Coinbase, in collaboration with Microsoft and Europol, helped dismantle the phishing-as-a-service platform Tycoon 2FA, a subscription-based toolkit that allowed criminals to bypass multi-factor authentication (MFA) and access online accounts.
Key points:
- Investigation & Blockchain Tracing: Coinbase traced blockchain transactions tied to Tycoon 2FA, which enabled law enforcement to identify the platform’s alleged administrator and several users.
- Phishing Capabilities: Tycoon 2FA allowed cybercriminals to intercept live authentication sessions and steal session cookies, effectively circumventing MFA protections on targeted accounts.
- Scope & Impact: At its peak, the platform generated tens of millions of phishing emails per month, targeting nearly 100,000 organizations globally, including schools, hospitals, and public institutions. By mid-2025, it accounted for roughly 62% of phishing attacks blocked by Microsoft.
- Effect on Crypto Security: Phishing losses dropped by nearly 83% in 2025 compared with the previous year, though attackers continue to develop advanced techniques, including exploits tied to EIP-7702, Permit/Permit2 signatures, and transfer-based attacks.
Coinbase emphasized ongoing efforts to track Tycoon purchasers and support law enforcement in preventing further attacks, highlighting the continued importance of proactive collaboration between crypto firms and authorities to protect users.
