Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses

Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda


Security experts have issued a warning about the continued risk of Tycoon 2FA attacks, even after a law enforcement operation took down the phishing as a service (PhaaS) platform last month.

According to Barracuda, while attacks have since dropped by 77%, they still persist, with more than two million taking place each month.

Before the takedown, Tycoon 2FA was behind tens of millions of phishing messages, reaching over 500,000 organizations each month worldwide.

First spotted in August 2023, it used adversary-in-the-middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time, leading to large-scale account compromise.

It was linked to more than 96,000 distinct phishing victims globally, including more than 55,000 Microsoft customers and around 5,350 in the UK, hitting sectors including education, healthcare, finance, and the public sector.

The takedown last month saw Microsoft seize 330 domains forming the core infrastructure of the criminal service, including phishing pages and control panels.

Yet Barracuda said its analysis shows the impact of the takedown has been largely restricted to Tycoon’s own brand name and visibility, along with a drop in the use of Tycoon-linked hosting and domain patterns.

"The ‘body’ of Tycoon: its tools and techniques, live on. They have migrated, been redistributed and diversified across competing platforms, or simply left where they are," the company said in a blog post.

Pouncing on the Tycoon 2FA takedown

Notably, Barracuda found that other phishing kits have moved quickly to take Tycoon 2FA's place, with increased campaign activity involving the established platforms of Mamba 2FA and EvilProxy, as well as aggressive newcomers such as Sneaky 2FA and Whisper 2FA.

These kits have boosted their feature sets and infrastructure maturity, according to Barracuda, often leveraging tools formerly used by Tycoon 2FA.

"Tycoon 2FA was widely used by independent affiliates. This means that variants of Tycoon 2FA’s attack code that have been cloned or modified by individual adversaries continue circulating. It also means that independently hosted deployments remain active and that fragmented, low-volume campaigns persist," the firm said.

"For example, Barracuda recently detected a ‘device code’ phishing campaign that leveraged Tycoon’s stand-out features. Code similarities included Tycoon’s signature ‘noise’ of motivational style comments. In this incident, the comments all begin with the word ‘success’."

This campaign also featured Tycoon 2FA’s unique anti-analysis, anti-debugging and redirection capabilities.
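As an added illustration of how a defender might triage for the comment signature described above (this is not Barracuda's code, and the sample script is constructed here rather than taken from any kit), a small Python check extracts JavaScript comments and flags a file whose comments are dominated by lines opening with the word "success":

```python
import re

# Constructed sample, not real kit code: a harmless script whose
# comments follow the described pattern (each one opens with "success").
SAMPLE_JS = """
// success is a journey not a destination
var x = 1;
/* success comes to those who keep going */
function f(a) { return a + 1; }
// success breeds confidence
console.log(f(x));
// TODO remove debug
"""

# Match // line comments and /* block */ comments. String literals are
# not parsed, so a "//" inside a URL string would count too; acceptable
# for a triage heuristic, not for a verdict.
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)


def extract_comments(js: str) -> list[str]:
    """Return the text of every comment with the delimiters stripped."""
    found = []
    for m in COMMENT_RE.finditer(js):
        raw = m.group(0)
        body = raw[2:] if raw.startswith("//") else raw[2:-2]
        found.append(body.strip())
    return found


def success_comment_ratio(js: str) -> tuple[int, int]:
    """Return (comments whose first word is 'success', total comments)."""
    comments = extract_comments(js)
    hits = sum(1 for c in comments if c.lower().split()[:1] == ["success"])
    return hits, len(comments)


def looks_like_tycoon_noise(js: str, min_hits: int = 3, min_ratio: float = 0.5) -> bool:
    """Flag a script when 'success' comments are both numerous and dominant."""
    hits, total = success_comment_ratio(js)
    return total > 0 and hits >= min_hits and hits / total >= min_ratio


if __name__ == "__main__":
    hits, total = success_comment_ratio(SAMPLE_JS)
    print(f"{hits}/{total} comments open with 'success'; flagged={looks_like_tycoon_noise(SAMPLE_JS)}")
```

The thresholds are assumptions; a single motivational comment proves nothing, so the check looks for the pattern to dominate a file before flagging it for analyst review.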

Tycoon 2FA is still alive and kicking

Barracuda said the reasons for Tycoon 2FA’s persistence include the fact that attackers have reused and repurposed phishing code.

Meanwhile, attack domains remain active until expiry, backup hosting often evades immediate seizure, and some low-visibility phishing campaigns fall beneath alert thresholds.

Phishing frameworks have built-in redundancy, researchers noted, while the disruption of infrastructure doesn't necessarily revoke victim access.

Stolen session cookies may remain valid, OAuth abuse can enable extended cloud access, and organizations may remain compromised after the end of the phishing campaign.
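An added example of the detection side of that point (not Barracuda's tooling; the sign-in records below are constructed): the same session cookie presented from a new IP address and client shortly after login is the trace a replayed, AitM-stolen session leaves in sign-in telemetry, and it is that session, not the phishing domain, that a responder has to revoke.

```python
from datetime import datetime

# Constructed sign-in records (not real telemetry): each line is
# timestamp, user, session id, client IP, user agent.
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice sess-1a1 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-01T08:05:00 alice sess-1a1 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-01T08:07:00 alice sess-1a1 198.51.100.77 python-requests/2.31
2024-05-01T09:00:00 bob sess-2b2 192.0.2.45 Mozilla/5.0 (Macintosh) Safari/17
2024-05-01T09:30:00 bob sess-2b2 192.0.2.45 Mozilla/5.0 (Macintosh) Safari/17
"""


def parse_line(line: str) -> dict:
    ts, user, sid, ip, ua = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "sid": sid, "ip": ip, "ua": ua}


def find_replayed_sessions(log: str) -> dict[str, dict]:
    """Return sessions whose cookie was later presented from a different
    IP *and* user agent than the one that established it. Seizing the
    phishing domain does nothing about these; the session must be revoked."""
    first_seen: dict[str, dict] = {}
    flagged: dict[str, dict] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        origin = first_seen.setdefault(rec["sid"], rec)
        if rec["ip"] != origin["ip"] and rec["ua"] != origin["ua"]:
            flagged.setdefault(rec["sid"], {
                "user": rec["user"],
                "origin_ip": origin["ip"],
                "replay_ip": rec["ip"],
                "replay_ua": rec["ua"],
                "minutes_after_login": (rec["ts"] - origin["ts"]).total_seconds() / 60,
            })
    return flagged


def revocation_list(log: str) -> list[str]:
    """Session ids to revoke, forcing the affected users to re-authenticate."""
    return sorted(find_replayed_sessions(log))


if __name__ == "__main__":
    for sid, info in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"revoke {sid} ({info['user']}): login from {info['origin_ip']}, replayed from "
              f"{info['replay_ip']} via {info['replay_ua']} {info['minutes_after_login']:.0f} min later")
```

Requiring both IP and user agent to change keeps mobile users who roam between networks out of the list; a production rule would also pull in the OAuth consent grants the text mentions, which survive a session revocation and need to be reviewed separately.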

"This does not mean the takedown operation failed. Rather, it shows what happens when disruption hits a maturing underground economy, and why security defenses need to look more broadly than individual players," said Barracuda.

"The Tycoon 2FA takedown accelerated ecosystem diversification. Defensive strategies therefore need to focus on models for identity-based attacks, session abuse and adversary economics. Tycoon 2FA as a branded service has declined, but the techniques it popularized are now more widely distributed than before."

Cyber crime whack-a-mole

Ross Kelly

Barracuda’s findings highlight a painful recurring theme for law enforcement agencies tackling cyber crime – these operations are very hard to kill outright.

While takedowns cripple infrastructure and hamper operations for a time, many groups simply dust themselves off and get back to it, often in a far more aggressive way.

There have been repeated instances of cyber crime operations coming back from the dead in recent years despite hard crackdowns by industry stakeholders and law enforcement agencies.

Emotet ranks among the best examples of this. The botnet was used to facilitate an eye-watering volume of attacks over its lifespan before being taken down by a Europol-led operation in January 2021.

Less than a year later, however, the botnet was back up and running, with analysis from November 2022 showing the cyber criminals behind the operation ramped up attacks to record levels.

Of course, that’s not to say law enforcement should just down tools and stop trying. The impact of these takedowns may have a limited shelf life, but they do provide a temporary reprieve for victims and deliver long-term benefits.

As ITPro reported in the wake of the RAMP hacking forum takedown last year, they enable law enforcement to gain vital intelligence on how these groups work and support other operations further down the line.

This cat and mouse game between hackers and law enforcement is as old as cyber crime itself, and shows no signs of slowing down.


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

With contributions from