← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown
WHITE PetrP.73 2026-03-23 Modified: 2026-04-22
8
IOCs
LOW VOLUME
The Tycoon2FA phishing-as-a-service (PhaaS) platform, which emerged in 2023, was recently disrupted by a coordinated law enforcement effort led by Europol, seizing 330 domains that were primarily used for its operations. This platform enabled cybercriminals to bypass multifactor authentication, making it a significant player in phishing activities. Prior to the disruption, Tycoon2FA was responsible for a large percentage of phishing attempts, reportedly sending over 30 million malicious emails in one month.
tycoon2famarchfalcon completettpseuropolcrowdstrikemicrosoftphaasseptemberurlssharepointaitm phaas
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (8)
All FileHash-MD5 domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 9ee1bf400ea645748830bc408aa2b88a 2026-03-23
domain omegaenergy.com.np 2026-03-23
domain traelyst.dk 2026-03-23
hostname annotation.hanoufra.ltd 2026-03-23
hostname awssecrets.saidiosea.dev 2026-03-23
hostname electron.c8zoeh.com 2026-03-23
hostname hub.thadrodrai.business 2026-03-23
hostname twig.lifeworkinc.com 2026-03-23
References (1)
↗ https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/