Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown
ID: f9771b56-c01d-5fe7-aa69-9817bc96f688
STIX ID: report--f9771b56-c01d-5fe7-aa69-9817bc96f688
Feed Name: Crowdstrike Blog
Date Published: 2026-03-20
Date Updated: 2026-04-27
Author: Falcon Complete Team - Counter Adversary Operations
On March 4, 2026, Europol and international partners disrupted Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform that used adversary-in-the-middle (AITM) techniques to intercept authentication sessions and bypass MFA, by seizing 330 domains. CrowdStrike observed an initial decline in activity followed by a rapid return to pre-takedown cloud compromise levels. It documented persistent TTPs, numerous phishing domains, and diverse post-disruption phishing techniques that continue to pose significant risk to cloud and email environments.
