Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses
Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
Security experts have issued a warning about the continued risk of Tycoon 2FA attacks, even after a law enforcement operation took down the phishing as a service (PhaaS) platform last month.
According to Barracuda, while attacks have since dropped by 77%, they still persist, with more than two million taking place each month.
Before the takedown, Tycoon 2FA was behind tens of millions of phishing messages, reaching over 500,000 organizations each month worldwide.
First spotted in August 2023, it used adversary in the middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time, leading to large-scale account compromise.
It was linked to more than 96,000 distinct phishing victims globally, including more than 55,000 Microsoft customers and around 5,350 in the UK, hitting sectors including education, healthcare, finance, and the public sector.
The takedown last month saw Microsoft seize 330 domains forming the core infrastructure of the criminal service, including phishing pages and control panels.
Yet Barracuda said its analysis shows the impact of the takedown has been largely restricted to Tycoon’s own brand name and visibility, along with a drop in the use of Tycoon-linked hosting and domain patterns.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
"The ‘body’ of Tycoon: its tools and techniques, live on. They have migrated, been redistributed and diversified across competing platforms, or simply left where they are,” the company said in a blog post.
Pouncing on the Tycoon 2FA takedown
Notably, Barracuda found that other phishing kits have moved quickly to take Tycoon 2FA's place, with increased campaign activity involving the established platforms of Mamba 2FA and EvilProxy, as well as aggressive newcomers such as Sneaky 2FA and Whisper 2FA.
These kits have boosted their feature sets and infrastructure maturity, according to Barracuda, often leveraging tools formerly used by Tycoon 2FA.
"Tycoon 2FA was widely used by independent affiliates. This means that variants of Tycoon 2FA’s attack code that have been cloned or modified by individual adversaries continue circulating. It also means that independently hosted deployments remain active and that fragmented, low-volume campaigns persist," the firm said.
"For example, Barracuda recently detected a ‘device code’ phishing campaign that leveraged Tycoon’s stand-out features. Code similarities included Tycoon’s signature ‘noise’ of motivational style comments. In this incident, the comments all begin with the word ‘success’."
This campaign also featured Tycoon 2FA’s unique anti-analysis, anti-debugging and redirection capabilities.
Tycoon 2FA is still alive and kicking
Barracuda said the reasons for Tycoon 2FA’s persistence include the fact that attackers have reused and repurposed phishing code.
Meanwhile, attack domains remain active until expiry, backup hosting often evades immediate seizure, and some low-visibility phishing campaigns fall beneath alert thresholds.
Phishing frameworks have built-in redundancy, researchers noted, while the disruption of infrastructure doesn't necessarily revoke victim access.
Stolen session cookies may remain valid, OAuth abuse can enable extended cloud access, and organizations may remain compromised after the end of the phishing campaign.
"This does not mean the takedown operation failed. Rather, it shows what happens when disruption hits a maturing underground economy, and why security defenses need to look more broadly than individual players," said Barracuda.
"The Tycoon 2FA takedown accelerated ecosystem diversification. Defensive strategies therefore need to focus on models for identity-based attacks, session abuse and adversary economics. Tycoon 2FA as a branded service has declined, but the techniques it popularized are now more widely distributed than before."
Cyber crime whack-a-mole

Barracuda’s findings highlight a painful recurring theme for law enforcement agencies tackling cyber crime – these operations are very hard to kill outright.
While takedowns cripple infrastructure and hamper operations for a time, many groups simply dust themselves off and get back to it, and often in a far more aggressive way.
There have been repeated instances of cyber crime operations coming back from the dead in recent years despite hard crackdowns by industry stakeholders and law enforcement agencies.
Emotet ranks among the best examples of this. The botnet was used to facilitate an eye-watering volume of attacks over its lifespan before being taken down by a Europol-led operation in January 2021.
Less than a year later, however, the botnet was back up and running, with Analysis from November 2022 showing the cyber criminals behind the operation ramped up attacks to record levels.
Of course, that’s not to say law enforcement should just down tools and stop trying. The impact of these takedowns may have a limited shelf life, but they do provide a temporary reprieve for victims and deliver long-term benefits.
As ITPro reported in the wake of the RAMP hacking forum takedown last year, they enable law enforcement to gain vital intelligence on how these groups work and support other operations further down the line.
This cat and mouse game between hackers and law enforcement is as old as cyber crime itself, and shows no signs of slowing down.
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
- Ross KellyNews and Analysis Editor
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
Multi-channel phishing attacks: How to manage the riskIn-depth Attackers are evolving beyond email towards phishing across multiple channels. Why is this, and what can be done to manage the risk?
-
‘The risk to every organization has increased exponentially’: The FortiBleed campaign just took a turn for the worseNews Reports suggest that FortiBleed-linked exposed credentials could put UK government and public services at huge risk
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
US offers $10m bounty for info on Russia-linked hackers behind Signal and WhatsApp attacksNews UNC5792 and UNC4221 have been targeting government officials through their Signal and WhatsApp accounts
-
‘Hacking groups have the transport network firmly in their sights’: Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Duo accused of role in TfL cyber attack plead guilty after ‘lengthy, highly complex, and painstaking investigation’News Around 10 million people are believed to have been affected by the TfL cyber attack
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware