Dismantling a Global Phishing Network
Coinbase, Microsoft, and Europol executed a coordinated takedown of the Tycoon 2FA phishing network on March 4, 2026, dismantling its core infrastructure by seizing 330 associated domains that were crucial to its credential-theft operations.
This operation, which involved law enforcement from multiple countries, including Lithuania, Latvia, Spain, Poland, Portugal, and the UK, highlighted the escalating partnership between technology companies and governmental agencies in combating cybercrime. The multi-faceted phishing operation, active since at least August 2023, was designed to circumvent multi-factor authentication (MFA) using adversary-in-the-middle attacks.
Rapid Growth of Tycoon 2FA
Tycoon 2FA became notorious for its scale and reach, generating millions of fraudulent emails each month and targeting nearly 100,000 organizations worldwide, including educational institutions and healthcare facilities. According to Microsoft, it accounted for approximately 62% of phishing attempts thwarted by its systems by mid-2025, marking it as a significant threat in cyberspace.
Operated on a subscription model, Tycoon 2FA was accessible to up to 2,000 users and had more than 24,000 domains registered as part of its infrastructure. Subscribers paid as little as $120 for access to this illicit service, which had reportedly received over $400,000 in cryptocurrency transactions, fueling its operations as a phishing-as-a-service platform.
Identifying the Alleged Operator
In response to the growing threats posed by Tycoon 2FA, Coinbase utilized blockchain forensics to trace transactions and pinpoint the alleged administrator of the network, Saad Fridi, located in Pakistan. Coinbase’s reconnaissance was instrumental in obtaining court orders for the domain seizures, enabling Microsoft to block these domains effectively.
The takedown operation aligns with broader trends in cybersecurity, as phishing attacks have been a primary vector for cybercrime in recent years. Reports indicate that phishing-related losses among investors dropped by 83% in 2025, a sharp contrast to the staggering $722 million lost the previous year. This decline coincides with intensified efforts from technology firms and law enforcement agencies in combating cyber threats.
Looking Ahead: Industry Implications
While this operation successfully disrupted a critical component of the phishing ecosystem, experts warn that other similar networks may spring up in response. The crackdown points to an emerging trend wherein collaborative efforts by technology companies and law enforcement could become standard practice for combating cybercrime globally.
The partnership formed during this operation emphasizes a pivotal shift in the fight against cybercrime, heightened by the urgent need for enhanced security measures across critical sectors. As phishing schemes evolve, the focus on public-private collaborations will likely intensify, establishing a framework for additional operations targeting other cybercriminal activities and potentially preventing losses of millions in the future.









