New York, March 5, 2026, 11:17 EST
- Coinbase reported it played a role in disrupting Tycoon 2FA, a phishing-as-a-service toolkit designed to get around multi-factor authentication protections.
- Microsoft reported seizing 330 domains linked to the campaign, while Cloudflare said it cleared out associated infrastructure.
- Coinbase stock slipped Thursday, with investors sizing up a recent crypto-stock rally while U.S. crypto legislation remains stuck in neutral.
Coinbase Global Inc (COIN.O) announced Wednesday it collaborated with Microsoft and several other partners to take down “Tycoon 2FA,” a phishing operation that sold stolen login credentials by subscription. According to the crypto exchange, it tracked crypto transactions tied to the service, which led to identifying a suspected administrator, reportedly based in Pakistan. 1
The timing isn’t lost on Coinbase. Phishing attacks still find their way into accounts—and then, inevitably, into complaints—even if users have enabled additional login protections.
Microsoft identified Tycoon 2FA as the source of tens of millions of scam emails each month, targeting over 500,000 organizations worldwide. By mid-2025, the company said, Tycoon 2FA was responsible for roughly 62% of all phishing attempts Microsoft intercepted. Acting on a court order from the U.S. District Court for the Southern District of New York, Microsoft seized 330 domains tied to the operation. “Taking this infrastructure offline cuts off a major pipeline for account takeovers,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said. 2
Cloudflare joined the operation, reporting that attackers exploited its Workers feature to execute malicious code and sometimes send visitors to harmless pages in a bid to duck detection. The company has banned thousands of domains and disabled associated Worker scripts, targeting a scheme built around business email compromise — where scammers seize an email account to fool organizations into wiring funds to fraudulent accounts. 3
Microsoft security researchers say Tycoon pulled off an “adversary-in-the-middle” attack, placing themselves between targets and the legitimate site to intercept logins and swipe session cookies—those are the fleeting tokens that let people stay logged in. The phishing kit was hawked on messaging platforms, according to Microsoft, running at roughly $120 for 10 days or $350 for a month, though prices weren’t set in stone. 4
Still, yanking sites doesn’t stop phishing cold. The people behind these schemes adapt quickly, cycling through new domains and reusing their scripts. The fundamental problem remains: someone out there will click.
By 11:02 a.m. EST, Coinbase shares slipped 0.8% to $207.24.
Shares surged roughly 15% Wednesday, lifted by a bitcoin rally and renewed investor appetite for crypto-related stocks, according to the Financial Times. Robinhood Markets, known for its sizable retail trader following, gained around 8% during the session, the paper noted. 5
Bitcoin hovered near $74,000 on Thursday, marking its first climb back to that price point since early February, according to Investopedia. Even so, Sean Farrell, who leads digital asset strategy at Fundstrat, wasn’t ready to call it a lasting move. “This is likely a rally to rent rather than own,” he told clients in a note. 6
Coinbase is still pressing for clear rules from Washington, saying it needs regulatory certainty to operate smoothly. The Clarity Act, which aims to define when a crypto token counts as a security or a commodity, has stalled once more. Banks refused to support a White House deal on stablecoin rewards, according to Reuters. Stablecoins—meant to track the dollar—are at the heart of this dispute over whether platforms can offer interest-style perks to users. Standard Chartered puts possible outflows at $500 billion from U.S. bank deposits by the end of 2028 if stablecoins keep gaining ground. 7
Back in January, Coinbase CEO Brian Armstrong played a role in stopping an earlier draft, arguing the company couldn’t back the proposal and cautioning it would limit stablecoin rewards. “We’d rather have no bill than a bad bill,” Armstrong said then. 8
Coinbase posted an unexpected loss last quarter, with trading activity down, Reuters said in February. Still, the company saw higher subscription and services revenue and gains in its stablecoin operations. Zacks Investment Research’s David Bartosiak called these areas “the company’s diversification and ‘shock absorbers’” against volatile crypto trading fees. 9
Rivals aren’t sitting on their hands while Congress deliberates. OKX snagged a $25 billion valuation after Intercontinental Exchange—the NYSE parent and an early Coinbase backer—grabbed a minority stake along with a board seat, according to Reuters. “There was a time window to get Clarity done. It’s looking more and more challenging as time goes by,” OKX Global Managing Partner Haider Rafique said to Reuters. 10
