New research from Barracuda shows how the disruption of the dominant phishing-as-a-service (PhaaS) platform Tycoon 2FA accelerated change in the phishing ecosystem. The findings show how other players quickly moved in to seize Tycoon’s market share, redistributed and revised its tools, techniques and capabilities — and how some things, including smaller campaigns, didn’t change at all.
Tycoon 2FA was severely disrupted in early March by an international law enforcement operation. Before the takedown, Tycoon 2FA accounted for over 9 million phishing attacks per month on average, with Mamba 2FA in second place with around 8 million and EvilProxy in third with almost 3 million. Sneaky 2FA accounted for nearly 700 thousand attacks.
Following the takedown, Mamba 2FA became the dominant phishing platform, doubling to 15 million attacks per month. EvilProxy increased to around 4 million attacks, while Sneaky 2FA tripled to nearly 2 million. Tycoon 2FA activity fell by 77%, but still accounted for more than 2 million attacks.
How Tycoon 2FA lives on
According to Barracuda threat analysts, the continued existence of Tycoon 2FA is due to several factors.
1. Not everything was dismantled in the takedown
For example, variants of Tycoon 2FA’s attack code that have been cloned or modified by individual adversaries continue to circulate. Independently hosted deployments remain active, and fragmented, low-volume campaigns persist.
2. Attackers reuse and repurpose phishing code
PhaaS toolsets increasingly resemble open-source development environments. Code is reused, modified and redeployed, and features migrate from one phishing kit to another.
3. Residual infrastructure
Elements of the attack infrastructure can persist. For example, attack domains remain active until expiry; backup hosting often evades immediate seizure; and low-visibility phishing campaigns keep going if they fall beneath alert thresholds. These residual campaigns can quietly outlive initial response efforts.
4. Phishing frameworks have built-in redundancy
Modern phishing frameworks often include measures to help them recover from disruption. Examples of this include failover infrastructure to ensure operational continuity for in-flight campaigns, workflows for rapid redeployment following disruption, and compatibility with other phishing kits.
5. Persistent access
The disruption of infrastructure does not automatically revoke victim access. Stolen session cookies may remain valid, OAuth abuse can enable extended cloud access, and organizations may remain compromised after the end of the phishing campaign.
“Phishing threats don’t end cleanly,” said Saravanan Mohankumar, Manager, Threat Analysis Team at Barracuda. “Attack patterns migrate rather than disappear, and tools inherit and refine proven techniques. The capabilities popularised by Tycoon 2FA are now embedded across a wider set of platforms, and we’ve already seen them deployed successfully in device code attacks. Detections tied to individual kits become obsolete quickly. For true resilience, defensive strategies need to focus on broad models of identity-based attacks and session abuse.”
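The two points above, that stolen session cookies outlive a takedown and that detection should model session abuse rather than individual kits, can be turned into a concrete check. The following is an added example, not code from Barracuda or from any phishing kit: it runs kit-agnostic session-abuse logic over constructed sign-in and activity records (the field names, session ids, IPs and cutoff date are all assumptions), flagging a session used from a client other than the one that completed MFA and listing sessions issued before an incident cutoff that are still active afterwards.

```python
# Added example (not from the Barracuda research): kit-agnostic session-abuse checks over
# constructed sign-in/activity records. Flags (1) a session id used from a different client
# than the one that completed MFA, and (2) sessions issued before a takedown or credential
# reset cutoff that still show activity afterwards, i.e. sessions that were never revoked.
from datetime import datetime

# Constructed sample records (not real log data). Each row: time, user, session id,
# client IP, user agent, event type. alice's session is minted from one client and then
# replayed from another, the trace left behind when a stolen cookie is reused.
SAMPLE_LOG = [
    ("2024-03-05T09:00:00", "alice", "sess-A1", "203.0.113.7",  "Chrome/122",  "mfa_success"),
    ("2024-03-05T09:04:00", "alice", "sess-A1", "198.51.100.9", "Firefox/123", "mailbox_read"),
    ("2024-03-05T10:00:00", "bob",   "sess-B7", "192.0.2.20",   "Chrome/122",  "mfa_success"),
    ("2024-03-05T10:30:00", "bob",   "sess-B7", "192.0.2.20",   "Chrome/122",  "mailbox_read"),
    ("2024-03-12T08:00:00", "alice", "sess-A1", "198.51.100.9", "Firefox/123", "mailbox_read"),
]

def parse(rows):
    """Turn the constructed tuples into dicts with parsed timestamps."""
    return [dict(ts=datetime.fromisoformat(t), user=u, sid=s, ip=ip, ua=ua, event=e)
            for t, u, s, ip, ua, e in rows]

def session_client_mismatches(records):
    """Alert when a session id is used from an (ip, user_agent) pair other than the one
    that completed MFA. Returns (user, session id, issuing client, observed client)."""
    issued_to = {}  # sid -> (ip, ua) seen at mfa_success
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "mfa_success":
            issued_to[r["sid"]] = (r["ip"], r["ua"])
            continue
        origin = issued_to.get(r["sid"])
        if origin and origin != (r["ip"], r["ua"]):
            alerts.append((r["user"], r["sid"], origin, (r["ip"], r["ua"])))
    return alerts

def sessions_surviving_cutoff(records, cutoff):
    """Return session ids authenticated before `cutoff` that still show activity after it.
    Run this after a takedown or password reset: a non-empty result means the sessions
    were never revoked and the organisation may still be compromised."""
    first_auth = {}
    survivors = set()
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "mfa_success":
            first_auth.setdefault(r["sid"], r["ts"])
        elif r["sid"] in first_auth and first_auth[r["sid"]] < cutoff <= r["ts"]:
            survivors.add(r["sid"])
    return sorted(survivors)
```

Feeding the constructed log through both functions flags alice's replayed session twice and reports it as still live a week after the assumed 10 March cutoff, while bob's session, used only from its issuing client, produces nothing.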