Threat actors have migrated to other phishing-as-a-service (PhaaS) platforms after Tycoon 2FA’s disruption and are reusing its tools, cybersecurity firm Barracuda Networks says.
Active since at least 2023, Tycoon 2FA allows threat actors to launch phishing attacks, bypass two-factor authentication, and compromise user accounts. It has been used in attacks against half a million organizations.
Last year, Tycoon 2FA accounted for 62% of the phishing attempts seen by Microsoft, and was the most used PhaaS platform, with 89% market share, Barracuda says.
In early March, a coordinated effort resulted in the seizure of 330 active Tycoon 2FA domains, but the platform’s operations continued seemingly unaffected.
According to the fresh Barracuda report, despite the rebound, Tycoon 2FA lost the PhaaS crown, as threat actors have migrated to other platforms, such as Mamba 2FA, EvilProxy, and Sneaky 2FA.
The overall number of attacks leveraging these four phishing kits has increased following the disruption, from roughly 20 million to over 23 million, but Tycoon is no longer the leader as it was prior to the law enforcement operation. It’s now well behind Mamba and EvilProxy based on Barracuda detections.
Tycoon 2FA, Barracuda says, absorbed the hit, the underlying ecosystem lived on, and other phishing kits have matured their infrastructure and expanded their offerings with tools previously used by the disrupted service.
“Tycoon 2FA was widely used by independent affiliates. This means that variants of Tycoon 2FA’s attack code that have been cloned or modified by individual adversaries continue circulating. It also means that independently hosted deployments remain active and that fragmented, low-volume campaigns persist,” Barracuda notes.
According to the cybersecurity firm, PhaaS toolsets are increasingly similar to open source software, where threat actors reuse, modify, and redeploy the code.
Combined with residual infrastructure, built-in redundancy to survive disruptions, and persistent access to compromised environments, this makes phishing kits sturdier and more difficult to detect and tackle.
According to Barracuda, these artifacts reflect an ecosystem diversification, where Tycoon 2FA is redistributed across more platforms rather than restored.
“This does not mean the takedown operation failed. Rather, it shows what happens when disruption hits a maturing underground economy, and why security defenses need to look more broadly than individual players,” Barracuda notes.
Related: 53 DDoS Domains Taken Down by Law Enforcement
Related: US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites
Related: SystemBC Infects 10,000 Devices After Defying Law Enforcement Takedown
Related: 1,000+ Servers Hit in Law Enforcement Takedown of Rhadamanthys, VenomRAT, Elysium
