Tycoon 2FA (also known simply as Tycoon) is a highly sophisticated Phishing-as-a-Service (PhaaS) platform and one of the most widely used Adversary-in-the-Middle (AiTM) phishing kits in 2025. First observed in August 2023 by researchers at Sekoia and Deep Instinct, it rapidly evolved into a dominant tool for bypassing multi-factor authentication (MFA/2FA) on high-value targets, particularly Microsoft 365, Office 365, Gmail, and other cloud services.
Tycoon 2FA is sold and supported primarily through Telegram channels operated by its developers (often under handles associated with the "Saad Tycoon Group" or "Mr_XaaD"). Pricing follows a subscription model: short-term access (1–3 months) starts around $120–$200 in Bitcoin, with longer licenses or premium support costing more. The kit's affordability, ease of use, and continuous updates have made it accessible to a broad range of attackers — from script kiddies to organized cybercrime groups and even some state-aligned actors.
As of late 2025, Tycoon 2FA has been linked to over 64,000 documented phishing incidents (ANY.RUN data) and more than 1,200 malicious domains historically (Sekoia IOC repository). It consistently ranks among the top three most active PhaaS platforms alongside EvilProxy and NakedPages.
Key Components:
Notable Features Added/Enhanced in 2024–2025:
Tycoon 2FA remains a flagship example of how PhaaS platforms have commoditized advanced MFA bypass techniques. Its ongoing evolution — driven by active development and community feedback — ensures it will stay relevant into 2026 and beyond. The most effective long-term defense is migrating to authentication methods that are inherently resistant to real-time relaying and session theft. Organizations should prioritize phishing-resistant MFA deployment and maintain vigilance against evolving AiTM threats.
Tycoon 2FA is sold and supported primarily through Telegram channels operated by its developers (often under handles associated with the "Saad Tycoon Group" or "Mr_XaaD"). Pricing follows a subscription model: short-term access (1–3 months) starts around $120–$200 in Bitcoin, with longer licenses or premium support costing more. The kit's affordability, ease of use, and continuous updates have made it accessible to a broad range of attackers — from script kiddies to organized cybercrime groups and even some state-aligned actors.
As of late 2025, Tycoon 2FA has been linked to over 64,000 documented phishing incidents (ANY.RUN data) and more than 1,200 malicious domains historically (Sekoia IOC repository). It consistently ranks among the top three most active PhaaS platforms alongside EvilProxy and NakedPages.
Core Technical Architecture
Tycoon 2FA operates as a reverse proxy-based AiTM framework, sitting between the victim and the legitimate service to relay traffic in real time while capturing sensitive data.Key Components:
- Reverse Proxy Engine:
- Built on Node.js/PHP with Nginx or custom proxies.
- Intercepts all HTTP/S traffic, including POST requests containing credentials and MFA responses.
- Session Cookie Theft Module:
- Primary MFA bypass mechanism: Captures authenticated session cookies (e.g., .AspNetCore.Session, FedAuth) immediately after successful login.
- Allows attackers to replay sessions without re-entering credentials or completing MFA.
- Real-Time MFA Relaying:
- Forwards push notifications, TOTP codes, SMS, or authenticator app challenges to the real service.
- Victim enters 2FA response on the phishing page → relayed live → attacker receives valid session.
- Dynamic Phishing Page Generator:
- Pulls live assets (CSS, JS, images, fonts) from the legitimate target domain to create pixel-perfect clones.
- Adapts to conditional access policies by parsing error messages and adjusting prompts accordingly.
- Victim Dashboard:
- Real-time monitoring of active sessions, captured credentials, cookies, and MFA tokens.
- Export functions and campaign statistics.
Advanced Features and 2025 Evolutions
Tycoon 2FA receives frequent updates via Telegram announcements, with developers sharing changelogs and new evasion modules.Notable Features Added/Enhanced in 2024–2025:
- Multi-Layered Obfuscation:
- JavaScript/HTML scrambling, whitespace encoding, AES-encrypted payloads.
- Dynamic code generation (page source changes on each load).
- Anti-Analysis and Anti-Bot Protections:
- Browser fingerprinting (checks timezone, WebGL, canvas, fonts, plugins).
- Debugger detection: Disables right-click, dev tools, clipboard access.
- Rotating CAPTCHA implementations (Google reCAPTCHA, hCaptcha, custom image-based).
- Redirects or blank pages if sandbox/environment detected.
- Link and URL Obfuscation:
- Split URL techniques (benign + malicious segments).
- Multi-stage redirect chains via legitimate services.
- QR Code (Quishing) Integration:
- Generates mobile-friendly QR codes leading directly to phishing pages.
- Clipboard Hijacking:
- Overwrites copied text with attacker-controlled wallet addresses (common in crypto-themed lures).
- Multimedia and Template Customization:
- Supports audio/video lures (e.g., fake voicemail prompts).
- Extensive template library for dozens of services beyond Microsoft/Gmail (Azure, AWS, VPNs, banking).
Typical Attack Lifecycle
- Infrastructure Setup: Attacker purchases access, deploys kit on VPS with valid SSL (often Let’s Encrypt).
- Campaign Preparation: Configures templates and lures (e.g., “New Voicemail”, “Shared Document”, “Password Expiration”).
- Distribution: Emails sent via compromised accounts, bulk spam, or services like Amazon SES.
- Victim Interaction:
- Click → Anti-bot checks → Phishing page.
- Credentials entered → MFA prompted and relayed.
- Successful auth → Session cookie stolen.
- Post-Compromise:
- Immediate access to inbox, OneDrive, Teams.
- Common follow-ons: inbox rule creation, data exfiltration, BEC fraud, internal phishing.
Threat Actor Usage and Scale
- Primarily financially motivated groups (Nigerian BEC actors, Scattered Spider affiliates).
- Increasing adoption by initial access brokers selling M365 compromises on dark markets.
- Occasional use in targeted operations (e.g., corporate espionage).
Detection Indicators
- Domains with random subdomains or patterns listed in public IOC feeds (Sekoia, urlhaus).
- Traffic anomalies: High POST requests to proxy IPs with unusual User-Agents.
- Sudden session cookie usage from unexpected locations.
- Emails containing obfuscated links or unexpected CAPTCHA prompts.
Comprehensive Mitigation Strategies
- Implement Phishing-Resistant MFA:
- FIDO2 hardware security keys (YubiKey, etc.).
- Certificate-based authentication.
- Passkeys — these cannot be relayed by AiTM kits.
- Session and Device Controls:
- Microsoft Entra Conditional Access: Require compliant/managed devices, block legacy authentication.
- Monitor for impossible travel or anomalous session replay.
- Advanced Email and Web Security:
- Deploy gateways capable of detecting AiTM patterns (e.g., Proofpoint Targeted Attack Protection, Microsoft Defender).
- Block known PhaaS infrastructure via URL/DNS filtering.
- User Education:
- Train on recognizing unsolicited login prompts.
- Encourage use of official apps/bookmarks rather than email links.
- Monitoring and Response:
- Alert on new inbox rules or unusual OAuth consents.
- Use tools like Microsoft Defender for Cloud Apps to detect cookie replay.
Tycoon 2FA remains a flagship example of how PhaaS platforms have commoditized advanced MFA bypass techniques. Its ongoing evolution — driven by active development and community feedback — ensures it will stay relevant into 2026 and beyond. The most effective long-term defense is migrating to authentication methods that are inherently resistant to real-time relaying and session theft. Organizations should prioritize phishing-resistant MFA deployment and maintain vigilance against evolving AiTM threats.
