On March 4, 2026, Europol and its partners around the world said that Tycoon2FA, a major phishing-as-a-service platform, had been technically shut down. This service let hackers get around multifactor authentication and break into cloud email accounts.
Authorities took control of 330 domains that formed the core of the platform's infrastructure. Even though the coordinated takedown was huge, cybersecurity researchers saw that the disruption was only temporary. Tycoon2FA activity quickly went back to normal after a brief drop to 25% of its normal campaign volume on March 4 and 5. This quick recovery shows how resilient modern cybercriminal operations are.
To defend against persistent phishing threats, companies need to monitor their cloud environments continuously and look for suspicious inbox rules.
Tycoon2FA can only keep operating by constantly changing its network of domains and hosting providers. Threat actors are using newly registered domains such as 811inboard[.]aeroprimelink[.]za[.]com, annotation[.]hanoufra[.]ltd, and awssecrets[.]saidiosea[.]dev. They are also abusing compromised third-party domains such as pass[.]aeroprime[.]co[.]uk and traelyst[.]dk. New M247 Europe SRL IPs, such as 2a0d:5600:8:2e:0:1:1d6e:ff40, are sending automated logins.
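
As an added illustration (not from the original article or from Europol), the sketch below correlates a sign-in from the IP address or hosting provider named above with an inbox rule created shortly afterwards on the same account. The event schema, the sample events, the 30-minute window and all function names are assumptions constructed for this example.

```python
import ipaddress
from datetime import datetime, timedelta

# Indicators taken from the article; everything else below is constructed.
WATCH_IPS = {ipaddress.ip_address("2a0d:5600:8:2e:0:1:1d6e:ff40")}
WATCH_ASN_ORGS = {"m247 europe srl"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"time": "2026-03-06T09:00:00", "user": "alice@example.com", "type": "signin",
     "ip": "2a0d:5600:0008:002e:0000:0001:1d6e:ff40"},  # same IP, expanded form
    {"time": "2026-03-06T09:04:00", "user": "alice@example.com",
     "type": "inbox_rule_created", "rule_name": "."},
    {"time": "2026-03-06T10:00:00", "user": "bob@example.com", "type": "signin",
     "ip": "198.51.100.7", "asn_org": "Example Office ISP"},
    {"time": "2026-03-06T10:02:00", "user": "bob@example.com",
     "type": "inbox_rule_created", "rule_name": "Newsletters"},
    {"time": "2026-03-06T11:00:00", "user": "carol@example.com", "type": "signin",
     "ip": "2001:db8::5", "asn_org": "M247 Europe SRL"},
    {"time": "2026-03-06T13:00:00", "user": "carol@example.com",
     "type": "inbox_rule_created", "rule_name": "Archive"},  # outside the window
]

def is_watched(event):
    """True if the sign-in came from a watched IP or hosting provider."""
    try:
        ip = ipaddress.ip_address(event.get("ip", ""))
    except ValueError:
        ip = None  # missing or malformed address: fall back to the ASN check
    return ip in WATCH_IPS or event.get("asn_org", "").lower() in WATCH_ASN_ORGS

def find_suspect_rules(events, window=WINDOW):
    """Return (user, rule_name, source_ip) for rules created soon after a watched sign-in."""
    last_watched = {}  # user -> (time, ip) of the latest watched sign-in
    hits = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "signin" and is_watched(ev):
            last_watched[ev["user"]] = (when, ev.get("ip"))
        elif ev["type"] == "inbox_rule_created" and ev["user"] in last_watched:
            seen, ip = last_watched[ev["user"]]
            if when - seen <= window:
                hits.append((ev["user"], ev["rule_name"], ip))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_rules(EVENTS):
        print(hit)
```

Parsing addresses with `ipaddress` rather than comparing strings means the expanded and compressed spellings of the same IPv6 address both match the watch list.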












