How Law Enforcement Dismantled Tycoon 2FA and LeakBase [Prime Cyber Insights]
Prime Cyber Insights


Episode E1124
March 5, 2026
Duration: 05:22
Hosts: Neural Newscast
Tags: News, Tycoon 2FA, LeakBase, Europol, FBI, Android Security, Qualcomm Zero-Day, Agentic AI, Post-Quantum Cryptography, Phishing-as-a-Service, OAuth Abuse, PrimeCyberInsights


Episode Summary

This briefing analyzes a surge in international law enforcement activity, including the coordinated takedown of Tycoon 2FA, a prominent phishing-as-a-service toolkit linked to over 64,000 attacks. We examine the seizure of the LeakBase forum, where over 142,000 members traded stolen credentials, and the technical mechanisms of 'Adversary-in-the-Middle' attacks. The episode also explores the emerging risk of agentic AI, where threat actors are using autonomous toolchains to execute 80-90% of attack operations without human intervention. Finally, we cover critical technical updates, including Google's March 2026 Android security bulletin addressing 129 vulnerabilities—notably a zero-day Qualcomm flaw—and the strategic shift toward Post-Quantum Cryptography to counter 'harvest now, decrypt later' tactics. Aaron Cole and Lauren Mitchell provide practitioner-oriented context on why these developments shift the risk landscape for enterprise security teams and how to prioritize remediation across identity and mobile infrastructure.


Show Notes

This episode of Prime Cyber Insights examines a massive week for international law enforcement, headlined by the dismantling of the Tycoon 2FA phishing-as-a-service platform and the seizure of the LeakBase credentials forum. Aaron Cole and Lauren Mitchell break down the mechanics of these operations, including how Tycoon 2FA facilitated over 64,000 attacks by bypassing multi-factor authentication. We also explore the rapid weaponization of agentic AI by threat actors and why Google’s latest Android update is a critical priority for enterprise fleet management. From credential harvesting to quantum-resistant encryption, we connect today's headlines to the technical controls practitioners need to maintain digital resilience.

Topics Covered

  • 🚨 Tycoon 2FA Takedown: Analysis of the Europol-led operation against a Phishing-as-a-Service giant.
  • 🔒 LeakBase Forum Seizure: How the FBI and global partners dismantled a hub for 142,000 cybercriminals.
  • 🤖 The Agentic Threat: Exploring the shift toward autonomous AI attack chains and 'Big Sleep' vulnerability discovery.
  • 📱 Android Patch Alert: Critical details on 129 flaws and the CVE-2026-21385 Qualcomm zero-day.
  • 🔐 OAuth Redirect Abuse: Why attackers are weaponizing silent authentication flows for malware delivery.
  • 🌐 Quantum Readiness: The move toward ML-KEM and hybrid cryptography in the face of long-term data exposure.

Disclaimer: This program is for informational purposes only and does not constitute legal or professional security advice.

Neural Newscast is AI-assisted, human reviewed. View our AI Transparency Policy at NeuralNewscast.com.

  • (00:11) - Introduction
  • (00:31) - Law Enforcement Takedowns
  • (01:27) - Agentic AI and Protocol Abuse
  • (01:27) - Technical Briefing and Android Patches
  • (04:35) - Conclusion

Transcript

[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders, Leaders, and Decision Makers.
[00:11] Aaron Cole: Welcome to the Briefing Room for Prime Cyber Insights.
[00:15] Aaron Cole: Today is March 5, 2026.
[00:17] Lauren Mitchell: Today, we are tracking a significant wave of law enforcement disruptions against the credential harvesting ecosystem and a fundamental shift in how AI-driven attacks are scaling.
[00:31] Aaron Cole: The lead story involves a major coordinated effort.
[00:35] Aaron Cole: As reported by The Hacker News, Europol led a coalition to dismantle Tycoon 2FA.
[00:42] Aaron Cole: This Phishing-as-a-Service powerhouse emerged in August 2023 and has since been linked to over 64,000 incidents.
[00:52] Aaron Cole: The scale is staggering.
[00:54] Aaron Cole: Microsoft blocked over 13 million associated emails in October 2025 alone.
[01:01] Lauren Mitchell: The technical sophistication of Tycoon 2FA made it particularly dangerous, Aaron.
[01:07] Lauren Mitchell: It utilized adversary-in-the-middle techniques to intercept session cookies and MFA codes in real time.
[01:13] Lauren Mitchell: This meant that even with multi-factor authentication enabled, attackers could gain persistence.
[01:19] Lauren Mitchell: It targeted nearly 100,000 organizations, specifically focusing on enterprise environments across healthcare and finance.
[01:27] Aaron Cole: While that operation targeted the phishing infrastructure, the FBI and Europol were also active on the dark web.
[01:35] Aaron Cole: They successfully seized the LeakBase forum, a massive clearinghouse with over 142,000 members.
[01:44] Aaron Cole: Lauren, this seizure banner indicates authorities have secured all user accounts, private messages, and IP logs for evidentiary purposes.
[01:55] Lauren Mitchell: It is a critical point.
[01:57] Lauren Mitchell: Dismantling the forum is one thing, but harvesting the data of its 37 most active users creates a long-tail risk for the criminal community.
[02:08] Lauren Mitchell: We are seeing a direct hit on the Identities as a Service pipeline.
[02:13] Lauren Mitchell: However, as the infrastructure falls, tactics are evolving.
[02:18] Lauren Mitchell: We are now seeing the rise of what researchers call agentic attacks.
[02:22] Aaron Cole: Exactly.
[02:24] Aaron Cole: TechRadar Pro reports that threat actors, particularly from China and North Korea, are now weaponizing agentic AI.
[02:32] Aaron Cole: This goes beyond chatbots writing phishing lures.
[02:36] Aaron Cole: These are autonomous toolchains performing 80 to 90% of the attack life cycle, from profiling targets to identifying vulnerabilities and exploiting them with minimal human intervention.
[02:48] Lauren Mitchell: It changes the math for defenders, Aaron.
[02:51] Lauren Mitchell: If an AI agent can operate at thousands of requests per second, the time between zero-day discovery and exploitation shrinks to almost nothing.
[03:01] Lauren Mitchell: We are also seeing this complexity hit standard protocols.
[03:05] Lauren Mitchell: Attackers are abusing OAuth's built-in error redirects, sending victims to legitimate Microsoft or Google URLs that then redirect the browser to a malicious landing page.
[03:17] Aaron Cole: It is a clever use of trusted domains to bypass filters.
[03:21] Aaron Cole: On the remediation side, Google has released its March 2026 Android Security Bulletin, fixing 129 vulnerabilities.
[03:32] Aaron Cole: This includes 10 critical flaws and a high-severity zero-day in a Qualcomm graphics component, tracked as CVE-2026-21385, which is already being exploited in the wild.
[03:47] Lauren Mitchell: That Qualcomm bug affects 235 different chipsets, making the patch rollout a massive logistical challenge for OEMs.
[03:56] Lauren Mitchell: And while we patch today's flaws, there is a growing focus on the future.
[04:01] Lauren Mitchell: The harvest-now, decrypt-later threat has moved post-quantum cryptography to the forefront.
[04:07] Lauren Mitchell: Organizations are adopting hybrid models like ML-KEM to protect data that must remain confidential for decades.
[04:16] Aaron Cole: It is a lot to process, from dismantled phishing kits to quantum-safe transitions.
[04:22] Aaron Cole: For practitioners, the priority remains clear.
[04:25] Aaron Cole: Rotate sessions for any identity compromise and accelerate the Android patch cycle for high-risk users.
[04:33] Aaron Cole: That concludes our briefing for today.
[04:35] Lauren Mitchell: Thanks for joining us.
[04:36] Aaron Cole: This has been Prime Cyber Insights from Neural Newscast.
[04:40] Aaron Cole: For further technical analysis, visit pci.neuralnewscast.com.
[04:46] Aaron Cole: Neural Newscast is AI-assisted, human-reviewed.
[04:49] Aaron Cole: View our AI transparency policy at neuralnewscast.com.
[04:54] Aaron Cole: Stay resilient.
[04:55] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[04:59] Announcer: Intelligence for Defenders, Leaders, and Decision Makers.
[05:02] Announcer: Neural Newscast uses artificial intelligence in content creation, with human editorial review prior to publication.
[05:09] Announcer: While we strive for factual, unbiased reporting, AI-assisted content may occasionally contain errors.
[05:16] Announcer: Verify critical information with trusted sources.
[05:19] Announcer: Learn more at neuralnewscast.com.
