23rd March 2026 Cyber Update: Tycoon 2FA Phishing Takedown
A global coalition led by Microsoft and Europol has dismantled the Tycoon 2FA phishing-as-a-service platform, a major criminal enterprise that enabled attackers to bypass multi-factor authentication and compromise nearly 100,000 organisations worldwide.
Cyber News Centre's cyber update for 23rd March 2026: A coordinated global operation has dismantled the prolific Tycoon 2FA phishing-as-a-service platform, which enabled thousands of cybercriminals to bypass multi-factor authentication and attack organisations across Australia and the world.
The Update and Why It Matters
Update: A global law enforcement and private sector coalition, led by Microsoft and Europol and supported by partners including Coinbase, Cloudflare, Intel471, Proofpoint, Shadowserver and SpyCloud, has dismantled the infrastructure of Tycoon 2FA, one of the largest phishing-as-a-service operations worldwide. Acting under a court order from the U.S. District Court for the Southern District of New York, investigators seized roughly 330 active domains used for Tycoon 2FA control panels and phishing pages, disrupting a criminal ecosystem that had operated more than 24,000 domains since its launch. By mid‑2025, Tycoon 2FA was responsible for approximately 62% of all phishing attacks blocked by Microsoft, generating around 30 million malicious emails per month and reaching more than 500,000 organisations worldwide, with notable exposure across critical sectors such as healthcare, education and finance.
The service functioned as a transparent reverse proxy, enabling attackers to hijack authenticated sessions and persist access even after password changes, fuelling business email compromise, data theft and downstream ransomware campaigns. Microsoft and its partners have also identified the primary developer as Pakistan-based Saad Fridi and signalled that civil and criminal proceedings will continue as investigators pursue operators and high-value customers of the platform, which is estimated to have impacted tens of thousands of individual victims and nearly 100,000 organisations.
Why it Matters: The takedown of Tycoon 2FA shows the industrial scale of the credential theft economy and the limitations of traditional multi-factor authentication when deployed without phishing-resistant protections. For Australian organisations, especially in healthcare, education, financial services and government, this incident underlines that MFA alone is not a guarantee of account security when sophisticated adversary-in-the-middle (AiTM) tools can proxy logins and capture session tokens.
The platform’s success in compromising enterprise accounts highlights systemic risk to corporate data, supply chains and financial assets, where a single stolen session can be used for invoice fraud, payroll diversion and high-impact business email compromise. This operation reinforces the need for phishing-resistant authentication such as FIDO2 security keys, conditional access policies, device-based signals and continuous session monitoring, combined with an assume-breach approach to detection and response to contain intrusions even after initial access is gained.
As law enforcement and technology providers continue to disrupt major PhaaS platforms, organisations need to harden identity systems, reduce reliance on legacy MFA alone and prepare for the rapid emergence of successor services seeking to fill the gap left by Tycoon 2FA.
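The session hijacking and continuous session monitoring described above can be turned into two simple detection rules. The following is an added example, not part of the original article or any vendor's tooling; the event schema, field order and sample records are constructed for illustration.

```python
from datetime import datetime

# Constructed sample events (hypothetical schema, not a real product's log format):
# (timestamp, user, session_id, source_ip, user_agent, event_type)
EVENTS = [
    ("2026-03-01T09:00:00", "alice", "s-100", "203.0.113.10", "Edge/Win11", "signin"),
    ("2026-03-01T09:02:00", "alice", "s-100", "198.51.100.77", "python-requests", "token_use"),
    ("2026-03-01T09:30:00", "alice", None, "203.0.113.10", "Edge/Win11", "password_change"),
    ("2026-03-01T10:15:00", "alice", "s-100", "198.51.100.77", "python-requests", "token_use"),
    ("2026-03-01T09:05:00", "bob", "s-200", "192.0.2.5", "Chrome/macOS", "signin"),
    ("2026-03-01T09:20:00", "bob", "s-200", "192.0.2.5", "Chrome/macOS", "token_use"),
]

def detect_session_anomalies(events):
    """Return sorted (user, session_id, reason) findings for suspicious session use."""
    origin = {}      # session_id -> (ip, user_agent, sign-in time)
    pw_changed = {}  # user -> time of the latest password change
    findings = set()
    # ISO 8601 timestamps sort chronologically as strings.
    for ts, user, sid, ip, ua, kind in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "signin":
            origin[sid] = (ip, ua, when)
        elif kind == "password_change":
            pw_changed[user] = when
        elif kind == "token_use" and sid in origin:
            o_ip, o_ua, o_when = origin[sid]
            # Rule 1: the session token is presented by a client other than
            # the one that completed the interactive sign-in.
            if (ip, ua) != (o_ip, o_ua):
                findings.add((user, sid, "token_used_from_new_client"))
            # Rule 2: a session created before a password change is still
            # being honoured afterwards, i.e. it was never revoked.
            changed = pw_changed.get(user)
            if changed and o_when < changed:
                findings.add((user, sid, "session_survived_password_change"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect_session_anomalies(EVENTS):
        print(finding)
```

Because an AiTM proxy relays the sign-in itself, the origin recorded by the identity provider may already be attacker infrastructure, so rule 1 can miss a replay from the same proxy. Rule 2 does not depend on the origin, which is why revoking existing sessions on every password reset matters.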