Coinbase, in collaboration with Microsoft and Europol, has disrupted the Tycoon 2FA phishing-as-a-service platform, used by cybercriminals to steal login credentials and bypass multi-factor authentication (MFA). The coordinated action targeted the platform’s infrastructure through domain seizures and financial tracing, linking its operations to an individual based in Pakistan.
Coinbase said it worked with Microsoft, Europol, and other industry partners to disrupt Tycoon 2FA, a phishing-as-a-service platform used by cybercriminals to steal login credentials and bypass multi-factor authentication [MFA]. The effort combined legal action, infrastructure takedowns, and blockchain analysis to trace the financial flows that funded the phishing network.
According to Coinbase, Microsoft filed a civil action that led to a court-authorized seizure of key domains, effectively taking the service offline. Tycoon operated as a subscription-based phishing toolkit, enabling attackers to launch credential-harvesting campaigns using cloned login pages that mimic trusted services such as Microsoft 365.
The platform enabled “attackers to capture usernames, passwords, and authentication codes” in real time. More critically, it allowed criminals to steal session cookies used to access accounts without triggering MFA prompts.
Coinbase’s Global Intelligence team said it traced cryptocurrency payments used to fund Tycoon’s operations. The investigation also helped attribute Tycoon’s administration to Saad Fridi, who, Coinbase said, is believed to be based in Pakistan.
The disruption comes amid persistent security challenges across the crypto sector. A recent report showed that crypto-related hacks resulted in $112.53 million in losses across January and February 2026, with social engineering remaining a major driver of losses.
Coinbase said dismantling services like Tycoon requires targeting both the infrastructure that powers phishing campaigns and the financial networks that support them. The company said it will continue working with technology companies and law enforcement to prevent cryptocurrency from being used to fund cybercrime.
