Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks

Threat actors have migrated to other phishing-as-a-service (PhaaS) platforms after Tycoon 2FA’s disruption and are reusing its tools, cybersecurity firm Barracuda Networks says. Active since at least 2023, Tycoon 2FA allows threat actors to launch phishing attacks, bypass two-factor authentication, and compromise user accounts. It has been used in attacks against half a million organizations. Last year, Tycoon 2FA accounted for 62% of the phishing attempts seen by Microsoft, and was the most used PhaaS platform, with 89% market share, Barracuda says. In early March, a coordinated effort resulted in the seizure of 330 active Tycoon 2FA domains, but the platform’s operations continued seemingly unaffected. According to the fresh Barracuda report, despite the rebound, Tycoon 2FA lost the PhaaS crown, as threat actors have migrated to other platforms, such as Mamba 2FA, EvilProxy, and Sneaky 2FA. The overall number of attacks leveraging these four phishing kits has increased following the disruption, from roughly 20 million to over 23 million, but Tycoon is no longer the leader as it was prior to the law enforcement operation. It’s now well behind Mamba and EvilProxy based on Barracuda detections. Tycoon 2FA, Barracuda says, absorbed the hit, the underlying ecosystem lived on, and other phishing kits have matured their infrastructure and expanded their offerings with tools previously used by the disrupted service. “Tycoon 2FA was widely used by independent affiliates. This means that variants of Tycoon 2FA’s attack code that have been cloned or modified by individual adversaries continue circulating. It also means that independently hosted deployments remain active and that fragmented, low-volume campaigns persist,” Barracuda notes. According to the cybersecurity firm, PhaaS toolsets are increasingly similar to open source software, where threat actors reuse, modify, and redeploy the code. Combined with residual infrastructure, built-in redundancy to survive disruptions, and persistent access to compromised environments, this makes phishing kits sturdier and more difficult to detect and tackle. According to Barracuda, these artifacts reflect an ecosystem diversification, where Tycoon 2FA is redistributed across more platforms rather than restored. “This does not mean the takedown operation failed. Rather, it shows what happens when disruption hits a maturing underground economy, and why security defenses need to look more broadly than individual players,” Barracuda notes. Related: 53 DDoS Domains Taken Down by Law Enforcement Related: US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites Related: SystemBC Infects 10,000 Devices After Defying Law Enforcement Takedown Related: 1,000+ Servers Hit in Law Enforcement Takedown of Rhadamanthys, VenomRAT, Elysium WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Cursor AI Vulnerability Exposed Developer Devices 53 DDoS Domains Taken Down by Law Enforcement Artemis Emerges From Stealth With $70 Million in Funding Splunk Enterprise Update Patches Code Execution Vulnerability NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software Cisco Patches Critical Vulnerabilities in Webex, ISE Ransomware Hits Automotive Data Expert Autovista Capsule Security Emerges From Stealth With $7 Million in Funding Latest News White House Chief of Staff to Meet With Anthropic CEO Over Its New AI Technology CoChat Launches AI Collaboration Platform to Combat Shadow AI In Other News: Satellite Cybersecurity Act, $90K Chrome Flaw, Teen Hacker Arrested Another DraftKings Hacker Sentenced to Prison Lawmakers Gathered Quietly to Talk About AI. Angst and Fears of ‘Destruction’ Followed Recent Apache ActiveMQ Vulnerability Exploited in the Wild Two North Korean IT Worker Scheme Facilitators Jailed in the US ZionSiphon Malware Targets ICS in Water Facilities Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Anti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors. ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer. Thomas Bain has been appointed Chief Marketing Officer at Silent Push. More People On The Move Expert Insights Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Email