Cybercriminals behind Tycoon2FA, a phishing-as-a-service (PhaaS) platform, have started going after cloud accounts again with almost full force, even though law enforcement took down the platform on March 4, 2026. Europol worked with authorities from six other countries to seize 330 domains that were the backbone of the platform's infrastructure. This was one of the most visible attempts to shut down a subscription-based crimeware service.
But operators had already started to rebuild their businesses on the same day the announcement was made, showing how resilient this threat has become.
Tycoon2FA first showed up in 2023 as a subscription-based toolkit that hackers could use to get around multifactor authentication (MFA) protections.
The platform uses adversary-in-the-middle (AITM) methods to sit between a victim and a real login page and grab live authentication sessions as they happen.
Businesses should not treat MFA as the last line of defense. Security teams should watch for unusual inbox rule creation and hidden folder activity in Microsoft Exchange, which are common early signs of business email compromise (BEC) staging.
Employees need regular training to be able to spot phishing emails that come through trusted platforms or URL shorteners. Companies should use conditional access policies that flag logins from unusual IPv6 ranges or unexpected locations. It is still very important to monitor DNS resolution activity and cloud authentication logs so that Tycoon2FA-related intrusions are found as soon as they happen.
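
The log review described above, as an added example that is not part of the original article: Python that correlates sign-ins from outside an expected address range with mail-hiding inbox rules created soon afterward. The record layout, the expected networks, the 24-hour window and the list of quiet folders are assumptions, and all sample records are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: networks this tenant expects sign-ins from (documentation prefixes).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("2001:db8:10::/48", "192.0.2.0/24")]
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}  # Exchange audit operations for rule changes
# Assumption: folders a mailbox owner rarely opens, so mail moved there goes unseen.
QUIET_FOLDERS = {"rss feeds", "conversation history", "archive"}
WINDOW = timedelta(hours=24)  # assumption: how long after the sign-in a rule still counts

# Constructed sample records with simplified field names (not a real log export).
SIGNINS = [
    {"time": "2026-03-10T08:02:00", "user": "alice@example.com", "ip": "2001:db8:10::25"},
    {"time": "2026-03-10T09:15:00", "user": "bob@example.com", "ip": "2001:db8:ffff::1"},
    {"time": "2026-03-10T09:40:00", "user": "carol@example.com", "ip": "2001:db8:ffff::7"},
]
AUDIT = [
    {"time": "2026-03-10T08:30:00", "user": "alice@example.com", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Projects"}},
    {"time": "2026-03-10T09:21:00", "user": "bob@example.com", "op": "New-InboxRule",
     "params": {"SubjectContainsWords": "invoice", "MoveToFolder": "RSS Feeds",
                "MarkAsRead": "True"}},
]

def is_unexpected(ip):
    """True when the address falls outside every expected network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in EXPECTED_NETS)

def hides_mail(params):
    """True when a rule deletes mail, marks it read, or files it in a quiet folder."""
    if params.get("DeleteMessage") == "True" or params.get("MarkAsRead") == "True":
        return True
    return params.get("MoveToFolder", "").lower() in QUIET_FOLDERS

def find_suspect_rules(signins, audit):
    """Return (user, ip, rule_time) for mail-hiding rules created within WINDOW
    after that user signed in from an unexpected address."""
    odd = [(s["user"], datetime.fromisoformat(s["time"]), s["ip"])
           for s in signins if is_unexpected(s["ip"])]
    hits = []
    for rec in audit:
        if rec["op"] not in RULE_OPS or not hides_mail(rec["params"]):
            continue
        made = datetime.fromisoformat(rec["time"])
        for user, seen, ip in odd:
            if user == rec["user"] and timedelta(0) <= made - seen <= WINDOW:
                hits.append((user, ip, rec["time"]))
    return hits
```

In this sample, carol's sign-in is outside the expected networks but has no matching rule, so it is not returned by the correlation and would need its own review from the sign-in data.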












