
Tycoon 2FA: An Evolving Phishing Kit Powering PhaaS Threats
In a recent spate of phishing campaigns, attackers have been leveraging a tool called Tycoon 2FA to deceive users and bypass security measures. These campaigns frequently employ convincing login pages, closely mimicking the appearance of trusted services like Microsoft 365, to trick users into entering their credentials and authentication codes.
Simply put, Tycoon 2FA is a Phishing-as-a-Service (PhaaS) kit that enables attackers to sidestep Multi-Factor Authentication (MFA) by stealing session cookies. By capturing these digital tokens, attackers can gain unauthorized access to accounts, even if additional security measures are in place.
What’s more important is that Tycoon 2FA is an active danger that is continuously evolving. Since its appearance in 2023, it has undergone regular updates that enhance its stealth and expand its capabilities. From code obfuscation to anti-analysis techniques, this phishing kit exemplifies the sophisticated tactics that threat actors are using today.
In this article, we will break down how Tycoon 2FA works, explore its ongoing evolution, and share critical insights to help your organization identify, defend against, and effectively navigate these phishing threats.
What is Tycoon 2FA?
Tycoon 2FA is a modern Phishing-as-a-Service (PhaaS) platform that has become a significant tool for cybercriminals since it emerged in August 2023. Essentially, it offers a complete phishing kit, enabling attackers to easily create and manage phishing campaigns with little technical expertise required.
Notably, researchers suggest that the developer may have repurposed elements of the Dadsec OTT phishing kit, including its admin panel design and phishing tactics, to create Tycoon 2FA.
The kit mainly targets users of Microsoft 365 and Gmail. Its standout feature is its use of an Adversary-in-the-Middle (AitM) technique, relying on a reverse proxy to insert itself between the victim and the legitimate service. This setup lets attackers capture sensitive information during a seemingly normal login process.

Logo of the Tycoon 2FA phishing tool
By mimicking trusted login pages and relaying stolen session cookies back to the attacker, the Tycoon phishing tool allows cybercriminals to bypass Multi-Factor Authentication (MFA). As a result, this kit can enable unauthorized access to company email accounts, file systems, and other cloud services, even if these are normally protected by strong authentication measures.
Why It’s So Dangerous
A key concern with Tycoon 2FA is its ability to bypass MFA by stealing session cookies – small bits of data that keep a user’s session active after login. These cookies give attackers access to a victim’s account without needing to re-enter credentials or authentication codes.
Additionally, attackers frequently leverage legitimate, often compromised, email accounts (such as those using Amazon Simple Email Service or other legitimate SMTP services) to distribute their phishing emails. This tactic helps Tycoon 2FA campaigns appear more authentic and increases the likelihood of victims engaging with malicious links.
Equally alarming is how accessible Tycoon 2FA is. Investigations revealed that over 1,100 domain names were linked to it between late October 2023 and February 2024, expanding to 1,200+ by March 2024. Sold openly through encrypted messaging services like Telegram, the kit’s pre-built phishing pages and user-friendly admin panels lower the barrier for would-be attackers. For as little as $120 (according to reports in 2024), attackers of all skill levels can launch campaigns that exploit even well-protected accounts.

Details of Tycoon 2FA on SOCRadar XTI platform, Threat Actor Intelligence page
Supercharge your defenses with SOCRadar’s Threat Actor & Malware Intelligence, part of our Cyber Threat Intelligence module. Gain critical insights that help you:
- Understand threat actor profiles and their tactics, techniques, and procedures (TTPs),
- Track the latest malware and cyber threats,
- Prioritize vulnerabilities based on real-world risk,
- Proactively strengthen your security posture with tailored, actionable intelligence.
How Tycoon 2FA Works
A typical Tycoon 2FA attack follows a structured process:
- Phishing Emails – Attackers start by sending emails from legitimate (often compromised) accounts. These messages usually contain links or attachments designed to look like trusted communications.
- Layered Redirects – Victims who click these links are sent through several intermediate pages. This redirection chain masks the final phishing site and filters out automated security scans.
- Convincing Phishing Pages – Ultimately, victims arrive at login pages that closely mimic legitimate Microsoft 365 or Gmail portals. These pages are designed to steal both login credentials and 2FA verification codes.
- Session Cookie Theft – Once a victim logs in, Tycoon 2FA intercepts the session cookie that validates the user’s identity. With this cookie, attackers can bypass MFA and gain access to the victim’s account.

A typical attack’s structure using the phishing kit
Tycoon 2FA’s Defense Evasion Tactics
Tycoon 2FA deploys several sophisticated measures to evade detection:
- Blocking Developer Tools and Right-Click – It disables common developer shortcuts and right-click menus, making it harder to inspect its code.
- Dynamic Code Generation and Obfuscation – By constantly altering its code structure, it avoids detection by signature-based security tools.
- Anti-Sandbox and Fingerprinting – The kit uses browser fingerprinting and environment checks to detect analysis tools or sandbox environments, redirecting to legitimate sites if such activity is detected.
- Clipboard Manipulation – It overwrites clipboard data to prevent researchers from capturing or analyzing page content.
These evasive measures ensure that Tycoon 2FA remains hidden and operational even in environments with advanced security tools.
Real-World Attacks Using Tycoon 2FA
Tycoon 2FA has been observed in multiple real-world campaigns, each using social engineering tactics to target users:
- QR Code and Voicemail Lures – Campaigns often leverage QR codes embedded in emails or PDFs, as well as fake voicemail alerts, to trick users into visiting phishing pages mimicking legitimate login screens (Microsoft 365, Gmail, etc.).

QR-based phishing attempt with Tycoon 2FA (Proofpoint)
- Fake WordPress Updates – Attackers have also posed as updates for widely used platforms like WordPress, exploiting users’ trust in these services.
- Bonus or Payroll-Related Lures – Some attacks have focused on enticing employees with fake company bonus notifications or payroll updates.
These examples highlight how Tycoon 2FA’s adaptability and broad range of tactics make it a persistent threat to many organizations. Researchers at ANY.RUN have detailed the technical aspects of numerous such attacks, highlighting advanced evasion tactics and infrastructure. You can read more in their report here.
The Underground Promotion and Infrastructure of Tycoon 2FA
According to initial reports, the kit’s developer – known by aliases Tycoon Group, SaaadFridi, and Mr_XaaD – actively promoted and sold Tycoon 2FA on Telegram. In the “Saad Tycoon Group” channel, they advertised ready-made phishing kits targeting Microsoft 365 and Gmail, posted updates about new features, and offered customer support. It’s worth noting that Tycoon 2FA is also sold on the Dark Web, expanding its reach and making it even more accessible to cybercriminals.
Financial Transactions and Pricing
A dedicated Bitcoin (BTC) wallet is used to handle payments for Tycoon 2FA, suggesting a well-organized and lucrative operation. Since August 2023, this wallet has recorded hundreds of transactions totaling more than $250,000, according to reports from March 2024.
A 2023 post in the phishing kit’s Telegram channel even references a BTC wallet address (19NReVFKJsYYCCFLq1uNKYrUqQE2bB4Jwx), which researchers have linked directly to the Saad Tycoon Group:

BTC wallet address shared in Saad Tycoon Group (Sekoia)
The kit itself is relatively affordable, with packages starting at just $120 for 10 days of use, making it appealing to cybercriminals of all skill levels. Prices can vary based on the top-level domain (TLD) used.
Management Tools and Website Promotion
Researchers have also documented a dedicated administration panel for Tycoon 2FA campaigns. This panel, similar in layout and features to the Dadsec OTT platform, includes statistics like “Bots Blocked,” “Total Visits,” “Valid Login,” “Invalid Login,” and “SSO Login.” Such tools make it easier for attackers to manage campaigns and track their success.

The admin panel (Sekoia)
In addition to its Telegram presence, Tycoon 2FA was promoted through a website hosted at domains like tycoongroup[.]ws. Their sites described it as the “best 2FA bypass phishing platform,” helping to build Tycoon 2FA’s reputation in the underground market.
![The 2023 Tycoon PhaaS platform website at tycoongroup[.]ws](https://socradar.io/wp-content/uploads/2025/06/tycoon2fa-2023.png.webp)
SOCRadar’s Advanced Dark Web Monitoring module actively scans underground forums, marketplaces, and private channels for cybercrime activity related to compromised credentials, leaked data, and more. Additionally, with our Dark Web News feature, you can track hacker posts about emerging threats that may target your organization, such as phishing kit sales similar to Tycoon 2FA, keeping you ahead of these evolving threats.
Recent Evolutions of Tycoon 2FA
Since its emergence, Tycoon 2FA has undergone significant updates, introducing a series of sophisticated features that make it harder to detect and more convincing to victims. Key updates in 2024 and 2025 have focused on three main areas: enhancing evasion techniques, strengthening social engineering, and improving adaptability.
For instance, Tycoon 2FA now integrates dynamic browser fingerprinting to bypass sandbox environments, custom and rotating CAPTCHA methods to avoid automated detection, and advanced obfuscation techniques that make its code increasingly difficult to analyze.
Phishing pages have also become more personalized and realistic, incorporating custom logos and backgrounds that match the victim’s domain, further tricking users into thinking they’re on a legitimate site.
Timeline of Key Upgrades in 2024 and 2025
Tycoon 2FA is a constantly shifting threat, with each iteration introducing new tactics to outpace detection and boost its effectiveness. Here’s a closer look at how this phishing kit has advanced in the last two years:
- March 2024: Tycoon 2FA received an update that heavily obfuscated its JavaScript and HTML code, and introduced dynamic code generation that changes with each execution, actively thwarting signature-based defenses.
- November 2024: A new version emerged with advanced evasion features, including blocking developer tools and overwriting clipboard data. These additions let Tycoon 2FA block automated security scripts and penetration testing tools and detect keystrokes commonly used for web inspection, making it significantly harder for security researchers and automated systems to analyze and identify the phishing pages.
- December 2024: Added dynamic multimedia elements, loading logos and backgrounds that match the victim’s domain to enhance believability.
- April 2025: Rotating CAPTCHA techniques were introduced, switching between Google reCAPTCHA, IconCaptcha, and custom CAPTCHAs to avoid detection by automated tools. In addition, Tycoon 2FA incorporated invisible obfuscation using whitespace-based encoding, making phishing pages harder to analyze, and extended redirect chains to better hide the phishing sites.
- May 2025: AES encryption was added to obfuscate final payloads, and browser fingerprinting was fully implemented, capturing details like timezone, browser properties, and device features to tailor attacks and bypass sandboxes.

Key updates of the phishing kit through 2024 – 2025
These continual updates show that Tycoon 2FA is not a static threat, but an active, evolving danger that adapts to security measures and remains a formidable tool for cybercriminals.
How Can You Protect Against Tycoon 2FA?
Phishing has evolved from individual attacks to large-scale campaigns powered by Phishing-as-a-Service (PhaaS) platforms, with Tycoon 2FA standing out as a key player in recent times. Its effectiveness in bypassing 2FA by stealing session cookies makes it a popular choice for cybercriminals.
Researchers estimate that in 2024, 30% of all credential attacks involved PhaaS. This number is expected to reach 50% in 2025, showing the growing adoption of platforms like Tycoon 2FA. Its ease of use and ability to evade security tools further contribute to its appeal among cybercriminals.
Traditional signature-based defenses often struggle to keep up with Tycoon 2FA’s evolving tactics. From dynamic code obfuscation to rotating CAPTCHA types and browser fingerprinting, the toolkit constantly adapts, slipping past static detection rules and evading automated analysis.
As this threat grows, the pressing question becomes: how can organizations strengthen their defenses against advanced phishing threats like Tycoon 2FA? Here are some actionable steps:
- Hunt for Tycoon 2FA activity by looking for web sessions that connect to C2 domains on certain TLDs, load known kit resources, and end with a redirect to the real Microsoft login page; seen together, these three traits strongly indicate Tycoon 2FA activity.
- Implement behavioral-based detection systems (e.g., EDR/XDR platforms) to spot session cookie theft, suspicious login flows, and automated script-based attacks that static signatures might miss.
- Deploy advanced security solutions like AI-driven email filters, URL scanning tools, and web traffic anomaly detection to catch dynamic phishing kit tactics.
- Provide targeted security awareness training that focuses on identifying phishing lures like QR codes, fake logins, and suspicious redirects, tailored to Tycoon 2FA’s known tactics.
- Continuously monitor authentication logs and web session behavior for suspicious activity, such as unusual MFA prompt usage or repeated logins from unfamiliar IP addresses.
- Leverage threat intelligence feeds that track evolving PhaaS toolkits like Tycoon 2FA, including known C2 infrastructure and new payload encryption techniques.
- Use SOCRadar’s Extended Threat Intelligence platform to stay ahead of phishing campaigns like Tycoon 2FA in their early stages. With actionable insights and targeted alerts, you can proactively disrupt these threats before they escalate.
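As an added illustration of the session cookie theft described in the attack flow above and of the authentication-log monitoring recommended in this list (example code written for this article, not SOCRadar's own tooling), the following Python script flags a session id that is used from a client other than the one that completed MFA, which is what a replayed cookie looks like on the service side. The log format, field names and sample events are constructed assumptions.

```python
"""Detect web-session-cookie replay in authentication logs.

Added example (not code from the article): after an AitM kit such as Tycoon 2FA
relays a login, the stolen cookie is replayed from the attacker's own client.
Flag any session id seen from a (client IP, user agent) pair that differs from
the one present when MFA was satisfied. Log format and events are constructed.
"""
import json

# Constructed sample events: one legitimate login followed by a cookie replay
# from a different IP and browser, plus one clean session for comparison.
SAMPLE_LOG = """\
{"ts":"2025-06-01T08:00:01Z","user":"alice@example.com","session":"S1","ip":"203.0.113.10","ua":"Chrome/125","event":"mfa_success"}
{"ts":"2025-06-01T08:01:10Z","user":"alice@example.com","session":"S1","ip":"203.0.113.10","ua":"Chrome/125","event":"resource_access"}
{"ts":"2025-06-01T08:07:42Z","user":"alice@example.com","session":"S1","ip":"198.51.100.77","ua":"Firefox/126","event":"resource_access"}
{"ts":"2025-06-01T09:15:00Z","user":"bob@example.com","session":"S2","ip":"192.0.2.5","ua":"Edge/125","event":"mfa_success"}
{"ts":"2025-06-01T09:20:00Z","user":"bob@example.com","session":"S2","ip":"192.0.2.5","ua":"Edge/125","event":"resource_access"}
"""


def parse_events(text):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_cookie_replays(events):
    """Return alerts for sessions used from a client other than the MFA client."""
    origin = {}  # session id -> (ip, ua) recorded when MFA was completed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        client = (ev["ip"], ev["ua"])
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            origin.setdefault(sid, client)  # first MFA completion binds the session
            continue
        if sid in origin and origin[sid] != client:
            alerts.append({"user": ev["user"], "session": sid, "ts": ev["ts"],
                           "mfa_client": origin[sid], "replay_client": client})
    return alerts


if __name__ == "__main__":
    for a in find_cookie_replays(parse_events(SAMPLE_LOG)):
        print(f"ALERT cookie replay: {a['user']} session {a['session']} "
              f"MFA from {a['mfa_client']} then used from {a['replay_client']} at {a['ts']}")
```

In production the same check would also tolerate benign changes (mobile roaming, VPN egress rotation) by comparing ASN or device identity rather than raw IP.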

SOCRadar’s Alarm Management
Conclusion
Tycoon 2FA exemplifies the rapid evolution of phishing-as-a-service (PhaaS) threats, bypassing multifactor authentication (MFA) and evading even advanced detection measures. From dynamic obfuscation and custom CAPTCHAs to browser fingerprinting and sandbox detection, Tycoon 2FA continues to push the limits of what phishing kits can achieve.
The widespread adoption of Tycoon 2FA underscores the growing challenges for defenders, especially as cybercriminals increasingly leverage PhaaS to launch campaigns at scale. Traditional security tools alone are no longer enough.
Looking forward, the phishing landscape will only grow more sophisticated. Organizations must adapt by investing in behavioral-based detection, real-time monitoring, and a proactive security culture. Staying ahead of these evolving threats requires continuous improvement and collaboration across teams. By doing so, companies can protect themselves against Tycoon 2FA and future generations of phishing attacks.
MITRE ATT&CK TTPs
The TTPs of the Tycoon 2FA phishing kit are as follows. Additionally, many IOCs associated with its campaigns are available through the SOCRadar XTI platform’s Threat Actor Intelligence page.
| Tactic | Technique | Sub-Technique |
|---|---|---|
| Initial Access | Phishing (T1566) | Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002) |
| Defense Evasion | Virtualization/Sandbox Evasion (T1497) | System Checks (T1497.001) |
| Defense Evasion | Obfuscated Files or Information (T1027) | |
| Defense Evasion | Use Alternate Authentication Material (T1550) | Web Session Cookie (T1550.004) |
| Credential Access | Steal Web Session Cookie (T1539) | |
| Credential Access | Adversary-in-the-Middle (T1557) | |
| Discovery | Virtualization/Sandbox Evasion (T1497) | System Checks (T1497.001) |
| Lateral Movement | Use Alternate Authentication Material (T1550) | Web Session Cookie (T1550.004) |
| Collection | Adversary-in-the-Middle (T1557) | |