Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks

What happened

A law enforcement operation in early March seized 330 active Tycoon 2FA domains, but the disruption did not shut down the broader phishing-as-a-service ecosystem it supported. According to Barracuda Networks, Tycoon 2FA had previously accounted for 62% of phishing attempts observed by Microsoft and held an 89% market share among PhaaS platforms, having been used in attacks against half a million organizations since at least 2023. Following the seizure, threat actors migrated to competing platforms including Mamba 2FA, EvilProxy, and Sneaky 2FA, while Tycoon 2FA’s own attack code continued circulating through independent affiliates who cloned or modified it for their own deployments. The total volume of attacks across all four platforms increased after the disruption, rising from roughly 20 million to over 23 million, with Mamba 2FA and EvilProxy now leading in detections. Barracuda describes the PhaaS ecosystem as increasingly resembling open source software, where attack code is reused, modified, and redeployed across multiple platforms, making individual takedowns insufficient to neutralize the broader threat.

Who is affected

Any organization whose users authenticate via Microsoft 365 or similar platforms is exposed, given Tycoon 2FA’s documented history of bypassing two-factor authentication at scale. The migration of affiliates to Mamba 2FA, EvilProxy, and Sneaky 2FA means the attack surface has broadened rather than contracted following the law enforcement action.

Why CISOs should care

The Tycoon 2FA disruption is a clear illustration that takedowns of individual PhaaS platforms do not eliminate the underlying threat. The affiliate model means attack tooling survives and disperses rather than disappears, and the overall attack volume actually increased after the seizure. For security leaders, this means defenses calibrated to specific platforms or indicators tied to Tycoon 2FA alone are now insufficient, as the same capabilities have redistributed across a maturing underground ecosystem.

3 practical actions

  1. Broaden phishing detection beyond known platform signatures: Update detection rules and threat intelligence feeds to cover Mamba 2FA, EvilProxy, and Sneaky 2FA, which have absorbed Tycoon 2FA’s affiliate base and are now the leading PhaaS platforms by volume.
  2. Reassess MFA bypass risk: Review whether current authentication controls are capable of detecting or blocking adversary-in-the-middle phishing techniques used by these platforms to intercept session tokens and bypass two-factor authentication.
  3. Treat PhaaS tooling as persistent infrastructure: Assume that independently hosted deployments and cloned variants of disrupted phishing kits remain active in your threat environment and adjust monitoring accordingly rather than treating the law enforcement action as a resolution.
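As an added defensive example (not from this brief or the Barracuda report), the following Python sketch shows one way to act on action 2: scanning sign-in events for an MFA-satisfied session whose token is later presented from a different IP or network, which is a common trace of the adversary-in-the-middle token interception these kits rely on. The event fields and sample data are constructed assumptions, not any identity provider's real log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    """One sign-in event. Field names are hypothetical, chosen to resemble
    what an identity provider's sign-in log typically exposes."""
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str           # network the sign-in came from (constructed labels)
    mfa_satisfied: bool  # True when this event completed an MFA challenge


# Constructed sample telemetry, not real data. alice's MFA sign-in is followed
# minutes later by the same session used from an unrelated network; bob's
# session stays on one IP all day.
EVENTS = [
    SignIn(datetime(2025, 3, 10, 9, 0), "alice", "s-101", "203.0.113.5", "AS-corp", True),
    SignIn(datetime(2025, 3, 10, 9, 4), "alice", "s-101", "198.51.100.7", "AS-vps", False),
    SignIn(datetime(2025, 3, 10, 9, 30), "bob", "s-202", "203.0.113.9", "AS-corp", True),
    SignIn(datetime(2025, 3, 10, 15, 0), "bob", "s-202", "203.0.113.9", "AS-corp", False),
]


def find_token_reuse(events, window=timedelta(hours=1)):
    """Return (user, session_id, origin_ip, reuse_ip) for every session whose
    MFA-satisfied token is presented from a different IP or ASN within
    `window` of the MFA event. A stolen session cookie replayed from the
    attacker's infrastructure shows up exactly this way; a legitimate user
    rarely changes network seconds after completing MFA."""
    by_session = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)

    alerts = []
    for sid, seq in by_session.items():
        origin = next((e for e in seq if e.mfa_satisfied), None)
        if origin is None:
            continue  # no MFA event to anchor on for this session
        for later in seq:
            if later.ts <= origin.ts or later.ts - origin.ts > window:
                continue
            if later.ip != origin.ip or later.asn != origin.asn:
                alerts.append((origin.user, sid, origin.ip, later.ip))
                break  # one alert per session is enough
    return alerts
```

In production the same check would run over the identity provider's exported sign-in logs and feed a conditional-access or session-revocation response rather than a list.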