Coinbase and Microsoft, with Europol, seize 330 domains and shut down Tycoon 2FA phishing service
Coinbase, Microsoft, Europol and ten partners dismantled Tycoon 2FA, a phishing-as-a-service platform that bypassed multi-factor authentication by harvesting victims' session cookies and authentication tokens rather than their passwords alone. Tycoon, active since August 2023, operated more than 24,000 domains and served up to 2,000 users, distributing tens of millions of fraudulent emails that reached over 500,000 organizations monthly and enabling thousands of threat actors to steal credentials at scale. Under a U.S. court order, Microsoft seized 330 active domains and identified the primary developer as Saad Fridi in Pakistan. Coinbase traced the cryptocurrency payments that funded Tycoon and supported the civil action to seize the domains; law enforcement investigations into the service's buyers and users continue. The takedown follows industry reports (Chainalysis, Scam Sniffer) that phishing-as-a-service has industrialized crypto scams: Scam Sniffer estimates $83.85 million in crypto phishing losses last year, down from $494 million in 2024. Key implications: large-scale MFA bypass tools materially increase the risk of credential and fund theft, and exchanges and cybersecurity firms are collaborating more closely to trace crypto funding and assist seizures.
Neutral
The takedown removes an active phishing infrastructure and demonstrates stronger coordination between exchanges, tech firms and law enforcement, a stabilizing factor for market trust. Coinbase's tracing of crypto funding and the domain seizures can curb future large-scale scams and reduce exploit vectors, which is constructive for overall market security. However, the core problem, the availability of phishing-as-a-service, remains systemic: the service model persists, low-cost phishing kits still circulate, and other operators can fill the void. Short term: expect modest positive sentiment as the risk from this specific service falls, and the news may briefly coincide with reduced scam flows; targeted tokens and exchange reputations could see slight relief. Long term: the action is positive for institutional trust and sets a regulatory enforcement precedent, but it does not eliminate phishing risk, so the market remains exposed to social-engineering attacks and the on-chain fund flows they generate. Similar past takedowns (phishing kit busts, mixer domain seizures) produced temporary reductions in scam volume, but scams rebounded as criminals adapted, suggesting a neutral net market impact over time.