Following the disruption, Tycoon2FA rapidly recovered to pre-disruption operational levels, with daily campaign volumes returning to early 2026 levels by March 6. Post-compromise activities included business email compromise (BEC), email thread hijacking, cloud account takeovers, and malicious SharePoint links. Old infrastructure remained active after the disruption, while new phishing domains and IP addresses were registered quickly. Operators continued using unchanged TTPs, including compromised domains, legitimate cloud services, and IPv6-based automated logins, underscoring the resilience of the PhaaS model without arrests or physical seizures.

Timeline

  1. 04.03.2026 18:00 · 5 articles

    Global Takedown of Tycoon2FA Phishing-as-a-Service

    A global operation led by Microsoft and Europol, supported by multiple industry partners, seized infrastructure linked to the Tycoon2FA phishing-as-a-service (PhaaS) operation. Over 330 domains were seized, and the primary operator, identified as using the online identities 'SaaadFridi' and 'Mr_Xaad,' remains at large. The operation was coordinated by Europol and involved law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom. The investigation began after intelligence was shared by Trend Micro. Tycoon2FA was linked to over 64,000 phishing incidents and facilitated unauthorized access to nearly 100,000 organizations globally. Following the takedown, Tycoon2FA rapidly recovered to pre-disruption operational levels within days. Initial disruption reduced daily campaigns to 25% of pre-disruption levels, but operators quickly restored operations using compromised domains, legitimate cloud services, IPv6-based automated logins, and AI-generated decoy pages. CrowdStrike observed at least 30 suspected Tycoon2FA-enabled phishing incidents between March 4 and March 6. The platform resumed activity with largely unchanged tactics, techniques, and procedures (TTPs), supporting a diverse set of illegal activities, including business email compromise (BEC), email thread hijacking, cloud account takeovers, and malicious SharePoint links. Post-compromise activities observed include the creation of inbox rules, hidden folders for fraud emails, and preparation for BEC operations. Old infrastructure remained active after the disruption, while new phishing domains and IP addresses were registered quickly following the law enforcement operation.

Similar Happenings

Darktrace Detects 32 Million Phishing Emails in 2025 as Identity Attacks Surge

Darktrace detected over 32 million high-confidence phishing emails in 2025, indicating a significant rise in identity-driven cyber threats. The report highlights the increasing sophistication of phishing tactics, including the use of newly created domains, malicious QR codes, and novel social engineering techniques. Identity compromise has overtaken vulnerability exploitation as the primary entry vector, with attackers leveraging stolen credentials and hijacked tokens to gain access. The report also reveals regional and sector-specific trends, with the Americas accounting for 47% of global security events and manufacturing being a major target for ransomware.

Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks

A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller runs a headless Chrome instance inside a Docker container that acts as a reverse proxy between the target and the legitimate site, serving genuine page content and making the kit difficult for security vendors to detect or block. It also integrates URL shorteners such as TinyURL to obscure the destination URL. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics. The platform centralizes infrastructure management, phishing page deployment, and session monitoring within a single control panel, combining URL masking, session hijacking, and MFA bypass to streamline phishing operations.

JokerOTP MFA phishing-as-a-service dismantled, third suspect arrested

The Netherlands Police arrested a 21-year-old man from Dordrecht for selling access to the JokerOTP phishing automation tool, which intercepts one-time passwords (OTPs) to hijack accounts. The arrest is part of a three-year investigation that led to dismantling the JokerOTP phishing-as-a-service (PhaaS) operation in April 2025. The service caused at least $10 million in financial losses across 28,000 attacks in 13 countries. The seller advertised access via Telegram, allowing cybercriminals to automate calls to victims and capture sensitive data. The tool targeted users of PayPal, Venmo, Coinbase, Amazon, and Apple. The investigation is ongoing, with dozens of buyers identified for prosecution.

AI-Driven Phishing Attacks Double in Volume Year-Over-Year

Phishing attacks detected in 2025 more than doubled compared with 2024, with one email caught every 19 seconds. AI technology is enabling threat actors to generate, test, and deploy phishing campaigns at scale, resulting in faster, more adaptive, and more convincing attacks. The rise includes polymorphic, multi-channel campaigns that continuously change their appearance while maintaining malicious intent. AI is helping threat actors compose emails in near-flawless local languages, contributing to an 18% rise in conversational phishing emails. Other trends include highly personalized campaigns, polymorphism by default, and a surge in the use of remote access tools (RATs). The .es TLD saw a 19-fold increase in use for credential phishing, making it the third-most abused domain. The report also noted a 204% increase in phishing emails delivering malware in 2025 compared with 2024.

Credential Theft and Account Compromise Surge in 2025

In 2025, cyber threat actors significantly increased their focus on credential theft, leading to a 389% rise in account compromise incidents, which constituted 55% of all attacks observed by eSentire. Credential access represented 75% of malicious activity, with two-thirds aimed at account takeovers and the remaining third used for phishing campaigns. Microsoft 365 accounts were primary targets. The use of phishing-as-a-service (PhaaS) kits, such as Tycoon2FA, FlowerStorm, and EvilProxy, fueled business email compromise (BEC) attacks. These kits are sophisticated, continuously updated, and designed to bypass modern security controls like multifactor authentication (MFA). While BEC attacks declined to less than 10% of malicious activity, they remained a top threat for companies, particularly in real estate, finance, retail, and construction. The report also highlighted a 14-fold increase in security incidents involving email bombing and IT Help Desk impersonation, a 300% spike in the ClickFix lure, and varying trends in cyber incidents across different industries.