
How Did Europol and TrendAI Stop the Tycoon2FA MFA Bypass Platform?

What Does the Tycoon2FA Takedown Mean for the Future of MFA Security?

The Tycoon2FA Takedown

Europol recently seized and dismantled Tycoon2FA. This phishing-as-a-service platform helped criminals bypass multi-factor authentication (MFA) to conduct massive account takeovers. A global consortium of cybersecurity companies supported law enforcement during this operation. TrendAI™ Threat Intelligence directly contributed by tracking the infrastructure and attributing the platform to specific perpetrators.

Platform Mechanics and Scope

Tycoon2FA launched in August 2023 as a subscription-based toolkit built on adversary-in-the-middle techniques. The system intercepted usernames, passwords, and one-time passwords in real time. The platform also hijacked active authentication sessions to steal session cookies. Attackers reused these cookies to bypass MFA protections on global business accounts. Before the takedown, the platform hosted roughly 2,000 users and deployed over 24,000 domains targeting Microsoft 365.

Tracking the Core Operators

TrendAI™ researchers monitored the platform infrastructure and operator behavior over an extended period. Investigators successfully attributed the operation to a threat actor using the pseudonyms SaaadFridi and Mr_Xaad in November 2025. Security experts identified this individual as the primary developer and operator. Historical data indicated the actor transitioned from basic web defacement to developing industrial-scale phishing kits. TrendAI™ shared these crucial operational insights with Europol to orchestrate the seizure.

Supply Chain Disruption

Industrialized phishing platforms lower the technical barrier for cybercriminals. Identity compromise serves as the primary entry point for modern attacks. Criminals sell stolen credentials and session tokens on underground marketplaces to access brokers. Buyers leverage these stolen assets to execute business email compromise, data theft, and ransomware operations. Dismantling Tycoon2FA severely disrupted this ecosystem and protected countless potential victims.

Essential Security Measures

Organizations must recognize that standard MFA cannot prevent adversary-in-the-middle attacks: the proxy relays the one-time code and captures the session cookie issued after it. Companies should implement layered defenses to protect user identities.

  • Enforce strict conditional access policies and utilize phishing-resistant authentication methods.
  • Deploy advanced security tools to detect lateral phishing and corporate impersonation attempts.
  • Check URLs in real time and analyze web content to block fraudulent login portals.
  • Monitor identity risks continuously to neutralize anomalous session behavior immediately.
  • Educate personnel through regular phishing simulations and targeted security awareness training.
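As an added illustration of the "anomalous session behavior" check in the list above (example code written for this page, not code from the article, TrendAI or Europol): a small detector over constructed sign-in logs that flags a session cookie used from a different network and browser than the one present when MFA was satisfied, which is the pattern a replayed cookie stolen through an adversary-in-the-middle proxy produces. The log field names, weights and sample events are assumptions.

```python
import json

# Constructed sign-in/access events (not real telemetry); ts is seconds since start of day.
SAMPLE_LOG = """
{"ts": 0,    "user": "alice@example.com", "event": "signin", "session": "S1", "ip": "203.0.113.10", "asn": 64500, "ua": "Chrome/124 Windows", "mfa": true}
{"ts": 120,  "user": "alice@example.com", "event": "access", "session": "S1", "ip": "203.0.113.10", "asn": 64500, "ua": "Chrome/124 Windows"}
{"ts": 900,  "user": "alice@example.com", "event": "access", "session": "S1", "ip": "198.51.100.7", "asn": 64501, "ua": "Firefox/125 Linux"}
{"ts": 0,    "user": "bob@example.com",   "event": "signin", "session": "S2", "ip": "192.0.2.4",    "asn": 64502, "ua": "Safari/17 iPhone", "mfa": true}
{"ts": 3600, "user": "bob@example.com",   "event": "access", "session": "S2", "ip": "192.0.2.77",   "asn": 64502, "ua": "Safari/17 iPhone"}
{"ts": 50,   "user": "carol@example.com", "event": "access", "session": "S3", "ip": "198.51.100.9", "asn": 64501, "ua": "Chrome/124 Windows"}
"""


def parse_events(text):
    """One JSON object per line (assumed export format)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_session_replay(events, asn_weight=1, ua_weight=2, threshold=2):
    """Flag sessions used from a fingerprint that differs from the one bound at MFA sign-in.
    With the default weights a user-agent change alone alerts, an ASN change alone does
    not (mobile carriers re-address clients often), and both together alert."""
    issued = {}            # session id -> (asn, user agent) seen when MFA was satisfied
    unknown_reported = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "signin":
            if ev.get("mfa"):
                issued[sid] = (ev["asn"], ev["ua"])
            continue
        if sid not in issued:
            # Session in use without an MFA-satisfied sign-in in the log window: report once.
            if sid not in unknown_reported:
                unknown_reported.add(sid)
                alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                               "reasons": ["no_mfa_signin_seen"]})
            continue
        asn0, ua0 = issued[sid]
        reasons, score = [], 0
        if ev["asn"] != asn0:
            reasons.append("asn_changed"); score += asn_weight
        if ev["ua"] != ua0:
            reasons.append("user_agent_changed"); score += ua_weight
        if score >= threshold:
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_events(SAMPLE_LOG)):
        print(alert)
```

Because the proxy, not the victim, holds the session at issuance, the sign-in itself should also be compared against the user's usual networks; this block only covers the later replay step.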