The largest phishing platform in the world was dismantled on March 4. By March 6, it was operational again.
On March 4, 2026, Europol, Microsoft, and a coalition of eleven private-sector partners executed one of the most significant phishing infrastructure disruptions in recent memory. The target was Tycoon 2FA, a phishing-as-a-service platform that had grown from a niche Telegram offering into the single largest source of phishing Microsoft blocked, responsible for roughly 62% of all phishing attempts across its ecosystem and more than 30 million malicious emails per month by mid-2025. The operation seized 330 domains, coordinated law enforcement actions across six countries, and identified the platform’s primary developer. Criminal subscribers logging into their dashboards were greeted with a seizure notice listing every partner involved. As coordinated disruptions go, this one was comprehensive.
It was also, by the available evidence, temporary. CrowdStrike reported that campaign volumes dropped to roughly 25% of pre-disruption levels on March 4 and 5, then returned to baseline within days. The group’s tactics, techniques, and procedures showed no changes. At least 30 suspected Tycoon 2FA-enabled phishing incidents were observed between March 4 and 6 alone, and operators continued using compromised domains and legitimate cloud services for redirection. As Infosecurity Magazine noted, the rapid recovery highlights a structural reality that the security community has been reluctant to state plainly: infrastructure takedowns, absent arrests or physical asset seizures, impose costs on attackers but do not stop them.
What a $120 phishing empire looks like
Understanding why Tycoon 2FA bounced back so quickly requires understanding what made it successful in the first place. This was not a bespoke hacking operation. It was a commercial product, sold through Telegram for as little as $120 for ten days of access, that gave subscribers everything they needed to bypass the multi-factor authentication most organizations treat as their primary account protection. The kit sat between the victim and a legitimate login page, relaying authentication prompts in real time and capturing the session tokens that grant full access. From the victim’s perspective, the login worked normally. From the attacker’s, it yielded a fully authenticated session.
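The relay described above leaves a recognizable trace in identity-provider sign-in logs: MFA is satisfied from an IP address and network the user has never used (the proxy), and the resulting session token is then used minutes later from yet another network or browser (the operator's machine). The following Python example, added here and not code from the article or from any of the vendors it names, runs that check over a constructed log. The log schema (one JSON object per line with `ts`, `user`, `event`, `session`, `ip`, `asn`, `ua`) and the thirty-minute replay window are assumptions for the example, not any real product's format.

```python
"""Flag sessions whose token use is consistent with adversary-in-the-middle
(AiTM) phishing: MFA completed from an unfamiliar network, then the same
session token used from a different network or browser soon afterwards.

Log schema is hypothetical (constructed for this example): one JSON object
per line with ts (ISO-8601 UTC), user, event, session, ip, asn, ua.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Sessions s1 and s2 are the user's normal pattern.
# Session s3 shows MFA satisfied from an ASN never seen for the user, then
# the same token used three minutes later from another ASN and browser.
SAMPLE_LOG = """\
{"ts":"2026-03-05T08:01:00Z","user":"alice","event":"mfa_success","session":"s1","ip":"203.0.113.10","asn":"AS64500","ua":"Edge/122"}
{"ts":"2026-03-05T08:02:00Z","user":"alice","event":"session_use","session":"s1","ip":"203.0.113.10","asn":"AS64500","ua":"Edge/122"}
{"ts":"2026-03-05T13:00:00Z","user":"alice","event":"mfa_success","session":"s2","ip":"203.0.113.11","asn":"AS64500","ua":"Edge/122"}
{"ts":"2026-03-06T09:10:00Z","user":"alice","event":"mfa_success","session":"s3","ip":"198.51.100.7","asn":"AS64511","ua":"Edge/122"}
{"ts":"2026-03-06T09:13:00Z","user":"alice","event":"session_use","session":"s3","ip":"192.0.2.44","asn":"AS64512","ua":"Firefox/123"}
"""

# How soon after MFA a context change is treated as replay (assumed value).
REPLAY_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_aitm(events):
    """Return {session_id: [reasons]} for sessions that look like token theft."""
    known_asn = defaultdict(set)  # user -> ASNs seen on earlier MFA sign-ins
    mfa_ctx = {}                  # session -> event that completed MFA
    findings = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_success":
            # A first-ever network for this user is suspicious on its own.
            if known_asn[e["user"]] and e["asn"] not in known_asn[e["user"]]:
                findings[e["session"]].append("mfa completed from ASN never seen for user")
            known_asn[e["user"]].add(e["asn"])
            mfa_ctx[e["session"]] = e
        elif e["event"] == "session_use":
            origin = mfa_ctx.get(e["session"])
            if origin is None:
                continue  # token issued outside our log window
            recent = e["ts"] - origin["ts"] <= REPLAY_WINDOW
            if recent and e["asn"] != origin["asn"]:
                findings[e["session"]].append("token used from different ASN shortly after MFA")
            if recent and e["ua"] != origin["ua"]:
                findings[e["session"]].append("token used from different user agent shortly after MFA")
    return dict(findings)


def run_sample():
    """Run the detector over the constructed log; only s3 should be flagged."""
    return detect_aitm(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for session, reasons in run_sample().items():
        print(session, "->", "; ".join(reasons))
```

The three signals are deliberately scored together: any one of them alone (a new ASN, a user-agent change) is common for users on VPNs or with multiple devices, but a never-seen network at MFA time followed within minutes by use from a third network is the shape an in-the-middle relay produces, and the same test applies unchanged when the relay moves to freshly registered domains after a takedown.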
That accessibility is what drove the scale. By the time of the disruption, Tycoon 2FA had roughly 2,000 active subscribers and had used more than 30,000 phishing domains since its 2023 launch. Microsoft connected the platform to 96,000 distinct phishing victims, with healthcare and education absorbing a disproportionate share. The Cloudflare team documented how the kit abused Workers to host malicious logic while redirecting security researchers to benign sites, making the infrastructure difficult to identify even when analysts knew what to look for.
The platform existed within a broader ecosystem of interdependent criminal services, a point Microsoft emphasized in its analysis of the disruption. Tycoon 2FA captured credentials and session tokens, but other services handled mass email delivery, malware distribution, and hosting. RedVDS, which Microsoft disrupted in January 2026, provided inexpensive virtual machines that attackers paired with Tycoon 2FA to run campaigns at scale. The arrested developer of RaccoonO365, a competing phishing kit, had been in communication with Tycoon 2FA’s operator, illustrating how tightly interconnected the phishing economy has become. Disrupting one node creates pressure across the network, but the network itself is designed to absorb that pressure and reroute.
Why takedowns are necessary but insufficient
None of this is an argument against takedowns. Microsoft’s sustained campaign against phishing infrastructure, which has targeted Lumma Stealer, RaccoonO365, Fake ONNX, and RedVDS in addition to Tycoon 2FA, has demonstrably degraded the operational environment for attackers. RedVDS lost more than 95% of its infrastructure. Several operators tightened access controls, retreated into closed channels, or shut down entirely. The reputational damage alone carries value in an ecosystem where trust between criminal service providers and their customers is a commercial asset. Takedowns raise the cost of doing business, and that cost matters.
The problem is that the cost is often temporary, and the infrastructure economics of phishing-as-a-service make recovery inexpensive. A new domain costs a few dollars. A new Cloudflare Workers instance costs nothing. And the subscribers who paid $120 for access to Tycoon 2FA’s panel represent a ready-made customer base that will migrate to successor platforms the moment they become available. CrowdStrike’s observation that Tycoon 2FA’s TTPs were unchanged post-takedown suggests the operational playbook survived even as the infrastructure was temporarily disrupted. The knowledge, the tooling, and the demand all persist.
The Bottom Line
Takedowns remain essential for imposing costs, disrupting active campaigns, and buying time. But they are a speed-dependent capability, not a resolution. When the attacker’s infrastructure can be rebuilt faster than abuse reports can be processed, the value of a takedown is measured in hours of disruption rather than permanent removal. The organizations that convert those hours into meaningful protection are the ones with continuous monitoring that detects replacement infrastructure as soon as it appears — not the ones that treat the takedown itself as the endpoint.
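One concrete form of the continuous monitoring argued for above is a check run over every newly observed hostname (for example from a certificate-transparency feed) for impersonation of an organization's own brand. The Python example below is added here and is not code from the article or from any of the companies it names; the protected brand `examplecorp`, the list of legitimate domains, the homoglyph table, the lure-word list and the shared-hosting suffixes are all assumptions constructed for the example. It flags hostnames that embed or nearly match the brand after homoglyph normalization, and notes when such a name sits under a shared hosting platform of the kind the article says was abused for redirection.

```python
"""Flag newly observed hostnames that impersonate a protected brand, the kind
of check a defender runs continuously to catch replacement phishing
infrastructure. All lists below are constructed for this example."""
import re

BRANDS = ("examplecorp",)                      # placeholder brand to protect
LEGIT_DOMAINS = ("examplecorp.com",)           # domains the brand really owns
# Character substitutions used to disguise a brand; applied before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("|", "l")]
LURE_WORDS = ("login", "signin", "secure", "auth", "mfa", "verify", "sso")
# Free subdomain platforms commonly used to front phishing logic (assumption).
SHARED_HOSTS = ("workers.dev", "pages.dev")

# Constructed feed of newly observed hostnames (not real observations).
SAMPLE_HOSTS = [
    "examplecorp.com",
    "sso.examplecorp.com",
    "examp1ecorp-login.com",
    "exarnplecorp.workers.dev",
    "exampleccorp.net",
    "weather-report.org",
]


def normalize(label):
    """Lower-case, undo common homoglyph swaps, and keep letters only."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a, b):
    """Standard edit distance, used for one-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, legit_domains=LEGIT_DOMAINS):
    """Return a list of reasons the hostname looks like brand impersonation."""
    hostname = hostname.lower().rstrip(".")
    if any(hostname == d or hostname.endswith("." + d) for d in legit_domains):
        return []  # genuinely ours, nothing to flag
    reasons = []
    for label in hostname.split("."):
        norm = normalize(label)
        for brand in BRANDS:
            if brand in norm:
                reasons.append(f"brand embedded in label '{label}'")
            elif levenshtein(norm, brand) <= 1:
                reasons.append(f"label '{label}' within edit distance 1 of brand")
    if reasons and any(w in hostname for w in LURE_WORDS):
        reasons.append("lure keyword present")
    if reasons and any(hostname.endswith("." + h) for h in SHARED_HOSTS):
        reasons.append("hosted on shared platform")
    return reasons


def scan(hostnames, legit_domains=LEGIT_DOMAINS):
    """Map each flagged hostname to its reasons; unflagged names are omitted."""
    result = {}
    for host in hostnames:
        reasons = classify(host, legit_domains)
        if reasons:
            result[host] = reasons
    return result


def run_sample():
    return scan(SAMPLE_HOSTS)


if __name__ == "__main__":
    for host, reasons in run_sample().items():
        print(host, "->", "; ".join(reasons))
```

Because the match is on a normalized label rather than an exact string, the same rule keeps firing when operators rotate to fresh registrations after a seizure; the practical tuning point is the edit-distance threshold, which should stay at one for short brand names to keep false positives manageable.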
Key Takeaways
- Tycoon 2FA accounted for 62% of all phishing Microsoft blocked and sent over 30 million malicious emails per month before a coordinated Europol-Microsoft operation seized 330 domains on March 4.
- CrowdStrike observed campaign volumes drop to 25% on the day of the takedown, then return to pre-disruption levels within days, with tactics unchanged.
- The platform’s $120 entry price and subscription-based model created a customer base that can migrate to successor services faster than infrastructure can be permanently dismantled.
- Takedowns are essential for imposing costs on attackers, but their value is measured in hours of disruption rather than permanent removal, making continuous detection of replacement infrastructure the critical complement.