Intelligence shared through Europol’s Cyber Intelligence Extension Programme leads to operational results.
A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol.
The service, known as Tycoon 2FA, provided cybercriminals with a subscription-based toolkit designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers.
The action was carried out by law enforcement partners and private sector stakeholders working hand in hand, coordinated by Europol’s European Cybercrime Centre (EC3).
As part of the disruption, 330 domains forming the core infrastructure of the criminal service, including phishing pages and control panels, were taken down. The technical disruption was led by Microsoft with the support of a coalition of private partners, while seizure of infrastructure and other operational measures were carried out by law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom – all of this coordinated by Europol.
Platform enabled access to thousands of organisations
Active since at least August 2023, Tycoon 2FA was among the largest phishing operations worldwide.
It enabled thousands of cybercriminals to covertly access email and cloud-based service accounts. At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorised access to nearly 100 000 organisations globally, including schools, hospitals, and public institutions.
By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft.
Public-private partnership at the centre of the operation
The disruption was made possible through close cooperation between law enforcement and trusted industry partners.
The investigation began after intelligence was shared by Trend Micro. Europol disseminated this information through its EC3 Advisory Groups and operational networks, enabling a coordinated operational strategy to be developed. A number of Advisory Group members were subsequently brought into the investigation to support the disruption effort.
Through Europol’s Cyber Intelligence Extension Programme (CIEP), Microsoft and Trend Micro worked alongside law enforcement authorities, providing technical expertise and infrastructure analysis.
Europol acted as the central hub between private partners and investigators, ensuring intelligence was shared with affected countries and translated into coordinated operational action.
Participating partners
Law enforcement authorities
- Latvia: State Police
- Lithuania: Criminal Police Bureau
- Portugal: Judicial Police
- Poland: Central Cybercrime Bureau
- Spain: National Police and Guardia Civil
- United Kingdom: National Crime Agency
Private partners engaged through Europol
- Cloudflare
- Coinbase
- Intel471
- Microsoft
- Proofpoint
- Shadowserver Foundation
- SpyCloud
- Trend Micro
Europol’s Cyber Intelligence Extension Programme
The Cyber Intelligence Extension Programme (CIEP) strengthens public-private cooperation in tackling cybercrime by enabling private-sector partners to contribute actionable intelligence to support operational outcomes.
This Europol programme – a first of its kind – brings together experts from the private sector to work temporarily side by side in The Hague on specific projects with EC3 analysts and investigators.
Through this framework, Europol facilitates collaboration between industry and Member State authorities by:
- supporting cross-border disruption of criminal infrastructure;
- enabling operational deconfliction;
- ensuring timely intelligence sharing on emerging threats and criminal methods.
By deepening trusted public-private collaboration, the programme reinforces a collective approach that is essential to achieving disruption at scale and shaping the future response to cybercrime.
The European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats posed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic and operational cooperation between national authorities, EU institutions and bodies, and international partners. EMPACT runs in four-year cycles focusing on common EU crime priorities.







