How Hackers Bypassed MFA With A $120 Phishing Kit - Until A Global Takedown Shut It Down
Bitdefender, Friday, March 6th, 2026
In a co-ordinated public-private operation between law enforcement agencies and cybersecurity industry partners one of the world's most prolific phishing-as-a-service platforms has been dismantled.
First appearing in August 2023, Tycoon 2FA was designed specifically to help fraudsters hack into accounts defended by multi-factor authentication and steal session cookies, and was responsible for tens of millions of fraudulent emails and almost tens of thousands of confirmed victims around the world.
What many computer users do not realise is that although enabling multi-factor authentication (MFA) on their Microsoft 365 or Gmail accounts is recommended and hardens their security against hackers, it does not make it impossible for them to be breached.