Coinbase said it worked with Microsoft, Europol, and other industry partners to disrupt Tycoon 2FA, a phishing-as-a-service platform used by cybercriminals to steal login credentials and bypass multi-factor authentication (MFA).
The coordinated action targeted infrastructure powering Tycoon’s operations, including domains hosting the platform’s control panels and phishing pages.
According to Coinbase, Microsoft filed a civil action that led to a court-authorized seizure of key domains, effectively taking the service offline.
The effort combined legal action, infrastructure takedowns, and blockchain analysis to trace the financial flows that funded the phishing network.
Phishing platform designed to bypass MFA
Tycoon operated as a subscription-based phishing toolkit, enabling attackers to launch credential-harvesting campaigns using cloned login pages that mimic trusted services such as Microsoft 365 and other widely used platforms.
The platform enabled attackers to capture usernames, passwords, and authentication codes in real time. More critically, it allowed criminals to steal session cookies used to access accounts without triggering MFA prompts.
Security experts say that capability makes phishing campaigns significantly more effective. It turns credential theft into a gateway for broader attacks such as account takeovers, business email compromise, and invoice fraud.
Coinbase traced crypto payments funding the service
Coinbase’s Global Intelligence team said it traced cryptocurrency payments used to fund Tycoon’s operations. Phishing-as-a-service platforms often operate like illicit software businesses, with subscription models, resellers, and recurring revenue streams.
Blockchain analysis helped investigators identify financial connections between the platform’s operators and related infrastructure, according to the company.
The investigation also helped attribute Tycoon’s administration to Saad Fridi, who, Coinbase said, is believed to be based in Pakistan.
Phishing attacks remain a major crypto threat
The disruption comes amid persistent security challenges across the crypto sector.
A recent report showed that crypto-related hacks resulted in $112.53 million in losses across January and February 2026. Incidents were concentrated in a small number of major exploits.
Beyond protocol vulnerabilities, social engineering remains a major driver of losses, which highlights the scale of credential-theft campaigns targeting crypto users and financial platforms.
Platforms like Tycoon have contributed to that trend by industrializing phishing operations, allowing criminals to run campaigns through ready-made toolkits and subscription services.
Pressure on the phishing economy
Coinbase said dismantling services like Tycoon requires targeting both the infrastructure that powers phishing campaigns and the financial networks that support them.
The company said it will continue working with technology companies and law enforcement to prevent cryptocurrency from being used to fund cybercrime.
Final Summary
- Coinbase and Microsoft helped dismantle Tycoon 2FA, a phishing-as-a-service platform used to steal credentials and bypass MFA protections.
- The disruption comes as phishing attacks remain a major driver of crypto losses, with security data showing hundreds of millions stolen through social-engineering campaigns.
