On March 4th, the State Police Cybercrime Combating Department, together with Europol, foreign law enforcement agencies, and private sector partners, shut down the global phishing service platform Tycoon2FA, deactivating 330 domains that formed the basis of the criminal infrastructure.
In Latvia, the State Police launched criminal proceedings in connection with this criminal scheme in 2024 for large-scale fraud.
The investigation revealed that by compromising company email accounts, the criminals caused losses of more than €317,600.
Additional episodes are still being identified, and investigators continue to contact potential victim companies.
During the investigation, the State Police began cooperating with Europol.
Tycoon2FA had been operating since at least August 2023 and was one of the largest phishing operations in the world. The platform provided cybercriminals with a set of tools that allowed them to intercept online authentication sessions and secretly access email and cloud service accounts.
Using this access, criminals infiltrated companies’ commercial correspondence and, at the appropriate moment, changed the details on invoices or replaced invoices with forged ones, thereby diverting payments to their own accounts. Every month, tens of millions of phishing emails were distributed through the platform, giving attackers access to nearly 100,000 organisations worldwide, including schools, hospitals, and government agencies.
By mid-2025, approximately 62% of all phishing attempts blocked by Microsoft were linked to this platform.
The investigation, coordinated by Europol, began after Trend Micro shared information with the company. Microsoft and Trend Micro, in collaboration with law enforcement agencies under the Europol Cyber Intelligence Extension Programme, provided technical analysis and helped identify the platform’s infrastructure.
Law enforcement agencies worked closely with private sector partners, including Cloudflare, Coinbase, Intel471, Proofpoint, Shadowserver Foundation, SpyCloud, and Trend Micro. International coordination was provided by the European Cybercrime Centre.
The State Police registers an average of 40 cases of compromised email accounts each year, with total losses amounting to around one million euros. In 2025, a total of 46 such criminal offences were registered, with losses amounting to 1,222,713 euros.
The State Police urges companies to pay special attention to email security, implement multi-factor authentication, regularly train employees on phishing risks, and carefully check changes to payment details, especially in cases where the information has been received via electronic communication.
Select text and press Ctrl+Enter to send a suggested correction to the editor
Select text and press Report a mistake to send a suggested correction to the editor
Tell us about a mistake