Overview
- Acting under a U.S. court order in the Southern District of New York, Microsoft seized 330 active domains in a Europol-coordinated operation, taking Tycoon 2FA’s control panels and phishing pages offline.
- By mid-2025 the platform accounted for about 62% of phishing Microsoft blocked, generated tens of millions of emails each month, reached over 500,000 organizations, and was linked to roughly 96,000 distinct victims.
- Microsoft and Health-ISAC filed a civil complaint naming alleged creator Saad Fridi, as investigators pursue additional leads on operators, customers and funding connected to the service.
- A coalition including TrendAI, Proofpoint, Cloudflare, Intel471, eSentire, Resecurity, SpyCloud, Shadowserver and Coinbase provided telemetry and blockchain forensics that mapped infrastructure and traced payments.
- Tycoon 2FA’s toolkit intercepted credentials, one-time codes and session cookies, letting attackers bypass MFA and retain access until the stolen sessions were revoked, which drove fresh guidance on phishing-resistant authentication and continuous identity monitoring.