In the wake of Tycoon 2FA’s disruption, cybercriminals have shifted to alternative phishing-as-a-service (PhaaS) platforms. Barracuda Networks, a cybersecurity firm, reports that tools from Tycoon 2FA are being repurposed by attackers seeking new avenues for their operations.
Rise and Fall of Tycoon 2FA
Since its inception in 2023, Tycoon 2FA has enabled threat actors to carry out phishing attacks that bypass two-factor authentication, compromising numerous user accounts. The platform was instrumental in attacks against approximately half a million organizations.
In the previous year, Tycoon 2FA was involved in 62% of phishing attempts identified by Microsoft and held an 89% share of the PhaaS market, according to Barracuda’s analysis.
Impact of Recent Crackdown
A concerted effort in early March led to the seizure of 330 active domains associated with Tycoon 2FA. Despite this, the platform’s operations initially appeared largely unaffected.
Barracuda’s latest findings indicate that, although Tycoon 2FA has experienced a resurgence, it has lost its leading position as attackers move to other platforms like Mamba 2FA, EvilProxy, and Sneaky 2FA.
Growth of Alternative Platforms
Post-crackdown, the number of attacks utilizing these four phishing kits has grown from around 20 million to over 23 million. Tycoon 2FA, however, now trails behind Mamba and EvilProxy in Barracuda’s detection metrics.
Barracuda suggests that Tycoon 2FA managed to withstand the initial impact, but the broader ecosystem has adapted. New and existing phishing kits have enhanced their infrastructure, incorporating tools once exclusive to Tycoon 2FA.
Future Outlook on Phishing Ecosystem
The firm highlights that Tycoon 2FA was widely employed by independent affiliates, leading to the circulation of modified attack code. These independently hosted deployments continue to operate, sustaining fragmented, low-volume phishing campaigns.
Barracuda points out that PhaaS toolsets increasingly resemble open-source software, allowing threat actors to recycle, alter, and redeploy code. This adaptability makes phishing kits more resilient and challenging to detect.
According to Barracuda, this situation exemplifies ecosystem diversification: Tycoon 2FA’s capabilities have been distributed across various platforms rather than the platform being fully reinstated. It underscores the need for security measures to address a broader range of threats rather than focusing on individual entities.
