The digital crime market increasingly resembles a startup: there are subscription products, cloud control panels, support and updates. One of the most worrying examples of this criminal professionalization was Tycoon 2FA, a phishing kit offered as a service that for about two years enabled large-scale adversary-in-the-middle (AiTM) attacks, capable of capturing credentials, multifactor authentication codes and the session cookies that let an attacker keep access after the login.
Authorities and several cybersecurity companies have announced a coordinated operation to dismantle the service's infrastructure. According to Europol, the action resulted in the takedown of around 330 domains that hosted phishing pages and the service's control panels, a major blow to the network's operational capacity. The official note can be read on Europol's website.

Tycoon 2FA was not just another kit. It was a commercial, subscription-based product, with plans starting at a few hundred dollars for temporary access and monthly plans for management panels where operators could design and run complete campaigns. The panel offered templates, lure files, redirection logic and victim metrics; it also let operators download captured data or have it forwarded in real time to messaging services such as Telegram. This offering puts sophisticated attacks within reach of actors with little technical skill.
The figures researchers work with illustrate the scale of the problem. Security companies such as Proofpoint and Trend Micro have documented huge volumes of emails and campaigns attributed to the kit: millions of messages in a single month and tens of thousands of active domains. Microsoft, which tracked the operators under the alias Storm-1747, said it blocked more than 13 million malicious emails related to this service. The number of related incidents and affected organizations indicates that these were not isolated attacks but an industrial-scale operation.
What made Tycoon 2FA so effective? Technically, it relied on the AiTM method: an intermediary (a reverse proxy) placed between the victim and the legitimate service that intercepted the exchange at the moment of authentication. Besides the password, MFA codes and session cookies were captured, allowing the attacker to take over the account even after the victim changed their password, unless sessions and tokens were explicitly revoked. Microsoft explains the technique in more detail in its analysis: Inside Tycoon2FA.
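The following is an added example, not code from the article, from Microsoft's analysis or from the kit itself. It models a toy identity provider with cookie sessions to show the point above: the session cookie an AiTM proxy obtains by relaying the victim's password and a fresh MFA code keeps working after a password change unless the provider binds sessions to a per-user version (or sessions are explicitly revoked). The user name, password and MFA code are constructed, and the password hash is a placeholder for a real slow hash.

```python
"""Added example: why an AiTM-captured session cookie outlives a password change.

Toy identity provider with cookie sessions. Nothing here is Tycoon 2FA code or
any vendor's API; user names, passwords and the MFA code are constructed.
"""
import hashlib
import secrets


def _hash_pw(pw: str) -> str:
    # Demonstration only; a real IdP uses a slow password hash (argon2, bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


class IdentityProvider:
    """bind_sessions=False: a cookie stays valid for its lifetime (weak model).
    bind_sessions=True: each cookie records the user's session_version at issue
    time and dies when that version changes (hardened model)."""

    def __init__(self, bind_sessions: bool):
        self.bind_sessions = bind_sessions
        # Constructed user record.
        self.users = {"alice": {"pw": _hash_pw("hunter2"), "session_version": 1}}
        self.sessions = {}  # cookie -> (user, session_version at issue)

    def login(self, user: str, password: str, mfa_code: str, expected_mfa: str = "123456"):
        u = self.users.get(user)
        if u is None or u["pw"] != _hash_pw(password) or mfa_code != expected_mfa:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (user, u["session_version"])
        return cookie

    def is_valid(self, cookie: str) -> bool:
        entry = self.sessions.get(cookie)
        if entry is None:
            return False
        user, version_at_issue = entry
        if self.bind_sessions and version_at_issue != self.users[user]["session_version"]:
            return False
        return True

    def change_password(self, user: str, new_password: str) -> None:
        self.users[user]["pw"] = _hash_pw(new_password)
        if self.bind_sessions:
            # Hardened behaviour: a password change invalidates every cookie.
            self.users[user]["session_version"] += 1

    def revoke_all_sessions(self, user: str) -> None:
        # Explicit revocation works in both models; it is what incident
        # response must do when a compromise is suspected.
        self.users[user]["session_version"] += 1
        self.sessions = {c: v for c, v in self.sessions.items() if v[0] != user}


def aitm_relay(idp: IdentityProvider, user: str, password: str, mfa_code: str):
    """What the reverse-proxy phishing page does: the victim types password and
    fresh MFA code into the lookalike page, the proxy forwards both to the real
    IdP and keeps the session cookie the IdP issues."""
    return idp.login(user, password, mfa_code)


def session_scenario(bind_sessions: bool):
    """Returns (valid right after capture, valid after password change,
    valid after explicit revocation) for the stolen cookie."""
    idp = IdentityProvider(bind_sessions)
    stolen = aitm_relay(idp, "alice", "hunter2", "123456")
    after_capture = idp.is_valid(stolen)
    idp.change_password("alice", "correct-horse-battery-staple")
    after_pw_change = idp.is_valid(stolen)
    idp.revoke_all_sessions("alice")
    after_revoke = idp.is_valid(stolen)
    return after_capture, after_pw_change, after_revoke


if __name__ == "__main__":
    print("weak    :", session_scenario(False))   # (True, True, False)
    print("hardened:", session_scenario(True))    # (True, False, False)
```

In the weak model the stolen cookie survives the password change; only the explicit revocation kills it. Real identity providers implement the hardened behaviour with a token version, a "sessions valid after" timestamp, or by refusing refresh tokens issued before the credential change; whichever mechanism is used, the response to a suspected AiTM compromise has to include the revocation step, not just a password reset.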
But it was not just the AiTM technique: the kit incorporated multiple evasion mechanisms that made detection and takedown difficult, from keystroke monitoring, anti-bot checks and browser fingerprinting to self-hosted CAPTCHAs, obfuscated JavaScript and dynamic decoy pages. In addition, operators registered extremely short-lived domains and spread the infrastructure across a wide mix of top-level domains, using services such as Cloudflare to shield those addresses. This rapid rotation left blocklists outdated within hours.
Another disturbing feature was how easily attackers could escalate their impact: Tycoon 2FA enabled the technique known as ATO jumping, which uses an already compromised account to send phishing links to the victim's legitimate address book. The result is mail that appears to come from a trusted contact, which greatly increases the chance of deceiving the recipient. Proofpoint describes how this tactic multiplies the reach of campaigns in its material on the operation: Disruption targets Tycoon 2FA.
Packaged phishing kits are not a new phenomenon, but Tycoon 2FA showed how far this offering can be professionalized into a lucrative fraud platform. Analyses of the phishing-kit market explain that these packages are designed to be flexible and accessible, with functionality ranging from the basics to advanced tooling that was previously available only to sophisticated groups. Good technical and market context is available in analyses such as Kaspersky's Securelist and in specialized reports from intelligence companies such as Intel 471.
The consequences for organizations and users are direct and potentially devastating: access to corporate mail leading to leaks, ransomware deployment or compromise of critical services in education, healthcare or public administration. Proofpoint researchers shared alarming data on the prevalence of account-takeover attempts and on the fact that many incidents affected accounts with MFA enabled, which shows that ticking the two-factor box is not enough when the attack is designed to intercept it.

The takedown of domains and panels is an important victory, but it does not mean the problem has disappeared. These platforms usually reappear under other brands, with improvements and tactics adapted to the previous blocks. Protection must therefore be both technical and organizational: beyond advanced mail and detection controls, it is crucial to review how sessions and tokens are managed, to revoke access whenever compromise is suspected, and to promote AiTM-resistant authentication factors, such as FIDO-based hardware keys, wherever possible.
For users and security teams the lesson is twofold: awareness of these attacks, especially when they appear to come from known contacts, remains an essential defense, and identity architecture must account for realistic interception scenarios. Additional resources and analysis on the takedown of the service and on AiTM threats are available in the technical reports published by organizations such as Trustwave, Trend Micro and Proofpoint.
In short, the blow to Tycoon 2FA shows that public-private cooperation can stop far-reaching criminal platforms, but it also reminds us that the adversary evolves quickly. Staying informed, reviewing session and authentication policies, and applying advanced protection solutions are essential steps to keep a compromised account from turning into a major disaster.
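Why FIDO-based keys count as AiTM-resistant while one-time codes do not is worth seeing in code. The block below is an added example written for this page; it is not from the article, from Microsoft or Proofpoint, or from any WebAuthn library. It simulates both factors: a TOTP-style code (real RFC 4226 truncation) carries nothing that ties it to a website, so a proxy can forward it unchanged, whereas a WebAuthn assertion signs the origin the browser is actually on, so an assertion produced on a lookalike domain fails at the legitimate relying party. Assumptions: the authenticator "signs" with HMAC over a shared secret so the example runs on the standard library alone (real WebAuthn uses an asymmetric key pair and the relying party holds only the public key), and the origins and secrets are constructed.

```python
"""Added example: a relayed TOTP code passes through an AiTM proxy, a
FIDO/WebAuthn assertion does not, because the origin is inside the signed data.

Simplification (assumption): HMAC stands in for the authenticator's private-key
signature; real WebAuthn uses an asymmetric key pair. Origins are constructed.
"""
import hashlib
import hmac
import json
import secrets


# --- factor 1: HOTP/TOTP-style code (RFC 4226 truncation); no origin inside ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_login(secret: bytes, counter: int, submitted: str) -> bool:
    return hmac.compare_digest(hotp(secret, counter), submitted)


def aitm_totp_login(secret: bytes, counter: int) -> bool:
    victim_code = hotp(secret, counter)           # victim reads it off the phone
    relayed = victim_code                         # proxy forwards it unchanged
    return totp_login(secret, counter, relayed)   # accepted: nothing binds it to a site


# --- factor 2: WebAuthn-style assertion; origin baked into the signed data ---

class Authenticator:
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def get_assertion(self, challenge: bytes, browser_origin: str):
        # The browser fills in the origin it is really on; page script cannot
        # override it, so a lookalike domain ends up in the signed data.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
            sort_keys=True).encode()
        return client_data, hmac.new(self.secret, client_data, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin: str, authenticator: Authenticator):
        self.origin = origin
        self.verify_key = authenticator.secret   # would be the public key in real WebAuthn
        self.pending = set()

    def begin(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def finish(self, client_data: bytes, sig: bytes) -> bool:
        expected = hmac.new(self.verify_key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        data = json.loads(client_data)
        if data["origin"] != self.origin:
            return False                         # bound to another origin: phished
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self.pending:
            return False                         # replay or unknown challenge
        self.pending.discard(challenge)          # single use
        return True


def fido_login(rp: RelyingParty, auth: Authenticator, browser_origin: str) -> bool:
    challenge = rp.begin()
    return rp.finish(*auth.get_assertion(challenge, browser_origin))


def aitm_vs_fido_demo() -> dict:
    auth = Authenticator()
    rp = RelyingParty("https://login.example.com", auth)
    totp_secret = secrets.token_bytes(20)
    return {
        "totp_direct": totp_login(totp_secret, 42, hotp(totp_secret, 42)),
        "totp_via_aitm": aitm_totp_login(totp_secret, 42),
        "fido_direct": fido_login(rp, auth, "https://login.example.com"),
        # the proxy relays the genuine challenge, but the victim's browser is on the lookalike
        "fido_via_aitm": fido_login(rp, auth, "https://login-example.evil.test"),
    }


if __name__ == "__main__":
    for name, ok in aitm_vs_fido_demo().items():
        print(f"{name:14s} -> {'accepted' if ok else 'rejected'}")
```

The proxy in the FIDO case does everything right from its point of view: it fetches a genuine challenge and relays it, and the authenticator signs it, but the browser writes the lookalike origin into the client data and the relying party rejects the assertion. That origin check, plus the single-use challenge, is what "AiTM-resistant" means in practice; it is also why a deployment that leaves TOTP or push approval enabled as a fallback has not removed the relay path.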