Crypto exchange Coinbase teamed up with Microsoft and Europol to take down phishing-as-a-service platform Tycoon 2FA.

In a Wednesday announcement, Coinbase said that it helped trace blockchain-based transactions linked to the platform, and as a result, law enforcement was able to identify the phishing operation’s alleged administrator and several of its customers.

According to Europol, Tycoon 2FA sold a subscription-based toolkit that helped bad actors intercept live authentication sessions and gain unauthorised access to online accounts, “including those protected by additional security layers.”

Using Tycoon’s phishing toolkit, cybercriminals were able to capture session cookies from authenticated users and therefore access accounts without triggering the multi-factor authentication prompts, Coinbase said.

“We’re actively working to identify Tycoon purchasers and will continue supporting law enforcement efforts focused on the people who bought and used this service to target victims,” it added.

The platform has been active since at least 2023, and by mid-2025, Tycoon 2FA accounted for nearly 62% of all phishing attacks blocked by Microsoft, Europol said.

“At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorised access to nearly 100,000 organisations globally, including schools, hospitals, and public institutions,” it added.

Phishing attacks continue to threaten crypto users

As previously reported by crypto.news, losses from phishing attacks dropped 83% in 2025 when compared to the previous year. Nevertheless, attackers have continued to use more advanced techniques, including exploits tied to EIP-7702, Permit and Permit2 signatures, and transfer-based attacks.

A separate report from blockchain security firm CertiK flagged that Phishing attacks remained the third most costly attack vector in 2025.