A global crackdown dismantles Tycoon 2FA, a phishing platform that bypassed multi-factor authentication and fueled massive cyberattacks, as Coinbase, Microsoft, and Europol coordinate a sweeping effort to disrupt infrastructure behind widespread credential theft.
International coordination between technology firms and law enforcement is expanding to address cybercrime. Crypto exchange Coinbase (Nasdaq: COIN) shared on March 4 that it worked with Microsoft, Europol, and industry partners to disrupt Tycoon 2FA. In a separate announcement on the same day, Europol detailed the global operation targeting the phishing platform.
Coinbase stated:
“We partnered with Microsoft, Europol, and other industry partners to disrupt Tycoon 2FA (Tycoon), a phishing-as-a-service platform used to steal credentials and bypass MFA by capturing session tokens.”
MFA, or multi-factor authentication, is a security method that requires users to verify their identity using two or more factors, such as a password combined with a one-time code, authentication app approval, or hardware security key.
Europol’s European Cybercrime Centre (EC3) coordinated the international effort and facilitated intelligence sharing through its Cyber Intelligence Extension Programme, which connects private-sector analysts and investigators working on cross-border cybercrime cases.
Active since at least August 2023, Tycoon 2FA functioned as a subscription-based toolkit that enabled cybercriminals to intercept live authentication sessions and bypass multi-factor authentication protections. Investigators found the platform generated tens of millions of phishing emails each month and enabled unauthorized access to nearly 100,000 organizations worldwide, including schools, hospitals, and public institutions.
Noting that “By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft,” Europol detailed:
“As part of the disruption, 330 domains forming the core infrastructure of the criminal service, including phishing pages and control panels, were taken down.”
The technical disruption involved Microsoft and several private-sector partners, while law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom carried out seizures and enforcement actions coordinated through Europol. Additional organizations contributing to the investigation included Cloudflare, Intel 471, Proofpoint, Shadowserver Foundation, SpyCloud, and Trend Micro. Investigators also traced cryptocurrency payment flows linked to the platform’s funding and infrastructure.
Coinbase stressed: “Disruptions like this work best when they’re sustained. We’ll keep partnering with Microsoft, law enforcement, and industry peers to identify operators, raise the cost of running these services, and help prevent crypto from being used to fund cybercrime.”
The operation signals stronger collaboration between tech firms, crypto companies, and law enforcement to protect digital platforms and reduce cybercrime risks.
The phishing toolkit intercepted live login sessions and captured authentication tokens, allowing hackers to bypass multi-factor authentication.
Coinbase partnered with Microsoft, Europol, and security firms to track infrastructure, analyze crypto payment flows, and disrupt the phishing network.
Authorities and tech companies are sharing intelligence and resources to combat sophisticated cybercrime operations that operate across borders.