Law enforcement disrupts Tycoon 2FA phishing-as-a-service platform.

Summary

By the N2K CyberWire staff

Law enforcement disrupts Tycoon 2FA phishing-as-a-service platform.

A Europol-coordinated law enforcement operation shuttered 330 domains used by the popular phishing-as-a-service platform Tycoon 2FA, dismantling the core infrastructure of the criminal service. Microsoft used a court order to seize the domains with support from private-sector partners, while the seizure of infrastructure was carried out by law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom. Tycoon 2FA grew to be one of the largest phishing services in the world after it emerged in 2023, accounting for 62% of all phishing attacks observed by Microsoft in mid-2025.

In addition to law enforcement entities, Microsoft credits Proofpoint, Intel 471, eSentire, SpyCloud, Cloudflare, Health‑ISAC, Resecurity, Trend Micro, Coinbase, and the Shadowserver Foundation for their contributions to the takedown.

From AI Ambition to Secure Agents at Scale

Join Glean’s virtual Security Showcase on March 12 to receive a new security framework for AI agents, hear a candid CIO–CISO conversation on real-world risk decisions, and see new controls for data protection, agent guardrails, and private‑by‑design deployment. Register to walk away with a practical blueprint for deploying secure, governed AI agents at scale. Register now.

FBI and Europol seize Leakbase cybercriminal forum.

A separate law enforcement operation carried out by the US FBI and European law enforcement agencies shut down the Leakbase cybercriminal forum, the Record reports. The US Justice Department stated, "On March 3 and 4, law enforcement agents and officers in 14 countries including the United States took synchronized actions against LeakBase and its users in a coordinated effort hosted by Europol in The Hague. Specifically, the United States and other countries shut down LeakBase, seized its data and two of the domains used by the forum, posted seizure banners on the LeakBase sites, sent prevention messages to LeakBase members, and collected additional evidence. Law enforcement also executed search warrants, arrests, and conducted interviews in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom."

The operation resulted in thirteen arrests. Brett Leatherman, assistant director of the FBI's cyber division, said in an interview, "We expect that these actors who've been arrested will potentially have information or evidence that would help us move upstream against other actors."

Vellox Reverser: Defeat malware in minutes

Vellox Reverser is an autonomous malware reverse engineering and threat intelligence product from Booz Allen. It delivers deep technical analysis and actionable insights in minutes, enabling teams to neutralize threats at scale, reduce organizational risk, and outpace evolving adversaries. Reverse the unknown, fast. Request a demo or start your 30-day free trial and experience cybersecurity at machine speed.

Cisco warns of fresh Catalyst SD-WAN exploits.

Cisco warns that threat actors are exploiting two recently patched Catalyst SD-WAN vulnerabilities (CVE-2026-20128 and CVE-2026-20122), SecurityWeek reports. CVE-2026-20128 is a high-severity information disclosure issue that can allow an authenticated, local attacker to obtain Data Collection Agent (DCA) user privileges on a vulnerable system. CVE-2026-20122 is a medium-severity flaw that can enable an authenticated, remote attacker to overwrite arbitrary files on the local file system. SecurityWeek notes that attackers are likely chaining the flaws with other vulnerabilities.

Cisco warned last week that a critical SD-WAN flaw (CVE-2026-20127) was being exploited as a zero-day; it's unclear if the new exploitation is part of the same attack campaign.

Vellox Reverser: Accelerate cyber defense at machine speed

Vellox Reverser is an autonomous malware reverse engineering and threat intelligence product from Booz Allen. It delivers deep insights and actionable countermeasures in minutes, dramatically accelerating response time to today’s most complex cyber threats. Fully automated. Built for speed. A true force multiplier for cyber defense. Request a demo or start your 30-day free trial and experience cybersecurity at machine speed.

Experience the Power of Community at RSAC 2026 Conference

RSAC™ 2026 Conference returns to San Francisco March 23–26, bringing together the global cybersecurity community for four days of expert insights, hands-on learning, and breakthrough innovation. Join thousands of practitioners, executives, and innovators as they tackle today’s toughest challenges and explore solutions shaping tomorrow. From cutting-edge ideas to immersive programs and vibrant networking, this is where meaningful progress happens. Register today and be part of the conversations driving cybersecurity forward.

Notes.

Today's issue includes events affecting Australia, Belgium, Latvia, Lithuania, Poland, Portugal, Romania, Spain, the United Kingdom, and the United States.

Security Patches, Mitigations, and Software Updates

Google Issues Emergency Chrome Update to Patch 10 Security Vulnerabilities (Cyber Security News) This update version 145.0.7632.159/160 for Windows and macOS, and 145.0.7632.159 for Linux addresses three critical and seven high-severity flaws.

Legislation, Policy, and Regulation

Defense tech companies are dropping Claude after Pentagon's Anthropic blacklist (CNBC) Anthropic customers that do business with the government are having to make the tough call on whether to abandon Claude.

Sen. Wyden Warns of Mass Surveillance Amid Pentagon's Fight With Anthropic (Gizmodo) "Creating AI profiles of Americans based on that data represents a chilling expansion of mass surveillance," said Wyden.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

RSAC 2026 (San Francisco, California, USA, Mar 23 - 26, 2026) Ideas become breakthroughs when shared. Challenges become opportunities when tackled together. That’s the Power of Community—a key focus for RSAC™ 2026 Conference. Real change happens when cybersecurity professionals unite.

Wicked6 Cyber Games (Virtual, Mar 27 - 29, 2026) The premier global event spotlighting WOMEN in Cyber and Tech through exciting, team-based cyber competitions, mentorship, and community engagement. Our virtual, global "Hack and Chat" inspires and empowers women in cybersecurity from over 40 countries across six continents and there's lots of excitement building behind this year's theme. Your investment will enable women from across the globe to meet, learn from each other, play cyber games together and compete in a quality Attack and Defend competition.

SO-CON 2026 (Arlington, Virginia, USA, Apr 13 - 14, 2026) SO-CON is the only conference dedicated to identity-based security and attack path management. The week begins with a two-day main conference packed with talks, research, and community exchange, followed by four days of deep-dive, hands-on trainings led by adversary-experienced practitioners. Training to follow on April 15-18, 2026.

Space Symposium 2026 (Colorado Springs, Colorado, USA, Apr 13 - 16, 2026) Space Symposium is the premier event uniting global space professionals from all sectors, providing a unique platform to explore critical space issues, foster dialogue, and drive innovation across the space industry.

Philadelphia Cybersecurity Summit (Philadelphia, PA, Apr 15, 2026) Maximize your networking opportunities by meeting with fellow industry executives and leading security experts at the upcoming 9th Annual Philadelphia Official Cybersecurity Summit on Wednesday, April 15, 2026. Secure your admission now! Use Code CSS26-CRA before February 18 for Free Admission.*

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 03.05.26

Top stories.

Law enforcement disrupts Tycoon 2FA phishing-as-a-service platform.

FBI and Europol seize Leakbase cybercriminal forum.

Cisco warns of fresh Catalyst SD-WAN exploits.

Notes.

Security Patches, Mitigations, and Software Updates

Legislation, Policy, and Regulation

Events