An internationally coordinated crackdown on cybercrime is causing a stir: investigators from several European countries have shut down the Tycoon2FA phishing platform. A total of 330 domains that were part of the core infrastructure were taken offline. Heise Online reports on the case.
Europol led the operation. Law enforcement agencies from Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom were involved. Companies from the tech industry also supported the investigation, including Cloudflare, Coinbase, Microsoft, and Trend Micro.
Tycoon2FA was considered one of the largest platforms of its kind. It enabled cybercriminals worldwide to launch attacks and obtain sensitive access data.
A tool for mass phishing attacks
According to Europol, the platform had been active since at least August 2023. During this time, thousands of criminals used the service to take over email accounts and cloud access.
What made Tycoon2FA particularly dangerous was that it could bypass protective mechanisms intended to add a second layer of security, such as two-factor authentication: the phishing pages relayed the victim's login and one-time code to the real service and captured the resulting session.
The scale of the operation is enormous. Europol explains:
"The platform generated tens of millions of phishing emails every month and enabled unauthorized access to nearly 100,000 organizations worldwide, including schools, hospitals, and public institutions."
This meant that the attacks were directed not only against companies, but also against public institutions.
Attack at a reasonable price
It is also alarming how easy it was to access this system. According to the tech portal Bleeping Computer, interested parties could take out a subscription via Telegram. For around $120, they were given ten days' access to the platform – essentially a low-threshold introductory offer.
The method was deceptively simple. The platform provided fake login pages that were modeled on well-known services such as Microsoft 365, Outlook, OneDrive, SharePoint, and Gmail. Users believed they were logging into a genuine service and entered their login details.
Microsoft explained:
"The Tycoon2FA platform allowed attackers to impersonate trusted brands by mimicking login pages for services such as Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. It also allowed attackers to permanently embed themselves and access sensitive information even after passwords were reset, unless active sessions and tokens were explicitly revoked."
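The point in Microsoft's statement that matters most for responders is the last one: once a phishing kit has captured a session token, changing the password does not end the attacker's access. The following PowerShell is an added example (not code from the article, Europol or Microsoft) of the minimum cleanup a Microsoft 365 admin should run for a compromised account after the password reset. It assumes the Microsoft.Graph PowerShell SDK is installed, the caller holds the `User.ReadWrite.All` and `AuditLog.Read.All` permissions, and `user@example.com` is a placeholder for the affected account.

```powershell
# Added example: revoke sessions and refresh tokens after a suspected
# session-token (AiTM phishing) compromise. Not from the original article.
# Assumes Microsoft.Graph SDK is installed and the caller is a privileged admin.
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"

$upn  = "user@example.com"   # placeholder for the compromised account
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

# Invalidate every refresh token and session issued to the user. Access tokens
# already in the attacker's hands expire on their own (typically within an hour)
# and can no longer be renewed once this has run.
$result = Revoke-MgUserSignInSession -UserId $user.Id
if (-not $result.Value) {
    Write-Warning "Session revocation for $upn did not report success; verify manually."
}

# Review recent sign-ins for the account: unfamiliar IPs or apps right after the
# phishing event indicate the stolen session was used before revocation.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 20 |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName,
                  @{ Name = 'ErrorCode'; Expression = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize
```

Run the password reset first, then this script, so that no token issued for the old credentials survives; revoking before the reset leaves a window in which the attacker can simply sign in again with the still-valid password.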
Cooperation brings success
The investigation began with information provided by the security company Trend Micro. This information was shared via Europol's network for combating cybercrime.
Investigators and IT companies subsequently worked closely together to analyze the platform's infrastructure. This ultimately resulted in the coordinated shutdown of the central domains.
Comment
At first glance, this success appears to be a major victory. At the same time, however, the case highlights a structural problem: cybercrime is increasingly becoming a business model. Attack software is rented out, infrastructure is sold, and knowledge is disseminated via messenger services. When one platform is shut down, the next one often quickly emerges. This is precisely where the real challenge lies.
Source: heise.de, bleepingcomputer.com