Europol, in collaboration with Coinbase, Microsoft, and other tech companies, has shut down the Tycoon 2FA service, which provided phishing software.
Domain placeholder for Tycoon. Source: Europol.
Active since at least August 2023, Tycoon was one of the largest distributors of data theft tools. According to law enforcement, Tycoon accounted for approximately 62% of all phishing attacks blocked by Microsoft.
The platform's tools allowed cybercriminals to create convincing clones of original websites and intercept 2FA passwords by accessing cookies.
As part of their collaboration with Europol, fintech firms provided "technical expertise and infrastructure analysis."
In a separate press release, Coinbase detailed its role in the operation. The cryptocurrency exchange tracked payment channels that funded Tycoon.
"Platforms offering phishing services operate like illegal software sales services: subscriptions, resellers, support, and regular income. Some of these payments are made through cryptocurrency, and blockchain transactions create leads for investigations that can help link operators, buyers, and the relevant infrastructure," company representatives noted.
Additionally, Coinbase helped identify the administrator of Tycoon, believed to be Pakistani Saad Friedi. Meanwhile, Microsoft filed a civil lawsuit that led to the seizure of key Tycoon domains.
Exchange representatives stated they would continue working to hold clients of the illegal platform accountable.
"When criminals cannot receive money and maintain their infrastructure, their 'business model' collapses," emphasized Coinbase.
It is worth noting that in 2025, the amount stolen through phishing attacks decreased by 83% to $83.85 million, according to data from SlowMist.