The Tycoon2FA phishing-as-a-service platform, disrupted by Europol and partners through the seizure of 330 domains in early March 2026, has quickly resumed operations to pre-disruption levels. Despite the takedown, CrowdStrike observed a rapid recovery using largely unchanged tactics, highlighting that without arrests or physical seizures, cybercriminals can swiftly restore their infrastructure due to continued demand in the phishing ecosystem.
Tycoon2FA Phishing Platform Returns After Recent Police Disruption

