Tycoon 2FA Takedown: Coinbase, Microsoft & Europol Trace Phishing-as-a-Service on Blockchain

Coinbase, Microsoft and Europol have dismantled a major phishing-as-a-service operation known as Tycoon 2FA, using blockchain tracing and cross-border cooperation to help identify the platform’s alleged administrator and multiple customers. Tycoon 2FA operated as a subscription toolkit that let criminals intercept live authentication sessions and capture session cookies—effectively bypassing multi-factor authentication and granting unauthorised access to accounts even when extra security layers were in place. According to Europol, the service was active since at least 2023 and by mid-2025 accounted for nearly 62% of the phishing attempts Microsoft blocked. Coinbase says it traced blockchain-based transactions tied to Tycoon, information that aided law enforcement in locating those behind the service and some of its users. “We’re actively working to identify Tycoon purchasers and will continue supporting law enforcement efforts focused on the people who bought and used this service to target victims,” Coinbase added. The platform operated at scale: Europol estimates Tycoon generated tens of millions of phishing emails each month and enabled unauthorised access to almost 100,000 organisations worldwide, including schools, hospitals and public institutions. The disruption marks a significant tactical win against a pervasive criminal service. Despite an overall fall in phishing losses—reported as an 83% decline in 2025 versus the previous year—attackers are shifting toward more sophisticated blockchain-related exploits. Security researchers highlight techniques tied to EIP-7702, Permit and Permit2 signatures, and transfer-based attacks. CertiK additionally noted that phishing remained the third most costly attack vector in 2025. The takedown underscores two takeaways for the crypto ecosystem: chain-analysis can be a powerful tool for tracing funds and disrupting cybercriminal services, and defenders must stay ahead of increasingly complex, blockchain-native phishing and signature-exploit methods. Read more AI-generated news on: undefined/news