Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks

SecurityWeek, Apr 18, 2026

Why It Matters

The shift in PhaaS dominance expands the attack surface for enterprises, as newer kits inherit proven code and evade existing defenses. Understanding this diversification is critical for security teams to broaden detection beyond single‑vendor signatures.

Key Takeaways

  • Tycoon 2FA's market share fell from 89% to below 30%.
  • Overall phishing attacks rose to over 23 million monthly.
  • Mamba 2FA and EvilProxy now dominate the PhaaS market.
  • Threat actors clone and modify Tycoon code for new campaigns.
  • Diversified kit ecosystem complicates detection and takedown efforts.

Pulse Analysis

Phishing‑as‑a‑service (PhaaS) has become a cornerstone of the cyber‑crime economy, offering ready‑made kits that bypass two‑factor authentication and scale quickly across thousands of victims. Tycoon 2FA emerged in 2023 as the flagship platform, accounting for 62% of Microsoft‑reported phishing attempts and commanding roughly 89% of the market. In early March 2026, an international operation seized 330 active Tycoon domains, a move that many analysts expected to cripple the service. While the takedown disrupted the central infrastructure, the underlying code base survived.

Barracuda Networks’ latest telemetry shows that total attacks using the four most prevalent kits—Tycoon, Mamba 2FA, EvilProxy and Sneaky 2FA—jumped from about 20 million to more than 23 million per month after the seizure. Mamba 2FA and EvilProxy have overtaken Tycoon, now holding the majority of detections, while cloned variants of Tycoon’s code continue to run in fragmented, low‑volume campaigns. This rapid migration illustrates how PhaaS operators treat their toolsets as open‑source assets, reusing, modifying, and redeploying code across multiple storefronts to maintain resilience.

The diversification of phishing kits forces defenders to rethink traditional, signature‑centric approaches. Security teams must broaden threat‑intel feeds, adopt behavior‑based analytics, and prioritize the detection of credential‑stealing flows rather than focusing on a single vendor’s kit. Moreover, the persistence of cloned code underscores the need for continuous user education and robust multi‑factor authentication methods that are resistant to man‑in‑the‑middle techniques. As the underground economy adapts, proactive, ecosystem‑wide defenses will be the most effective line of resistance against the evolving PhaaS threat landscape.
