The Tycoon 2FA phishing-as-a-service (PhaaS) platform — once dominant in adversary-in-the-middle (AiTM) credential theft operations — has lost its top position following coordinated disruption by European authorities in early 2026. However, the disruption has not slowed the broader threat: researchers are observing a sharp surge in attacks as actors repurpose Tycoon 2FA's infrastructure, codebase, and techniques inside a new generation of phishing kits.
What Was Tycoon 2FA?
Tycoon 2FA emerged in late 2023 as a sophisticated PhaaS platform enabling low-skill attackers to run AiTM phishing campaigns that bypass multi-factor authentication (MFA). Campaigns targeted Microsoft 365 and Google Workspace users. The kit intercepted real-time session tokens, allowing attackers to hijack authenticated accounts even when MFA was enabled.
At its peak, Tycoon 2FA was used in thousands of campaigns per month and offered:
- Evasion of Cloudflare bot detection
- CAPTCHA-based filtering to block security crawlers
- Dynamic lure pages mimicking Microsoft, Google, and enterprise SSO portals
- Telegram-based administration dashboards for affiliates
Disruption and Spillover
Europol's Operation Coordinated Action (March 2026) targeted the infrastructure behind Tycoon 2FA, resulting in domain seizures and the takedown of backend servers hosting the kit. However, because the kit had already been widely distributed via underground forums, copies of the codebase continue to circulate.
Security researchers at multiple threat intelligence firms are now tracking at least six derivative phishing kits that incorporate Tycoon 2FA's proxy-relay architecture and evasion logic. These include:
- EvilProxy-NG: Updated fork with improved Microsoft Entra ID bypass
- StormPhish v3: Adds SMS-based OTP capture alongside session token theft
- AiTM-Pro: Sold on Russian-language forums for ~$200/month with custom branding
The core AiTM technique — using a real-time reverse proxy to relay credentials between victim and legitimate service — has become standardized across the PhaaS ecosystem.
Attack Volume Surge
According to SecurityWeek's threat reporting, phishing campaigns leveraging Tycoon 2FA derivatives have increased significantly post-disruption:
- Volume of AiTM-style phishing lures up 37% since the March 2026 takedown
- Microsoft 365 remains the most targeted platform (approximately 68% of campaigns)
- Canadian, UK, and US financial sector employees are primary targets
The irony of the situation is not lost on defenders: taking down the market leader has fragmented the ecosystem, creating more kits but also more variation, which complicates detection.
Detection Indicators
Security teams should look for these patterns associated with Tycoon 2FA derivative campaigns:
- Unusual session token reuse from unexpected IP geographies shortly after successful MFA
- HTTP/2-based reverse proxy traffic with consistent relay timing artifacts
- Cloudflare Pages / Workers used as initial phishing lure hosts
- HTML smuggling embedded in phishing email attachments
- Lure domains registered via NameSilo or Porkbun with patterns like login-{org}-secure[.]com
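As an added illustration of the first and last indicators above (not code from the article or from any vendor product), the following script applies both checks to a handful of constructed sign-in log records; the record layout, the 30-minute window, and the sample values are assumptions, and the domain matcher accepts both the plain and the defanged "[.]" form of the pattern.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): each record is one
# already-parsed entry from an identity provider's sign-in log.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T09:00:00", "user": "alice", "session": "S1", "country": "CA", "event": "mfa_success"},
    {"ts": "2026-04-01T09:04:00", "user": "alice", "session": "S1", "country": "CA", "event": "session_use"},
    {"ts": "2026-04-01T09:11:00", "user": "alice", "session": "S1", "country": "NL", "event": "session_use"},
    {"ts": "2026-04-01T10:00:00", "user": "bob", "session": "S2", "country": "US", "event": "mfa_success"},
    {"ts": "2026-04-01T10:30:00", "user": "bob", "session": "S2", "country": "US", "event": "session_use"},
    {"ts": "2026-04-01T12:00:00", "user": "bob", "session": "S2", "country": "GB", "event": "session_use"},
]


def detect_token_reuse(events, window_minutes=30):
    """Flag a session token used from a different country than the one that
    completed MFA, within window_minutes of that MFA success (assumed window).
    Returns (user, session, mfa_country, reuse_country, minutes_after_mfa) tuples."""
    mfa_origin = {}  # session id -> (time of MFA success, country it came from)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(e["ts"])
        if e["event"] == "mfa_success":
            mfa_origin[e["session"]] = (t, e["country"])
            continue
        origin = mfa_origin.get(e["session"])
        if origin is None:
            continue  # no MFA seen for this session; outside this rule's scope
        mfa_time, mfa_country = origin
        delta = t - mfa_time
        if e["country"] != mfa_country and delta <= timedelta(minutes=window_minutes):
            alerts.append((e["user"], e["session"], mfa_country, e["country"],
                           int(delta.total_seconds() // 60)))
    return alerts


# Lure-domain pattern from the article: login-{org}-secure.com, with the
# defanged "[.]" separator accepted so indicator lists can be fed in as-is.
LURE_PATTERN = re.compile(r"^login-[a-z0-9-]+-secure\[?\.\]?com$", re.IGNORECASE)


def is_lure_domain(domain):
    """True when the domain matches the login-{org}-secure.com lure pattern."""
    return LURE_PATTERN.match(domain.strip()) is not None
```

Widening the window (e.g. `window_minutes=180`) trades fewer missed slow-relay cases for more noise from legitimate travel, so tune it against your own sign-in baseline.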
Mitigation Recommendations
| Control | Effectiveness |
|---|---|
| Phishing-resistant MFA (FIDO2/passkeys) | Defeats AiTM session theft entirely |
| Conditional Access with device compliance | Limits post-auth token reuse from unknown devices |
| Microsoft Defender for Identity alerts | Detects impossible travel & token anomalies |
| Email link sandboxing (Safe Links) | Interrupts initial lure delivery |
| User training on MFA fatigue & proxy lures | Reduces initial click-through |
Organizations relying solely on TOTP or push-based MFA remain vulnerable to AiTM-style attacks regardless of which kit is used. The transition to passkeys or hardware security keys is the most effective long-term mitigation.
Outlook
The PhaaS ecosystem is proving resilient to single-point takedowns. As long as the underlying AiTM technique remains viable against TOTP and SMS-based MFA, derivative kits will continue to proliferate. Threat intelligence teams should treat Tycoon 2FA-style attacks as a persistent commodity threat category rather than a single tracked actor.