Trend Micro TrendAI has played a crucial role in the global takedown of Tycoon 2FA, a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA).
This operation was realised through extensive collaboration with Europol and various industry partners, including Cloudflare, Microsoft, and Proofpoint.
Launched in August 2023, Tycoon 2FA allowed cybercriminals to capture live authentication sessions using adversary-in-the-middle (AitM) techniques, providing them with real-time access to user credentials, one-time passcodes, and session cookies.
This capability effectively undermined the MFA protections relied upon by many enterprises, escalating the risk of large-scale account compromises.
At the time of its disruption, Tycoon 2FA boasted around 2,000 users and had utilised more than 24,000 domains, primarily targeting Microsoft 365 and other cloud services.
“This was not a single phishing campaign. It was an industrialised service built to make MFA bypass accessible to thousands of criminals. Identity is now the primary attack surface,” said Robert McArdle, director for cybercrime research at TrendAI. He emphasised that such operations shift the risk from isolated incidents to systemic vulnerabilities affecting numerous organisations.
The takedown operation illustrates the importance of coordinated intelligence sharing among law enforcement and private sector partners.
TrendAI had been monitoring Tycoon 2FA's infrastructure and operator behaviour over an extensive period, eventually linking the operation to individuals known as SaaadFridi and MrXaad. This intelligence was instrumental in supporting the collaborative enforcement action.
Despite this significant disruption, TrendAI cautions that threats persist. The nature of phishing-as-a-service operations means that the disruption of one service often leads to the emergence of others. Cybercriminals can resell harvested credentials on established criminal marketplaces, facilitating follow-up attacks such as business email compromise (BEC) and data theft.
As a response to this evolving threat landscape, TrendAI recommends several proactive strategies for organisations:
- Adopt phishing-resistant authentication: Move beyond traditional MFA to more robust authentication methods.
- Implement advanced security measures: Deploy email and collaboration security solutions capable of detecting lateral phishing and brand impersonation.
- Conduct continuous monitoring: Maintain vigilance over identity risk posture, acted upon with immediate response capabilities for anomalous behaviours.
- Use real-time inspection tools: Enable URL and web content inspection to identify fake login infrastructures effectively.
- Regular training and simulations: Conduct phishing simulation exercises to enhance employee awareness and reduce human risk factors.
“The disruption of Tycoon 2FA demonstrates the power of actionable intelligence in cybersecurity,” McArdle added.
“We will continue monitoring operators and the infrastructure used to perpetuate these services to safeguard our customers and increase the operational costs for those engaged in cybercrime.” Robert McArdle
