Prepared by: Brad Morgan, Head of Managed Services | Last update: 10 March 2026
A coordinated international operation has disrupted one of the most prolific phishing platforms on the internet and shut down a major marketplace for stolen credentials, marking a notable moment in the fight against cybercrime.
Law enforcement agencies and private sector partners including Europol, the Federal Bureau of Investigation, Microsoft and Coinbase moved this week against Tycoon 2FA, a phishing-as-a-service platform used to run large-scale account takeover campaigns, while authorities also seized LeakBase, an underground forum where compromised data and credentials were traded.
For security teams that track phishing activity daily, the takedowns represent a meaningful disruption to attacker infrastructure. However, experience shows these operations rarely eliminate the underlying demand; operators typically migrate to new services, meaning the broader threat is unlikely to disappear.
Tycoon 2FA was not just another phishing kit; it was an industrialised phishing platform operating at global scale.
Since emerging in August 2023 it has been linked to:
Over 64,000 phishing incidents and tens of thousands of malicious domains
Tens of millions of phishing emails each month, targeting more than 500,000 organisations globally
Approximately 62 percent of phishing attempts blocked by Microsoft as of mid-2025
Nearly 100,000 compromised organisations, including schools, healthcare providers and public institutions
Around 96,000 confirmed phishing victims, including more than 55,000 Microsoft customers
Instead of simply stealing usernames and passwords, the platform intercepted authentication sessions in real time. This allowed attackers to capture session cookies and authentication codes generated by mobile authenticator applications.
As a result, attackers could bypass traditional multi-factor authentication and maintain access even after passwords were reset, unless active sessions and authentication tokens were explicitly revoked.
Access to the platform was also inexpensive. Subscriptions reportedly started at around 120 US dollars for 10 days, lowering the barrier for criminals with very limited technical skills.
Law enforcement and industry partners disrupted roughly 330 domains linked to the infrastructure, and the alleged primary developer has reportedly been identified.
LeakBase, dismantled during Operation Leak in early March 2026, served a different but complementary role. With more than 142,000 members, it functioned as a marketplace for stealer logs, stolen credentials, financial data and compromised databases. Approximately 100 enforcement actions were carried out globally targeting 37 of the forum's most active users.
Combined with earlier operations such as Microsoft's seizure of 338 domains linked to RaccoonO365, these disruptions reflect increasing international cooperation against cybercrime infrastructure.
But they do not remove the underlying demand.
Phishing-as-a-service platforms exist because there is a large market of operators who want to run sophisticated phishing campaigns without building the tooling themselves.
Tycoon 2FA reportedly supported around 2,000 active operators, and those operators still exist. When infrastructure like this is disrupted, the demand does not disappear; it migrates.
This pattern has repeated across the cybercrime ecosystem for years. A platform is disrupted, operators disperse, and within weeks the community reorganises around the next available service. Early replacements may be less polished or less reliable, but the capability returns quickly.
The statistic that should concern most security leaders is this:
59 percent of successfully compromised accounts in 2025 had multi-factor authentication enabled.
The control many organisations consider their primary identity defence was being bypassed at scale.
The lesson is not that multi-factor authentication is ineffective; it is that attackers continue to evolve around the controls we deploy.
The disruption of Tycoon 2FA and LeakBase should be treated as an opportunity to review defensive controls, not relax them.
Session hijacking is central to adversary-in-the-middle phishing.
Controls such as conditional access policies, device compliance enforcement, shorter session lifetimes and monitoring for anomalous authentication behaviour significantly reduce the window of opportunity for attackers.
Many of these controls already exist within modern identity platforms but are often underutilised.
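The two gaps described above, a stolen session cookie being used from a new network and device after a legitimate MFA sign-in, and a session that outlives a password reset because it was never revoked, can both be expressed as checks over sign-in telemetry. The following is an added example, not code from this article or from Triskele Labs: the log format, event names and the one-hour window are assumptions, and the sample events are constructed for illustration.

```python
"""Two checks for adversary-in-the-middle session hijacking, run over
sign-in telemetry.

Added example, not code from the original article or from Triskele Labs.
The log format is constructed; real identity platforms expose comparable
fields (session or correlation id, client IP, ASN, user agent,
interactive vs. non-interactive sign-in, password reset, session
revocation) under their own names.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. Alice signs in with MFA from her normal
# network; minutes later her session id is refreshed from a different ASN
# and user agent (the replayed-cookie pattern). Her password is then reset,
# but the session is never revoked and keeps refreshing. Bob's refreshes
# come from his own device and network and should not alert.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T08:00:05Z", "user": "alice", "session_id": "s-1",
     "event": "interactive_signin", "mfa": True,
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Edge/122 Windows"},
    {"ts": "2026-03-10T08:03:41Z", "user": "alice", "session_id": "s-1",
     "event": "token_refresh", "mfa": False,
     "ip": "198.51.100.77", "asn": "AS64510", "ua": "Chrome/121 Linux"},
    {"ts": "2026-03-10T08:05:00Z", "user": "alice", "session_id": None,
     "event": "password_reset", "mfa": False,
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Edge/122 Windows"},
    {"ts": "2026-03-10T08:10:00Z", "user": "alice", "session_id": "s-1",
     "event": "token_refresh", "mfa": False,
     "ip": "198.51.100.77", "asn": "AS64510", "ua": "Chrome/121 Linux"},
    {"ts": "2026-03-10T09:00:00Z", "user": "bob", "session_id": "s-2",
     "event": "interactive_signin", "mfa": True,
     "ip": "192.0.2.8", "asn": "AS64520", "ua": "Edge/122 Windows"},
    {"ts": "2026-03-10T09:30:00Z", "user": "bob", "session_id": "s-2",
     "event": "token_refresh", "mfa": False,
     "ip": "192.0.2.9", "asn": "AS64520", "ua": "Edge/122 Windows"},
]

REPLAY_WINDOW = timedelta(hours=1)  # assumed tuning value, not from the article


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=REPLAY_WINDOW):
    """Flag sessions whose non-interactive use comes from a different ASN
    and a different user agent than the MFA sign-in that created them,
    within `window` of that sign-in. Legitimate roaming usually changes
    one of the two, not both, so requiring both keeps noise down."""
    origins = {}   # session_id -> the interactive sign-in that created it
    findings = {}  # session_id -> first suspicious use (one finding per session)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        if sid is None:
            continue
        if ev["event"] == "interactive_signin" and ev["mfa"]:
            origins[sid] = ev
            continue
        origin = origins.get(sid)
        if origin is None or sid in findings:
            continue
        elapsed = parse_ts(ev["ts"]) - parse_ts(origin["ts"])
        if (ev["asn"] != origin["asn"] and ev["ua"] != origin["ua"]
                and elapsed <= window):
            findings[sid] = {
                "user": ev["user"], "session_id": sid,
                "signin_ip": origin["ip"], "replay_ip": ev["ip"],
                "minutes_after_signin": int(elapsed.total_seconds() // 60),
            }
    return list(findings.values())


def sessions_surviving_reset(events):
    """Return (user, session_id) pairs for sessions that predate the user's
    password reset and are still refreshed afterwards with no
    session_revoked event in between: a reset alone does not evict them."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)
    surviving = []
    for user, evs in by_user.items():
        seen = set()      # sessions observed so far for this user
        at_risk = set()   # sessions that predate the latest reset, not yet revoked
        for ev in evs:
            kind = ev["event"]
            if kind == "password_reset":
                at_risk = set(seen)
            elif kind == "session_revoked":
                at_risk.clear()
            elif ev["session_id"] is not None:
                seen.add(ev["session_id"])
                if kind == "token_refresh" and ev["session_id"] in at_risk:
                    pair = (user, ev["session_id"])
                    if pair not in surviving:
                        surviving.append(pair)
    return surviving


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print("possible session replay:", finding)
    for user, sid in sessions_surviving_reset(SAMPLE_EVENTS):
        print(f"session {sid} for {user} still active after password reset; revoke it")
```

Run against the constructed events, the first check reports Alice's session being refreshed from a new ASN and user agent three minutes after her MFA sign-in, and the second reports that the same session is still alive after her password reset. In a real environment the second list is the input to a revocation step, and the first is the trigger for it; shorter session lifetimes and device compliance enforcement narrow the window in which either condition can arise.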
The operators who relied on Tycoon 2FA will migrate.
Security operations teams should expect new adversary-in-the-middle phishing frameworks to appear and should ensure phishing detection playbooks, identity monitoring and response processes are prepared for that shift.
Phishing infrastructure, credential markets and malware operations are closely linked.
Phishing campaigns steal credentials. Those credentials are sold through underground marketplaces. Access brokers and ransomware operators purchase that access and use it to move deeper into organisations.
Disrupting one node creates friction, but the ecosystem adapts.
For organisations running mature security monitoring programs, many of these controls are already becoming standard practice.
Across large managed detection and response environments, phishing and identity-based alerts remain one of the most consistent sources of security incidents. As a result, detection strategies increasingly focus on identity telemetry, session monitoring and credential exposure intelligence.
At Triskele Labs this includes:
An important part of this model is shared intelligence across the client base.
Threat intelligence derived from security investigations, digital forensics engagements and external intelligence sources is continuously fed back into detection rules, alert enrichment and analyst workflows. When a new phishing technique, infrastructure pattern or credential exposure trend is identified in one environment, that insight is quickly incorporated into monitoring across all environments.
This collective intelligence model allows detection capability to improve continuously as new threats are observed.
None of this should take away from the achievement.
Operations of this scale, involving coordinated action between law enforcement and private sector partners across multiple jurisdictions, demonstrate meaningful progress in the global fight against cybercrime.
The arrests, domain seizures and intelligence sharing send a clear message to the criminal ecosystem that the risks are increasing.
But organisations should not interpret these takedowns as a reduction in risk.
The ability for attackers to run sophisticated phishing campaigns that bypass traditional authentication controls should now be considered a baseline threat assumption when designing identity security strategies.
Celebrate the wins. Brief your leadership teams.
Then make sure your identity controls and detection capabilities assume that the next phishing platform is already operating somewhere else.