my photo

John Z Black

Brunswick, ME • (207) 245-1010 • contact@johnzblack.com

Tycoon2FA Is Back. It Never Really Left.

John Z Black Mar 24, 2026 Ransomware & Cybercrime #Tycoon2FA #phishing-as-a-service #PhaaS #MFA bypass #Europol #CrowdStrike

On March 4, Europol announced it disrupted Tycoon2FA, a phishing-as-a-service platform built to bypass multi-factor authentication. Eleven security firms across six countries contributed. Microsoft’s Digital Crimes Unit was involved. The operation was real.

Also on March 4, Tycoon2FA started recovering. Same day. By March 23, it was back to early 2026 activity levels. Nineteen days to full recovery. And nobody was arrested.

Here’s the problem with taking down servers and walking away: the people who ran the servers are still out there.

Tycoon2FA is a product with customers. Affiliates pay to use the kit. The platform provides infrastructure, phishing pages, and MFA-bypass tooling. Taking down the infrastructure is like burning down a franchise location. The franchisees find another location. The franchisor starts rebuilding. That’s by design – these platforms are built for resilience because resilience is a selling point.

No arrests means no disruption to the decision-makers. The operators who built Tycoon2FA kept rebuilding because that’s exactly what their architecture allows.

The core MFA bypass capability never went anywhere. These are adversary-in-the-middle attacks that intercept TOTP codes and push-based MFA in real time. If you’re relying on authenticator apps, that capability is currently active and available to paying customers. FIDO2 hardware keys are the honest answer – they bind authentication to the origin domain, so a phishing page can’t replay the credential even if it intercepts the session.

CrowdStrike also flagged “Salty2FA” landing pages emerging after the disruption. Could be a rebrand, could be a parallel operation filling the gap. Either way, it’s the same playbook. We’ve seen this after LabHost in 2024 and Genesis Market in 2023. Criminal markets don’t tolerate vacuums.

Don’t wait for law enforcement to solve this. Phishing-as-a-service is a product category now. You don’t make a product category go away by shutting down one vendor for nineteen days.

Why the Tycoon2FA takedown failed to stick, what MFA-bypass phishing-as-a-service actually looks like in practice, and the authentication controls that would actually stop it.