Overview
- Security firms on Monday said Tycoon2FA is again operating at or near early 2026 levels.
- Europol, Microsoft and authorities in six countries seized 330 domains on March 4; activity briefly dropped to about 25% of its previous level on March 4–5.
- CrowdStrike reports the service still uses adversary-in-the-middle pages that steal session cookies after a CAPTCHA, with JavaScript that proxies logins and redirects through cloud services.
- The platform is powering business email compromise, thread hijacking, malicious SharePoint links, and cloud account takeovers that can lead to payroll or invoice fraud.
- Researchers saw new IPs and domains stand up within days and some old infrastructure still live, which underscores that takedowns without arrests are easy to bypass.