
Tycoon 2FA Disruption Drives Surge in Device Code Phishing and Redistribution of PhaaS Tooling

1 unique source, 1 article

Summary

Following a coordinated law enforcement takedown targeting the Tycoon 2FA phishing-as-a-service (PhaaS) operation, threat actors have rapidly redistributed tools, code, and techniques to competing PhaaS platforms including Mamba 2FA, EvilProxy, and Sneaky 2FA. This shift has coincided with a significant increase in device code phishing campaigns, which bypass traditional MFA by exploiting legitimate OAuth 2.0 and device authorization flows. Attackers are repurposing Tycoon 2FA’s artifacts and code—including unique obfuscation methods such as motivational-style comments in source code—to launch new campaigns that trick users into granting persistent account access via device approval prompts. Tycoon 2FA’s operational capacity dropped from over 9 million attacks per month to approximately 2 million following the takedown, but overall phishing activity has not declined proportionally. Instead, the ecosystem has fragmented, with Mamba 2FA nearly doubling its output to over 15 million attacks per month and EvilProxy rising from ~3 million to ~4 million monthly attacks.
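The summary above describes device code phishing as an abuse of the legitimate OAuth 2.0 device authorization grant: the victim approves a device login prompt and the attacker's client receives tokens. From a defender's side the useful signal is that such sign-ins are recorded as device-code-protocol authentications in the identity provider's sign-in log. The following detector is an added example, not code from CyberHappenings or from any of the reporting sources; the field names (`authenticationProtocol`, `appDisplayName`, `ipAddress`, `userPrincipalName`, `conditionalAccessStatus`, `createdDateTime`) are assumed to follow the Microsoft Entra ID sign-in log export, the log records themselves are constructed, and the corporate egress prefix and the allow-list of clients expected to use the device code grant are tenant-specific assumptions.

```python
"""Flag OAuth 2.0 device authorization grant sign-ins in Entra-style sign-in logs.

Added example (not from the page or any vendor). Field names are assumed to
match the Microsoft Entra ID sign-in log export; every record below is
constructed sample data, not real telemetry.
"""
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample sign-in records (JSON lines). Documentation-range IPs only.
SAMPLE_LOG = """\
{"createdDateTime":"2026-04-17T09:02:11Z","userPrincipalName":"a.ruiz@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"authorizationCodeFlow","ipAddress":"203.0.113.10","conditionalAccessStatus":"success"}
{"createdDateTime":"2026-04-17T09:15:40Z","userPrincipalName":"a.ruiz@example.test","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","conditionalAccessStatus":"success"}
{"createdDateTime":"2026-04-17T09:16:02Z","userPrincipalName":"b.chen@example.test","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","conditionalAccessStatus":"success"}
{"createdDateTime":"2026-04-17T10:30:00Z","userPrincipalName":"c.okafor@example.test","appDisplayName":"Visual Studio Code","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.45","conditionalAccessStatus":"failure"}
"""

# Assumed tenant facts: corporate egress prefixes and the clients that are
# expected to use the device code grant (e.g. CLI tools on headless hosts).
KNOWN_EGRESS_PREFIXES = ("203.0.113.",)
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


@dataclass
class Finding:
    user: str
    app: str
    ip: str
    when: datetime
    severity: str          # "blocked", "high" or "info"
    reasons: tuple


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess(record):
    """Return a Finding for a device code grant sign-in, or None otherwise.

    Every device code sign-in is reported (they are rare in most tenants);
    severity rises when the approval came from outside known egress or via a
    client not expected to use this grant, and drops to "blocked" when
    Conditional Access already rejected the sign-in.
    """
    if record.get("authenticationProtocol") != "deviceCode":
        return None

    reasons = []
    ip = record["ipAddress"]
    if not ip.startswith(KNOWN_EGRESS_PREFIXES):
        reasons.append("approval from outside known egress")
    app = record["appDisplayName"]
    if app not in EXPECTED_DEVICE_CODE_APPS:
        reasons.append("client not expected to use device code grant")

    if record.get("conditionalAccessStatus") == "failure":
        severity = "blocked"
    elif reasons:
        severity = "high"
    else:
        severity = "info"

    # "Z" suffix handling for Python < 3.11, which lacks Z support in fromisoformat.
    when = datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))
    return Finding(record["userPrincipalName"], app, ip, when, severity, tuple(reasons))


def flag_device_code_signins(text):
    """Run the assessment over a log export and return findings in log order."""
    return [f for f in (assess(r) for r in parse_signins(text)) if f is not None]


def count_by_severity(findings):
    """Summarise findings for a dashboard or ticket body."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_LOG):
        print(f"{f.severity:7} {f.when.isoformat()} {f.user} via {f.app} from {f.ip} "
              f"{'; '.join(f.reasons) or ''}")
    print(count_by_severity(flag_device_code_signins(SAMPLE_LOG)))
```

The point of reporting even the "info" cases is that the device code grant is legitimate and rarely used, so a baseline of which users and clients use it is what makes the high-severity ones stand out; where a tenant has no need for the grant at all, restricting it by policy at the identity provider removes the class of attack rather than just detecting it.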

Timeline

  1. 17.04.2026 22:05 · 1 article

    Tycoon 2FA Disruption Accelerates Rise of Device Code Phishing and PhaaS Redistribution

    Following a coordinated law enforcement takedown of Tycoon 2FA’s infrastructure in early 2026, threat actors rapidly migrated to alternative PhaaS platforms including Mamba 2FA, EvilProxy, and Sneaky 2FA. This migration coincided with a significant surge in device code phishing campaigns, which leverage legitimate OAuth 2.0 device authorization flows to bypass MFA and achieve persistent account takeover. Attackers are repurposing Tycoon 2FA’s code and artifacts—including motivational-style comments used for obfuscation—to seed new campaigns. As a result, Mamba 2FA’s attack volume nearly doubled to over 15 million per month, while EvilProxy increased from ~3 million to ~4 million monthly attacks. Device code phishing, previously uncommon, has become a dominant technique in the threat landscape over the last 3–4 weeks.

Information Snippets

  • Tycoon 2FA, previously responsible for nearly 90% of global PhaaS activity a year ago, saw its market share decline to less than 50% before a coordinated law enforcement takedown disrupted 330 of its active domains in early 2026.

    First reported: 17.04.2026 22:05
    1 source, 1 article
  • Post-takedown, Tycoon 2FA’s attack volume dropped from over 9 million to just over 2 million per month, but overall ecosystem activity remained high due to actor migration to other services.

    First reported: 17.04.2026 22:05
    1 source, 1 article
  • Mamba 2FA, Tycoon 2FA’s largest competitor, increased its attack volume from ~8 million to over 15 million per month following the takedown—a near doubling of output.

    First reported: 17.04.2026 22:05
    1 source, 1 article
  • EvilProxy’s monthly attack volume rose from just under 3 million to over 4 million around the same period, positioning it as a major beneficiary of the disruption.

    First reported: 17.04.2026 22:05
    1 source, 1 article
  • Device code phishing—leveraging legitimate OAuth 2.0 device authorization flows to bypass MFA—has surged since November–December 2025, with a sharp increase observed over the last 3–4 weeks.

    First reported: 17.04.2026 22:05
    1 source, 1 article
  • Threat actors are repurposing Tycoon 2FA’s code and artifacts, including motivational-style comments embedded in source code as obfuscation, to seed new device code phishing campaigns.

    First reported: 17.04.2026 22:05
    1 source, 1 article
  • Attackers are integrating device code phishing kits into broader PhaaS packages, enabling credential theft and persistent account takeover without requiring user interaction beyond approving a device login prompt.

    First reported: 17.04.2026 22:05
    1 source, 1 article