The once-dominant Tycoon 2FA phishing kit has lost its leading position in the cybercrime ecosystem following a major disruption, even as overall phishing activity continues to rise. According to cybersecurity firm Barracuda Networks, threat actors are increasingly shifting to alternative phishing-as-a-service (PhaaS) platforms while continuing to reuse tools and techniques originally developed by Tycoon 2FA.
Tycoon 2FA, active since at least 2023, had gained widespread adoption due to its ability to bypass two-factor authentication and compromise user accounts through adversary-in-the-middle techniques. At its peak, the platform accounted for 89% of the phishing-as-a-service market and was responsible for 62% of phishing attempts detected by Microsoft, targeting nearly half a million organizations globally.
In early March 2026, a coordinated law enforcement operation led to the seizure of 330 domains associated with the platform, disrupting its infrastructure. While the takedown significantly impacted Tycoon 2FA’s visibility and operations, it did not eliminate the broader threat. Instead, attackers adapted quickly, migrating to competing platforms such as Mamba 2FA, EvilProxy, and Sneaky 2FA.
Following this shift, the total number of phishing attacks using these platforms has increased from roughly 20 million to over 23 million, indicating that the disruption redistributed activity rather than reducing it. Tycoon 2FA is no longer the leading tool, now trailing behind competitors that have expanded their capabilities using components and infrastructure derived from the original platform.
Security researchers emphasize that the continued spread of Tycoon 2FA’s code highlights the resilience of the cybercrime ecosystem. Variants of its attack tools remain active through independent affiliates, cloned versions, and decentralized deployments. This evolution mirrors open-source development models, where malicious code is reused, modified, and redeployed across multiple platforms, making detection and mitigation increasingly challenging.
The development underscores a broader shift in cybersecurity threats, where dismantling a single platform is no longer sufficient to curb attacks. As phishing kits become more modular and widely distributed, experts stress the need for organizations to adopt comprehensive security strategies that focus on behavioral detection, user awareness, and phishing-resistant authentication methods rather than relying solely on targeting individual threat actors.
