Tycoon 2FA Disrupted After Microsoft, Coinbase and Europol Action
Context and Chronology
A joint operation combining public law enforcement and private technology firms removed critical nodes belonging to Tycoon 2FA, a widely used phishing-as-a-service platform. As part of the action, Microsoft blocked 330 domains while investigators seized core infrastructure and followed payment trails to identify a suspect administrator. Coinbase traced blockchain flows tied to the platform's financing, yielding attribution leads that narrowed the investigation. The coalition model paired cloud-provider domain takedowns with financial forensics to put sustained operational pressure on the service and its customer base.
Technically, the platform paired high-fidelity impersonation pages with an adversary-in-the-middle reverse proxy: the kit relayed the victim's login to the real identity provider in real time and captured the session cookie and tokens issued once the second factor had been satisfied. That combination turned ordinary credential phishing into a reliable mechanism for account takeover, business email compromise and targeted financial fraud, because an attacker who replays the captured cookie is treated as the already-authenticated user and is never challenged for the second factor again for the life of that session. The bypass works against one-time codes and push approvals but not against phishing-resistant methods such as FIDO2 security keys or passkeys, whose credentials are bound to the legitimate origin and cannot be relayed through a proxy domain. Defenders now have clearer forensic artifacts linking domain infrastructure, phishing kits and on-chain payments.
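The detection a practitioner wants against this technique is not "was the password phished" but "was an MFA-validated session later presented from somewhere else". The following is an added example, not code from the article or from Microsoft, Coinbase or Europol. It runs over constructed sign-in events (the field names ts, user, session, ip, ua and event are assumptions, modelled loosely on a cloud identity provider's sign-in log) and flags a session whose cookie is reused from a different IP and a different user agent shortly after the MFA login, which is what a cookie captured by an AiTM proxy and replayed from the attacker's machine looks like in telemetry.

```python
"""Detect suspected session-cookie replay after an AiTM phishing login.

Added example, not code from the article or from any vendor. Field names
are assumptions modelled loosely on a cloud IdP sign-in log.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Session s-1 passes MFA from
# one client, then the same session is used minutes later from a different
# IP and browser: the signature of a cookie relayed through an AiTM proxy and
# replayed by the attacker. Session s-2 only changes IP under the same
# browser, which is normal for a mobile user whose carrier rotates addresses.
SAMPLE_LOG = """\
{"ts": "2025-09-01T08:00:00Z", "user": "alice@example.test", "session": "s-1", "ip": "203.0.113.10", "ua": "Firefox/128", "event": "mfa_success"}
{"ts": "2025-09-01T08:00:05Z", "user": "alice@example.test", "session": "s-1", "ip": "203.0.113.10", "ua": "Firefox/128", "event": "resource_access"}
{"ts": "2025-09-01T08:03:10Z", "user": "alice@example.test", "session": "s-1", "ip": "198.51.100.7", "ua": "Chrome/129", "event": "resource_access"}
{"ts": "2025-09-01T09:00:00Z", "user": "bob@example.test", "session": "s-2", "ip": "192.0.2.44", "ua": "Safari/17", "event": "mfa_success"}
{"ts": "2025-09-01T09:20:00Z", "user": "bob@example.test", "session": "s-2", "ip": "192.0.2.45", "ua": "Safari/17", "event": "resource_access"}
"""

# How long after the MFA login a reuse from elsewhere still counts as replay.
REPLAY_WINDOW = timedelta(hours=1)


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() in older Pythons rejects a trailing 'Z', so map it.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_session_replays(events: list[dict]) -> list[dict]:
    """Return one finding per event that reuses an MFA-validated session
    from a new IP *and* a new user agent within REPLAY_WINDOW.

    Requiring both to change is the usual trade-off: IP-only rules drown in
    carrier NAT churn, UA-only rules miss attackers who copy the victim's UA.
    """
    origin: dict[str, dict] = {}   # session id -> the event that passed MFA
    findings: list[dict] = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            origin.setdefault(sid, ev)   # keep the first MFA event per session
            continue
        base = origin.get(sid)
        if base is None:
            continue  # no MFA event seen for this session; out of scope here
        if (ev["ip"] != base["ip"]
                and ev["ua"] != base["ua"]
                and ev["ts"] - base["ts"] <= REPLAY_WINDOW):
            findings.append({
                "user": ev["user"],
                "session": sid,
                "mfa_ip": base["ip"],
                "replay_ip": ev["ip"],
                "seconds_after_mfa": int((ev["ts"] - base["ts"]).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_session_replays(parse_events(SAMPLE_LOG)):
        print(f"suspected replay: {f['user']} session {f['session']} "
              f"MFA from {f['mfa_ip']} reused from {f['replay_ip']} "
              f"{f['seconds_after_mfa']}s later; revoke the session")
```

On the sample above only alice's session is flagged; bob's IP change under the same browser is ignored. In a real deployment the response to a hit is to revoke the session and refresh tokens and reset the password, not just to alert, and the UA test should be backed by something the attacker cannot copy from the phishing page, such as device or token binding, since a careful operator will reuse the victim's user-agent string.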
The takedown comes against a backdrop of outsized influence: security telemetry tied the platform to a dominant share of blocked phishing activity in 2025, including tens of millions of malicious messages in peak months. Industry monitors have repeatedly flagged phishing as a leading loss vector for crypto holders and service customers, which makes the attacker supply chain a priority target for disruption. The event strengthens the case for private-public partnerships as a playbook for degrading commoditized cybercrime offerings, while also exposing their limits around persistence (operators can re-register domains and rebuild infrastructure) and jurisdictional reach. For detailed official context see the Europol release.