Post-Tycoon 2FA Takedown: Phishing Tactics Evolve and Spread

Severity: High (Score: 69.5)

Sources: Petri, Darkreading

Summary

Following the takedown of Tycoon 2FA by law enforcement in March 2026, phishing tactics associated with the service have proliferated among other cybercriminal groups. Tycoon 2FA, which previously accounted for nearly 90% of phishing-as-a-service activity, saw its output drop significantly from over 9 million attacks per month to just over 2 million. However, its techniques, particularly adversary-in-the-middle phishing, have been adopted by competitors like Mamba 2FA, EvilProxy, and Sneaky 2FA, leading to a rise in their attack volumes. Mamba 2FA alone has increased its monthly attacks from nearly 8 million to over 15 million. The resilience of the phishing ecosystem means that even after major disruptions, the underlying methods persist and evolve, making complete eradication unlikely. Security experts recommend focusing on broader phishing techniques rather than specific brands to effectively combat these threats.

Key Points:

  • Tycoon 2FA's takedown led to a significant drop in its attacks but not in phishing activity overall.
  • Competitors like Mamba 2FA and EvilProxy have absorbed Tycoon's tactics, increasing their attack volumes.
  • Phishing techniques are evolving, making it crucial for organizations to focus on broader threat models.

Key Entities

  • Phishing (attack_type)
  • CWE-287 - Improper Authentication (cwe)
  • onmsft.com (domain)
  • T1566.001 - Spearphishing Attachment (mitre_attack)
  • T1566.003 - Spearphishing Via Service (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • EvilProxy (tool)
  • Mamba 2FA (tool)
  • Sneaky 2FA (tool)
  • Tycoon 2FA (tool)
  • Whisper 2FA (tool)