In the wake of a major takedown of phishing’s biggest brand name, Tycoon 2FA, phishers worldwide have scattered. Some have stuck around, but many have moved to other phishing service providers, and some seem to be jumping on a fast-growing trend toward device code phishing.
It would be shortchanging Tycoon 2FA to merely distinguish it as the world’s premiere phishing-as-a-service (PhaaS) group. A year ago, it accounted for nearly 90% of all PhaaS activity everywhere, according to data from Barracuda. It essentially owned the PhaaS ecosystem.
The ecosystem evolved, though, and earlier this year Barracuda attributed just less than half of the PhaaS market to Tycoon, with Mamba 2FA not far behind. Then a coordinated law enforcement takedown knocked out 330 of its active domains. It’s still alive and kicking, but its output has dropped from more than 9 million attacks per month to just over 2 million.
It would be incorrect, though, to infer from those figures that law enforcement caused an 80% drop in phishing activity. Whenever the feds clip major cybercrime rings, the threat actors involved don’t just hang up their keyboards and find a job. They scatter. The way Tycoon 2FA associates seem to be scattering is particularly interesting, as it mirrors some much larger trends researchers are observing in the phishing threat landscape.
PhaaS Power Politics
When it comes to such a behemoth as Tycoon 2FA, “You can’t expect one takedown to completely eliminate every aspect of these operations,” says Merium Khalid, director of SOC offensive security with Barracuda’s office of the chief technology officer (CTO). “The way you want to look at it is: They took down the operations, but the infrastructure, the tactics, the techniques, and the code behind everything is still there.”
While Tycoon has been licking its wounds, groups like EvilProxy and Sneaky 2FA have stepped into the power vacuum it’s left behind. EvilProxy attacks per month rose from just under 3 million to just over 4 million around the time of the takedown, and Sneaky 2FA rose from under 700,000 to nearly 2 million.
The group that’s benefited the most, though, is Tycoon’s formerly largest competitor, Mamba 2FA. Mamba was responsible for nearly 8 million attacks per month before Tycoon was punched in the nose. Now it’s churning out more than 15 million per month — a nearly 100% surge in mere weeks.
Like immigrants to new countries, as the hackers have migrated from one phishing service provider to another, they’ve taken what they know with them. “The [Tycoon 2FA] tools and the code and the techniques are actually now in the hands of their competitors like Mamba and EvilProxy. So I think we’re going to be seeing more sophisticated phishing-as-a-service attacks and techniques out there.”
Device Code Phishing Surges
Selena Larson, senior threat intelligence analyst at Proofpoint, saw it firsthand.
“Just yesterday I was poking around at some of the device code phishing activity we’re seeing,” she recalls over a Zoom interview. In device code phishing, attackers trick victims into handing over access to their accounts using a service’s legitimate new-device login flow. “One of the campaigns was using a PDF that had an artifact of a Tycoon URL. I was like, ‘Wait a second, is this Tycoon 2FA and EvilTokens?’ Potentially, this actor was just reusing PDFs that they had previously used for Tycoon credential phishing to do, now, EvilTokens device code account takeover.”
Barracuda came across another case of it. They observed a device code phishing campaign that incorporated one of Tycoon 2FA’s most unique quirks: motivational-style comments that create noise in its source code.
It’s no surprise, judging by Proofpoint’s latest data. By coincidence or causation, Tycoon 2FA’s takedown has overlapped almost exactly with a steep rise in device code phishing.
Larson explains that though it’s not new, device code phishing wasn’t terribly common even late into last year. “Since November, December of 2025, it’s been increasing moderately across the landscape, and over the last three to four weeks, in particular, it went from being still fairly uncommon to being quite commonly observed across the threat landscape. Even just within the last two weeks, we’ve gone from seeing a handful of easily identifiable device code phishing kits to having a lot more than that.”
It’s not clear exactly how much of Tycoon’s user base is moving toward device code, she acknowledges. “But it is, I think, indicative of the explosion of popularity for device code phishing, and these new types of phishing kits incorporating device code phishing into their kits as part of the package that they’re selling.”
For Larson, it’s only the next logical step in the history of phishing techniques. “It used to be years and years ago that threat actors would just go for your username and password. And so then multifactor authentication (MFA) was created to block that and disrupt those types of capabilities. So, OK, what do the threat actors do? Well, they make MFA phishing kits to grab the whole chain,” she explains.
“But now we’re at this point where maybe more people are aware that MFA isn’t necessarily the best,” she adds, thanks to kits like Typhoon 2FA. “Now [the threat actors] are like: ‘OK, what’s another type of phishing that we could do? OAuth phishing and device code phishing, I think, are the natural progression of where threat actors are going to go.”
Don’t miss the latest Dark Reading Confidential podcast, Security Bosses Are All in on AI: Here’s Why,where Reddit CISO Fredrick Lee and Omdia analyst Dave Gruber discuss AI and machine learning in the SOC, how successful deployments have (or haven’t) been, and what the future holds for AI security products. Listen now!
