
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
Why It Matters
The fragmentation of Tycoon 2FA’s ecosystem accelerates the spread of advanced phishing kits, raising the threat level for organizations that rely on MFA and OAuth authentication. Defenders must adapt to new device‑code attack vectors to protect credential integrity.
Key Takeaways
- Tycoon 2FA attacks fell from 9M to 2M monthly after takedown
- Mamba 2FA doubled output to 15M attacks per month
- EvilProxy and Sneaky 2FA increased attacks, filling Tycoon’s void
- Device‑code phishing kits surged, reusing Tycoon code and PDFs
- Threat actors now target OAuth and device‑code flows to bypass MFA
Pulse Analysis
The takedown of Tycoon 2FA marks one of the most significant law‑enforcement strikes against a phishing‑as‑a‑service (PhaaS) operation. Once responsible for roughly 90% of global PhaaS activity, Tycoon’s monthly attack count plummeted after 330 of its domains were seized. This vacuum did not remain empty; Mamba 2FA, previously the runner‑up, seized the opportunity to more than double its campaign volume, while EvilProxy and Sneaky 2FA also posted noticeable upticks. The rapid redistribution of Tycoon’s codebase and tooling suggests that the underlying infrastructure remains resilient, even when the original brand is crippled.
A parallel trend gaining momentum is device‑code phishing, which exploits the legitimate OAuth device‑authorization flow to capture user credentials. Analysts at Proofpoint and Barracuda have documented a surge in campaigns that embed Tycoon‑style artifacts—such as motivational comments in source code—into new phishing kits. By masquerading as a trusted new‑device login request, attackers can bypass traditional password‑only defenses and even some multi‑factor authentication (MFA) implementations. The technique’s rise coincides almost exactly with Tycoon’s takedown, indicating that displaced actors are repurposing familiar code to target newer authentication vectors.
For security teams, the evolving landscape demands a multi‑layered response. Continuous monitoring of OAuth and device‑code flows, combined with anomaly detection on login patterns, can flag suspicious activity before credentials are compromised. Organizations should also enforce adaptive MFA that incorporates contextual risk signals, rather than relying solely on static token challenges. Finally, threat‑intelligence sharing about emerging phishing kits and their signatures will be critical to staying ahead of actors who rapidly iterate on stolen code to launch more sophisticated attacks.
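The two preceding paragraphs describe device‑code phishing (an attacker gets the victim to complete a legitimate OAuth device‑authorization flow on the attacker's behalf) and recommend monitoring those flows for anomalies. The script below is an added example, not code from the article or from Proofpoint or Barracuda, of what that monitoring can look like: it reads sign‑in events as JSON lines and flags device‑code sign‑ins that are a first for the user, come from a country absent from the user's interactive sign‑in baseline, or share a source IP with device‑code sign‑ins for several other accounts (the pattern a shared phishing kit backend produces). The event layout and all log lines are constructed for the example; real identity‑provider logs (Microsoft Entra ID sign‑in logs, for instance, carry an `authenticationProtocol` field whose value is `deviceCode` for this flow) need a short mapping step into this shape.

```python
"""Flag suspicious OAuth device-code sign-ins from identity-provider sign-in events.

Added example. The record layout below is an assumption for illustration, not
any vendor's real schema; map real sign-in logs into it before use.
"""
import json
from collections import defaultdict

# Constructed sample sign-in events (not taken from the article), one JSON object per line.
# "protocol" is "password" for an interactive sign-in and "deviceCode" for a
# device-authorization-grant sign-in; "ip"/"country" describe where the user
# (or the phishing kit acting as the user) completed the sign-in.
SAMPLE_LOG_LINES = """\
{"ts": "2025-01-03T08:00:00Z", "user": "dave@example.test", "protocol": "password", "ip": "192.0.2.40", "country": "US"}
{"ts": "2025-01-05T08:10:00Z", "user": "dave@example.test", "protocol": "deviceCode", "ip": "192.0.2.40", "country": "US"}
{"ts": "2025-01-10T09:00:00Z", "user": "alice@example.test", "protocol": "password", "ip": "203.0.113.5", "country": "US"}
{"ts": "2025-01-10T09:05:00Z", "user": "bob@example.test", "protocol": "password", "ip": "203.0.113.9", "country": "DE"}
{"ts": "2025-01-11T07:30:00Z", "user": "carol@example.test", "protocol": "password", "ip": "203.0.113.12", "country": "US"}
{"ts": "2025-01-12T10:00:00Z", "user": "dave@example.test", "protocol": "deviceCode", "ip": "192.0.2.40", "country": "US"}
{"ts": "2025-01-12T10:14:00Z", "user": "alice@example.test", "protocol": "deviceCode", "ip": "198.51.100.77", "country": "NL"}
{"ts": "2025-01-12T10:16:00Z", "user": "bob@example.test", "protocol": "deviceCode", "ip": "198.51.100.77", "country": "NL"}
{"ts": "2025-01-12T10:21:00Z", "user": "carol@example.test", "protocol": "deviceCode", "ip": "198.51.100.77", "country": "US"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records and return them in chronological order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC timestamps sort lexically
    return events


def find_suspicious_device_code_signins(events, shared_ip_threshold=3):
    """Return findings for device-code sign-ins that match one or more anomaly rules.

    Rules:
      1. first device-code sign-in ever seen for the user;
      2. sign-in country not in the user's baseline of interactive (non-device-code) sign-ins;
      3. the source IP completed device-code sign-ins for >= shared_ip_threshold distinct users.
    """
    # Rule 3 needs a whole-window view: distinct users per IP over device-code events.
    users_per_ip = defaultdict(set)
    for e in events:
        if e["protocol"] == "deviceCode":
            users_per_ip[e["ip"]].add(e["user"])

    baseline_countries = defaultdict(set)  # built from interactive sign-ins seen so far
    prior_device_code_users = set()
    findings = []
    for e in events:
        user = e["user"]
        if e["protocol"] != "deviceCode":
            baseline_countries[user].add(e["country"])
            continue

        reasons = []
        if user not in prior_device_code_users:
            reasons.append("first device-code sign-in for this user")
        if e["country"] not in baseline_countries[user]:
            reasons.append(f"country {e['country']} not in user's interactive sign-in baseline")
        sharing_users = len(users_per_ip[e["ip"]])
        if sharing_users >= shared_ip_threshold:
            reasons.append(f"source IP {e['ip']} completed device-code sign-ins for {sharing_users} users")
        prior_device_code_users.add(user)

        if reasons:
            findings.append({"ts": e["ts"], "user": user, "ip": e["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(parse_events(SAMPLE_LOG_LINES)):
        print(f"{f['ts']} {f['user']} from {f['ip']}: " + "; ".join(f["reasons"]))
```

On the constructed data, dave's second device‑code sign‑in is not reported (known country, prior device‑code use, unshared IP), while the three sign‑ins completed through 198.51.100.77 are reported with two or three reasons each; the number of reasons is a usable severity signal when triaging. In production the baseline should be bounded by a lookback window and the shared‑IP rule by a time window, so that a corporate egress address does not trip rule 3 on its own.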