Tycoon2FA phishing campaign resumes after takedown

Campaign
Happening score: 42
1 unique source, 1 article

Summary

Tycoon2FA has resumed a broad phishing campaign after a major takedown, and it is again compromising email accounts while bypassing MFA. The operation uses adversary-in-the-middle (AITM) interception to capture live sessions and push victims to decoy and credential-capture pages. CrowdStrike observed at least 30 suspected incidents between March 4 and March 6, showing the service rebounded quickly despite domain seizures.

Related Happenings

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

QR code phishing surged across email threats in Q1 2026

Target Trend
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

Operation PowerOff DDoS-for-hire takedown

Law Enforcement
First: 17.04.2026 09:40 Last: 17.04.2026 09:40 Sources 1

About this happening: Europol and partners in 21 countries carried out Operation PowerOff, disrupting a DDoS-for-hire/booter-service ecosystem. The coordinated action took down 53 domains, seized infra...

Latest development: 17.04.2026 14:30

Europol-led Operation PowerOff involved police and cybersecurity agencies from 21 countries and disrupted DDoS-for-hire infrastructure by taking down 53 domains, seizing databases linked to over three million criminal user accounts, removing over 100 advertising URLs, and arresting four people suspected of providing DDoS-for-hire services.

Timeline

  1. 23.03.2026 18:05 2 articles · 2mo ago

    Tycoon2FA resumes phishing activity after Europol takedown

    Campaign Scope Update

    Tycoon2FA resumed phishing activity after a Europol-coordinated takedown that seized 330 domains across six countries, and the platform quickly returned to early 2026 levels. CrowdStrike said Tycoon2FA continued to compromise email accounts and bypass multifactor authentication (MFA) using adversary-in-the-middle (AITM) interception, and it observed at least 30 suspected Tycoon2FA-enabled phishing incidents involving decoy and credential-capture pages, compromised domains, legitimate cloud-service redirection, IPv6 addresses tied to automated cloud logins, and AI-generated decoy pages.
