www.securityweek.com 4/19/2026, 6:11:25 PM

Tycoon 2FA down, attackers shift to Mamba, EvilProxy phishing

Threat actors have migrated to other phishing-as-a-service (PhaaS) platforms after Tycoon 2FA’s disruption, with the tools being reused across new campaigns, according to Barracuda Networks. Active since at least 2023, Tycoon 2FA has been used to bypass two-factor authentication and compromise user accounts, and was responsible for attacks against half a million organisations.

Barracuda notes that last year Tycoon 2FA accounted for 62% of phishing attempts seen by Microsoft and held an 89% market share as the most used PhaaS platform. In March, a coordinated operation led to the seizure of 330 active Tycoon 2FA domains, yet the platform’s operations continued seemingly unaffected, and the ecosystem absorbed the hit.

The total number of attacks leveraging four kits rose from roughly 20 million to over 23 million, but Tycoon 2FA is no longer the leader, trailing behind Mamba and EvilProxy in Barracuda detections.

Article by CyberSIXT