
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing

Source: Dark Reading. Archived Apr 18, 2026.

In embracing device code phishing, attackers trick victims into handing over account access by using a service's legitimate new-device login flow.



By Nate Nelson, Contributing Writer. April 17, 2026. 5 Min Read.

In the wake of a major takedown of phishing's biggest brand name, Tycoon 2FA, phishers worldwide have scattered. Some have stuck around, but many have moved to other phishing service providers, and some seem to be jumping on a fast-growing trend toward device code phishing.

It would be shortchanging Tycoon 2FA to merely distinguish it as the world's premier phishing-as-a-service (PhaaS) group. A year ago, it accounted for nearly 90% of all PhaaS activity everywhere, according to data from Barracuda. It essentially owned the PhaaS ecosystem.

The ecosystem evolved, though, and earlier this year Barracuda attributed just less than half of the PhaaS market to Tycoon, with Mamba 2FA not far behind. Then a coordinated law enforcement takedown knocked out 330 of its active domains. It's still alive and kicking, but its output has dropped from more than 9 million attacks per month to just over 2 million.

It would be incorrect, though, to infer from those figures that law enforcement caused an 80% drop in phishing activity. Whenever the feds clip major cybercrime rings, the threat actors involved don't just hang up their keyboards and find a job. They scatter. The way Tycoon 2FA associates seem to be scattering is particularly interesting, as it mirrors some much larger trends researchers are observing in the phishing threat landscape.

PhaaS Power Politics

When it comes to such a behemoth as Tycoon 2FA, "You can't expect one takedown to completely eliminate every aspect of these operations," says Merium Khalid, director of SOC offensive security with Barracuda's office of the chief technology officer (CTO). "The way you want to look at it is: They took down the operations, but the infrastructure, the tactics, the techniques, and the code behind everything is still there."

While Tycoon has been licking its wounds, groups like EvilProxy and Sneaky 2FA have stepped into the power vacuum it's left behind. EvilProxy attacks per month rose from just under 3 million to just over 4 million around the time of the takedown, and Sneaky 2FA rose from under 700,000 to nearly 2 million.

The group that's benefited the most, though, is Tycoon's formerly largest competitor, Mamba 2FA. Mamba was responsible for nearly 8 million attacks per month before Tycoon was punched in the nose. Now it's churning out more than 15 million per month — a nearly 100% surge in mere weeks.

Like immigrants to new countries, as the hackers have migrated from one phishing service provider to another, they've taken what they know with them. "The [Tycoon 2FA] tools and the code and the techniques are actually now in the hands of their competitors like Mamba and EvilProxy. So I think we're going to be seeing more sophisticated phishing-as-a-service attacks and techniques out there."

Device Code Phishing Surges

Selena Larson, senior threat intelligence analyst at Proofpoint, saw it firsthand. "Just yesterday I was poking around at some of the device code phishing activity we're seeing," she recalls over a Zoom interview. In device code phishing, attackers trick victims into handing over access to their accounts using a service's legitimate new-device login flow.

"One of the campaigns was using a PDF that had an artifact of a Tycoon URL. I was like, 'Wait a second, is this Tycoon 2FA and EvilTokens?' Potentially, this actor was just reusing PDFs that they had previously used for Tycoon credential phishing to do, now, EvilTokens device code account takeover."

Barracuda came across another case of it. They observed a device code phishing campaign that incorporated one of Tycoon 2FA's most unique quirks: motivational-style comments that create noise in its source code.

It's no surprise, judging by Proofpoint's latest data. By coincidence or causation, Tycoon 2FA's takedown has overlapped almost exactly with a steep rise in device code phishing.

Larson explains that though it's not new, device code phishing wasn't terribly common even late into last year. "Since November, December of 2025, it's been increasing moderately across the landscape, and over the last three to four weeks, in particular, it went from being still fairly uncommon to being quite commonly observed across the threat landscape. Even just within the last two weeks, we've gone from seeing a handful of easily identifiable device code phishing kits to having a lot more than that."

It's not clear exactly how much of Tycoon's user base is moving toward device code, she acknowledges. "But it is, I think, indicative of the explosion of popularity for device code phishing, and these new types of phishing kits incorporating device code phishing into their kits as part of the package that they're selling."

For Larson, it's only the next logical step in the history of phishing techniques. "It used to be years and years ago that threat actors would just go for your username and password. And so then multifactor authentication (MFA) was created to block that and disrupt those types of capabilities. So, OK, what do the threat actors do? Well, they make MFA phishing kits to grab the whole chain," she explains.

"But now we're at this point where maybe more people are aware that MFA isn't necessarily the best," she adds, thanks to kits like Tycoon 2FA. "Now [the threat actors] are like: 'OK, what's another type of phishing that we could do? OAuth phishing and device code phishing, I think, are the natural progression of where threat actors are going to go."
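Because the device code flow the article describes is a legitimate login path, the defender-side signal is a user completing that flow when their own history gives no reason for it. The rule below is an added example, not code from the article, Barracuda or Proofpoint; its sign-in records are constructed to resemble Microsoft Entra ID sign-in logs, whose authenticationProtocol field reads "deviceCode" for the device authorization grant, and the users, apps, countries and the baseline cutoff are assumptions.

```python
# Added example (not from the article): flag device-code sign-ins that depart from
# a user's baseline. Records are constructed to resemble Microsoft Entra ID sign-in
# logs (authenticationProtocol == "deviceCode" marks the device authorization grant).
SAMPLE_SIGNINS = [
    # Baseline: Alice only ever signs in through a browser, from the US.
    {"user": "alice@example.com", "ts": "2026-04-10T08:00:00Z",
     "authenticationProtocol": "authorizationCode", "country": "US", "app": "Office 365"},
    {"user": "alice@example.com", "ts": "2026-04-12T08:30:00Z",
     "authenticationProtocol": "authorizationCode", "country": "US", "app": "Office 365"},
    # Baseline: Bob legitimately uses device code (Azure CLI) from the US.
    {"user": "bob@example.com", "ts": "2026-04-11T10:00:00Z",
     "authenticationProtocol": "deviceCode", "country": "US", "app": "Azure CLI"},
    # Post-cutoff events: Bob's first is benign, the other two should be flagged.
    {"user": "alice@example.com", "ts": "2026-04-17T14:02:00Z",
     "authenticationProtocol": "deviceCode", "country": "NL", "app": "Microsoft Teams"},
    {"user": "bob@example.com", "ts": "2026-04-17T15:10:00Z",
     "authenticationProtocol": "deviceCode", "country": "US", "app": "Azure CLI"},
    {"user": "bob@example.com", "ts": "2026-04-17T16:45:00Z",
     "authenticationProtocol": "deviceCode", "country": "RU", "app": "Microsoft Office"},
]
BASELINE_CUTOFF = "2026-04-16T00:00:00Z"  # earlier events form the baseline

def build_baseline(records, cutoff):
    """Per-user sets of protocols and countries seen before the cutoff."""
    baseline = {}
    for r in records:
        if r["ts"] < cutoff:  # ISO-8601 UTC strings compare correctly as text
            entry = baseline.setdefault(r["user"], {"protocols": set(), "countries": set()})
            entry["protocols"].add(r["authenticationProtocol"])
            entry["countries"].add(r["country"])
    return baseline

def flag_device_code_signins(records, cutoff=BASELINE_CUTOFF):
    """Return (user, ts, app, reasons) for post-cutoff device-code sign-ins
    that the user's own history does not explain."""
    baseline = build_baseline(records, cutoff)
    findings = []
    for r in records:
        if r["ts"] < cutoff or r["authenticationProtocol"] != "deviceCode":
            continue
        seen = baseline.get(r["user"], {"protocols": set(), "countries": set()})
        reasons = []
        if "deviceCode" not in seen["protocols"]:
            reasons.append("first device-code sign-in for this user")
        if r["country"] not in seen["countries"]:
            reasons.append("device-code sign-in from new country " + r["country"])
        if reasons:
            findings.append((r["user"], r["ts"], r["app"], reasons))
    return findings
```

On the constructed records this flags Alice's first-ever device-code sign-in from a new country and Bob's device-code sign-in from a country he has never used, while leaving Bob's routine Azure CLI sign-in alone.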