Global Cybercrime Disruptions Target LeakBase And Tycoon2FA
A coordinated international law enforcement effort has delivered a significant blow to the cybercrime ecosystem. Authorities from the United States, Europe, and multiple partner nations recently dismantled the major hacker forum LeakBase. They also disrupted Tycoon2FA, one of the world's largest phishing-as-a-service platforms.

Together, these operations show how cybercriminal infrastructure relies on interconnected services, including underground marketplaces, phishing kits, and credential-harvesting tools. By targeting both a cybercrime marketplace and a large-scale phishing operation, investigators disrupted critical supply chains that enable data theft, fraud, and initial access attacks.
The actions underscore the importance of international cooperation among law enforcement, governments, and private-sector security teams in disrupting cross-border cybercrime.
The LeakBase Takedown
The United States Department of Justice seized LeakBase, a prominent cybercrime forum for distributing stolen data and hacking resources. Investigators described the site as one of the largest hubs for cybercriminal activity operating on the open internet.
Investigators said LeakBase hosted a vast archive of breached databases, credential dumps, and illicit tools. Members used the forum to buy, sell, and trade compromised data, such as login credentials and financial records from prior cyberattacks.
Authorities revealed that the forum had grown rapidly since its launch in 2021. It accumulated more than 142,000 registered users and over 215,000 messages exchanged among members. Law enforcement agencies from 14 countries participated in the operation that led to the seizure of the forum. The investigation involved the FBI, Europol, and several international partners who worked together to identify administrators and collect evidence.
The operation resulted not only in the seizure of the forum's infrastructure but also in the capture of its internal data. Investigators now possess extensive information about user accounts, communications, and potential transactions linked to cybercrime activity.
Officials said the database could help authorities identify individuals who bought or sold stolen information through the platform.
A spokesperson from the Office of Public Affairs at the U.S. Department of Justice emphasized the significance of the operation, stating that authorities had dismantled "one of the world's largest hacker forums," a description that highlights the scale of the criminal marketplace.
The seizure also demonstrates how law enforcement agencies, in recent years, have infiltrated underground communities, gathered intelligence on participants, and ultimately seized infrastructure to identify suspects.
Disrupting the Tycoon2FA Phishing-as-a-Service Platform
While authorities targeted the cybercrime marketplace, a parallel operation disrupted a major phishing platform known as Tycoon2FA.
Tycoon2FA operated as a phishing-as-a-service (PhaaS) platform. It allowed cybercriminals to launch sophisticated phishing campaigns without advanced technical expertise. Investigators linked the platform to large-scale credential harvesting campaigns that affected organizations worldwide.
The platform used adversary-in-the-middle (AiTM) techniques. These techniques intercepted login sessions and captured authentication tokens during sign-in. By collecting session cookies along with usernames and passwords, attackers could bypass multifactor authentication protections. This allowed them to gain persistent access to accounts.
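A defensive illustration of the session-cookie theft described above, added here and not part of the original article: a stolen cookie shows up in identity-provider logs as one session token presented by two unrelated clients. The record layout, field order and sample events are constructed assumptions, not any vendor's log schema.

```python
from datetime import datetime

# Constructed session-activity records (assumed layout, not a vendor schema):
# (timestamp, user, session id, source ASN, user agent)
EVENTS = [
    ("2025-06-01T09:00:05", "alice", "s-1001", 64500, "Chrome/125 Windows"),
    ("2025-06-01T09:04:40", "alice", "s-1001", 64511, "python-requests/2.31"),
    ("2025-06-01T10:15:00", "bob", "s-2002", 64500, "Safari/17 iPhone"),
    ("2025-06-01T10:40:00", "bob", "s-2002", 64502, "Safari/17 iPhone"),  # roaming
    ("2025-06-01T11:00:00", "carol", "s-3003", 64500, "Firefox/126 Linux"),
]


def find_token_replay(events):
    """Flag sessions whose token is later used from a different network AND client.

    A session cookie is bound to one browser. A network change alone is normal
    (mobile roaming, VPN), so both the ASN and the user agent must differ from
    the first use before the session is reported.
    """
    first_seen = {}  # session id -> (time, asn, user agent) of first use
    alerts = []
    for ts, user, sid, asn, ua in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if sid not in first_seen:
            first_seen[sid] = (when, asn, ua)
            continue
        t0, asn0, ua0 = first_seen[sid]
        if asn != asn0 and ua != ua0:
            alerts.append({
                "user": user,
                "session": sid,
                "first_asn": asn0,
                "replay_asn": asn,
                "replay_ua": ua,
                "seconds_after_first_use": int((when - t0).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(EVENTS):
        print(alert)
```

In an AiTM flow the identity provider may record the relay's address at sign-in rather than the victim's, so the signal is the same token appearing from two unrelated clients, whichever was seen first.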
The scale of the operation was considerable. By mid-2025, Tycoon2FA accounted for roughly 62% of the phishing attempts blocked by Microsoft. This demonstrates its widespread use among cybercriminals. Authorities linked the platform to tens of millions of phishing messages sent each month. Nearly 100,000 victims worldwide have been affected since 2023. Targets included organizations in healthcare, education, and government. Compromised credentials can grant attackers valuable access to sensitive systems.
The takedown of Tycoon2FA relied on collaboration between law enforcement agencies, including Europol, and private-sector cybersecurity teams under Microsoft's umbrella.
Investigators seized 330 domains used to host the platform's infrastructure. These included phishing pages and administrative control panels. The operation involved multiple organizations, such as Europol and industry partners. These partners helped identify infrastructure, analyze phishing campaigns, and coordinate legal actions to disrupt the service.
Europol highlighted the importance of collaboration in addressing the evolving cybercrime landscape. A spokesperson for Europol explained that coordinated international efforts could disrupt large-scale criminal services and reduce the threat of phishing-as-a-service platforms.
The takedown removed critical infrastructure used by cybercriminals. It significantly reduced attackers' ability to run phishing campaigns through the service. Tycoon2FA shows a growing trend in cybercrime: the commercialization of attack capabilities through subscription-based services.
Phishing-as-a-service platforms provide ready-to-use phishing kits. They offer hosting infrastructure and automated dashboards that help users launch attacks quickly. This model dramatically lowers the barrier to entry for cybercrime.
Typical features offered by these platforms include:
- Pre-built phishing templates that mimic trusted brands and login portals
- Real-time credential capture dashboards
- Automated hosting and infrastructure management
By simplifying complex techniques, these services allow even those with little technical skill to run advanced phishing campaigns.
This shift mirrors the broader "cybercrime-as-a-service" economy. In this economy, malware, exploit kits, and ransomware operations increasingly operate as commercial services.
Both the LeakBase and Tycoon2FA operations provide investigators with significant intelligence opportunities. The seizure of forums and phishing infrastructure often yields valuable datasets, including:
- User account information and aliases
- Internal communications between cybercriminals
- Payment records and cryptocurrency wallets
Such information can help authorities identify administrators, trace financial flows, and link individuals to other cybercrime operations. In previous investigations, similar intelligence has helped law enforcement agencies build cases against cybercriminal networks. They have also used it to pursue arrests across multiple jurisdictions.
Investigators believe data from LeakBase and Tycoon2FA may reveal connections among phishing operators, credential brokers, and ransomware groups. The dismantling of LeakBase and Tycoon2FA is a significant victory for law enforcement and cybersecurity defenders. However, experts acknowledge that the cybercrime ecosystem is resilient.
Historically, when authorities shut down major forums or services, new platforms often emerge. The shutdown of earlier hacker communities has repeatedly led to the rise of successor forums or alternative marketplaces. Despite this pattern, operations like these still deliver meaningful disruption.
Removing infrastructure forces cybercriminals to rebuild networks, migrate services, and reestablish trust among participants. These processes slow operations and create opportunities for further investigations. More importantly, the intelligence gathered during these takedowns can lead to long-term prosecutions and additional enforcement actions.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.