Disruption targets Tycoon 2FA, popular AiTM PhaaS
Proofpoint, Wednesday, March 4th, 2026
Tycoon 2FA operates as an AiTM phishing kit. Its primary function is to harvest usernames, passwords, and Microsoft 365 and Gmail session cookies. Attackers use these cookies to circumvent multifactor authentication (MFA) access controls during subsequent authentication. That allows them to achieve full account takeover (ATO) and gain unauthorized access to a user's accounts, systems and cloud services, even those that have MFA as an additional security measure.
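The replay described above leaves a trace a defender can look for: a session established after an MFA challenge that is later presented from a different client. The following is an added example, not Proofpoint's or the kit's code; it runs over constructed sign-in records, and the field names (`session_id`, `mfa_satisfied`, etc.) are assumptions to map onto your identity provider's audit log schema.

```python
"""Flag session-cookie replay of the kind an AiTM phishing kit enables.

Added example (not Proofpoint's code). Each constructed record describes one
use of a session cookie. A session is bound to the client (IP, user agent)
seen when MFA was completed; a later use of the same cookie from a client
that differs in BOTH fields, with no new MFA event, is reported.
Requiring both fields to differ keeps mobile IP churn from alerting alone.
"""

# Constructed sample: alice passes MFA from one host, then her cookie is
# presented from another host/browser without any new MFA event.
SAMPLE_EVENTS = [
    {"ts": 1, "user": "alice", "session_id": "S1", "ip": "203.0.113.10",
     "user_agent": "Chrome/122", "mfa_satisfied": True},
    {"ts": 2, "user": "alice", "session_id": "S1", "ip": "203.0.113.10",
     "user_agent": "Chrome/122", "mfa_satisfied": False},   # normal reuse
    {"ts": 3, "user": "alice", "session_id": "S1", "ip": "198.51.100.7",
     "user_agent": "Firefox/123", "mfa_satisfied": False},  # replayed cookie
    {"ts": 4, "user": "bob", "session_id": "S2", "ip": "192.0.2.5",
     "user_agent": "Edge/121", "mfa_satisfied": True},
]


def find_replayed_sessions(events):
    """Return (user, session_id, ip, user_agent) tuples for every event in
    which an MFA-established session is presented from a new IP and UA."""
    origin = {}   # session_id -> (ip, user_agent) recorded at MFA completion
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        client = (ev["ip"], ev["user_agent"])
        if ev["mfa_satisfied"]:
            origin[sid] = client          # (re)bind the session to this client
            continue
        bound = origin.get(sid)
        if bound is None:
            continue                      # session never seen completing MFA
        if bound[0] != client[0] and bound[1] != client[1]:
            alerts.append((ev["user"], sid, ev["ip"], ev["user_agent"]))
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print("possible session replay:", alert)
```

In a real deployment the session identifier would be a hash of the cookie or the IdP's session ID field, and an alert should trigger session revocation and a forced re-authentication rather than just a log line.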
Tycoon 2FA is one of the most popular phishing-as-a-service (PhaaS) platforms currently used by threat actors, and the highest-volume adversary-in-the-middle (AiTM) phishing threat in Proofpoint data.
Tycoon 2FA infrastructure was disrupted by public and private partners, including Proofpoint, Microsoft, Europol, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Resecurity, The Shadowserver Foundation, SpyCloud, TrendAI, and additional European law enforcement partners.
The Tycoon 2FA disruption and associated lawsuit naming the creator will have a significant impact on Tycoon 2FA, related infrastructure, and threat actor activity.
Proofpoint was proud to assist in the law enforcement and private sector investigations into Tycoon 2FA activity and supported Microsoft's action with data, including malicious domains and information related to Tycoon 2FA campaigns.