Microsoft disrupted the infrastructure behind Tycoon 2FA, the company said in a blog post, removing domains that supported phishing control panels and fake login pages used to impersonate legitimate users.
The action was taken under a court order from the U.S. District Court for the Southern District of New York and coordinated with Europol’s Cyber Intelligence Extension Programme (CIEP), which brought public and private partners together for cross-border disruption.
Acting with international partners, Microsoft seized 330 active domains that powered Tycoon 2FA’s core services. Steven Masada, Assistant General Counsel in Microsoft’s Digital Crimes Unit, wrote in the company blog post that the move aims to "fragment the impersonation economy" and that "identity, not infrastructure, has become the primary target."
Microsoft said Tycoon 2FA is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers. Healthcare and education faced heavy impact: more than 100 Health-ISAC members were phished, and in New York at least two hospitals, six municipal schools, and three universities saw attempted or successful compromises. Industry and law enforcement partners named in the announcement include Proofpoint, Intel 471, eSentire, Cloudflare, SpyCloud, Resecurity, Coinbase, and the Shadowserver Foundation.
The blog post says the Digital Crimes Unit will continue applying lessons from this and prior disruptions to degrade services that enable large-scale impersonation, raise the cost of cybercrime, and limit further harm through sustained, coordinated pressure.
The recap
- Seized 330 active domains powering Tycoon 2FA infrastructure.
- Tycoon 2FA linked to an estimated 96,000 phishing victims worldwide.
- Microsoft will continue disruptions to fragment the impersonation economy.