Learn how Tycoon 2FA, currently one of the most active and effective phishing toolsets in circulation, evades multi-factor authentication.
PhaaS platforms have made it easier for cybercriminals to engage in the business of phishing and other attacks. These platforms offer sophisticated toolkits and infrastructure on a subscription model. By 2026, these platforms have become more mature and sophisticated and have become significantly more active in large-scale attacks. Among the most dangerous and widely used toolkits is the Tycoon 2FA Phishing Kit.
The Tycoon 2FA Phishing Kit is unlike other phishing toolkits. It represents the emergence of a new era in phishing attacks that have been designed to evade multi-factor authentication. MFA is currently considered the most effective form of account protection. However, the Tycoon 2FA phishing kit’s capability to steal session cookies in real-time makes MFA completely ineffective against it. In this context, understanding the mechanics of the Tycoon 2FA Phishing Kit is crucial for effective cybersecurity defense strategies.
Tycoon 2FA Mechanics
Initial attack vector
Victim clicks a phishing link via email or message.
Dynamic fake login page
Server loads a perfect replica of the target service.
AiTM technique
Tycoon proxies all traffic between victim and real service.
Credential capture
Login data is captured and forwarded in real time.
MFA interception
Real MFA challenges are relayed to the phishing page.
Session cookie theft
Authentication cookies are stolen after MFA success.
Account takeover
Attackers use stolen cookies for full account access.
Understanding the Mechanics of Tycoon 2FA
- Initial attack vector: The sequence of events starts when the victim clicks on the phishing link sent through an email or message.
- Dynamic fake login page: The Tycoon server uses the fake login page technique, which involves the Tycoon server dynamically loading an almost exact replica of the login page of the service that the attacker wants to impersonate.
- Adversary-in-the-Middle (AiTM) technique: Tycoon 2FA uses the Adversary-In-The-Middle technique, which involves the Tycoon server acting as a reverse proxy server, placing itself directly between the victim and the service that the attacker wants to impersonate, which can be Microsoft 365 or Gmail, among others.
- Credential capture and relay: When the victim enters their login credentials on the fake login page, the Tycoon kit immediately captures the credentials and simultaneously relays them to the legitimate service.
- MFA interception: The legitimate service then requests MFA, which involves the attacker sending the one-time code or request to the victim through the phishing page.
- Session cookie theft: Once MFA has been completed, the Tycoon kit captures the session cookie that results from the MFA request-response sequence.
- Account takeover: The attackers can then use the session cookie to bypass authentication checks, even MFA, and gain access to the user’s account.
Technical Evolution from PhaaS Origins
Dadsec OTT Link
Tycoon 2FA is closely linked to the Dadsec OTT phishing kit, with code similarities suggesting it is a direct evolution or fork.
Active Since 2023
First observed around August 2023, the kit has been continuously enhanced to stay effective against modern defenses.
Phishing-as-a-Service
Operates on a subscription basis, typically distributed via private Telegram channels, enabling easy access to infrastructure.
Lower Barrier to Entry
Allows low-skill actors to conduct sophisticated MFA-bypassing attacks with minimal technical effort.
Feature Updates
Continuous improvements focus on phishing page realism and the evasion of security controls and sandboxes.
Expanded Targeting
Initially focused on Microsoft and Google, it now supports multiple cloud and online services across the SaaS landscape.
Established Threat
Rapid iteration and broad targeting have solidified Tycoon 2FA’s position as a leading and persistent threat.
Advanced Evasion Tactics in the Latest Version
The most recent versions of the Tycoon 2FA kit have anti-analysis features. These anti-analysis features are intended to hinder security researchers and automated analysis tools. This has greatly added to the longevity of the phishing campaigns. The kit utilizes an initial CAPTCHA screen. This is the first hurdle that any automated bots must overcome. This hurdle provides a false sense of legitimacy to the victim.
In addition to this, the code is highly obfuscated. The developers utilize dynamic JavaScript and Unicode code hiding. This makes it extremely difficult to reverse engineer and statically analyze the code. The kit also has anti-analysis features that allow it to identify and prevent automated security scripts. These are usually used in penetration testing tools like Burp.
The kit has been set to listen to specific keystrokes and actions. For instance, it disables the right-click context menu. It has also been set to prevent common developer keyboard combinations like F12 and Ctrl+Shift+I. In case it detects any of these anti-analysis techniques, it redirects the user to a harmless website like OneDrive.com or shows a blank page. This has greatly hindered security researchers and analysts from identifying the page’s malicious nature.
Analyzing the Impact: 165,000 Credentials and Counting
Real-world data also helps in understanding the significant impact of the Tycoon 2FA kit. For instance, the tool has been analyzing a set of successfully phished credentials, which were recaptured within a period of six weeks. The data revealed an astonishing 165,000+ phished credentials. This figure, therefore, indicates the success of the tool.
The analysis also helped in understanding the victimology of the attacks. From a geographical point of view, the attacks have shown a strong preference for English-speaking countries. For example, 54% of the victims were located in the United States. The United Kingdom and Canada also ranked second, indicating a strong preference for these countries.
The attacks have also shown a strong preference for major cloud productivity suites. For example, the phished email addresses revealed the following data:
- 48% were associated with Google webmail services.
- 37% were associated with Outlook/Microsoft 365 services.
This figure, therefore, indicates that the Tycoon 2FA kit is a special tool used for attacking enterprise and professional cloud services. Moreover, the analysis revealed a significant trend of user behavior. For example, 41% of the phished users attempted to use more than one unique password during the phishing attempt.
Infrastructure and Domain Rotation Strategies
The operational resilience of Tycoon is based on its infrastructure, which is agile and disposable in nature. The threat actors are using aggressive domain rotation, where thousands of short-lived domain names are used across various TLDs such as .za.com, .it.com, and .es. This greatly reduces the effectiveness of blocklists and takedowns.
The phishing campaigns are often sent through legitimate email accounts that have been compromised, thus avoiding email security controls that are based on sender reputation. Once the victim lands on the phishing page, data exfiltration is done through highly evasive backend mechanisms, including randomized subdomains, long encrypted endpoints, and base64 encoding.
Thus, although the domains are being detected and blocked, the attackers are able to rotate quickly and continue their campaigns with minimal downtime.
Inside Tycoon 2FA: How Modern Phishing Bypasses MFA
This video will explain, at a technical level, what a Tycoon 2FA phishing kit does and why it’s so successful. Rather than simply pretending to be a login page, Tycoon 2FA phishing kits act as a reverse proxy, sitting between the victim and a legitimate service, such as Microsoft or Google.
All authentication traffic is relayed in real time, which means that the phishing infrastructure can intercept legitimate session cookies and authentication tokens after the victim has successfully completed multi-factor authentication. These tokens then allow an attacker to take over an active session, effectively gaining access to the account without re-triggering MFA.
This method represents a significant shift in phishing attacks, moving beyond basic credential phishing to session takeover attacks. It also underscores the limitations of MFA when used in isolation, emphasizing the importance of other security controls, including conditional access, domain validation, phishing-resistant MFA, and session monitoring.
How to Defend Against Sophisticated Phishing Kits
The availability of Tycoon 2FA indicates that traditional security measures are no longer sufficient. Organizations must understand the limitations of traditional MFA solutions, such as SMS or time-based one-time passwords (TOTP). As Tycoon 2FA is intended to steal the session cookie after a successful MFA challenge, a stronger security measure is required.
The best defense mechanism is to use phishing-resistant MFA. The MFA solution is linked to a specific device and domain. The solution prevents the session cookie from being relayed or replayed to an attacker.
The best solution for an organization is to use FIDO2/WebAuthn standards. The security keys offer the highest level of security against AiTM attacks. Another factor to consider in a multilayered defense mechanism is employee training. Employees must be able to identify the signs of a phishing attack, even if it appears to be legitimate.
Training should focus on:
Inspect the URL
A single character difference can be the only sign. Double-check before typing.
Spot the Decoy
Tycoon uses fake “Blocked” messages to stall you while hijacking your session.
Rapid Response
Immediate reporting can prevent a full-scale takeover of your professional accounts.
Conclusion: When MFA Becomes a Speed Bump, Not a Barrier
Tycoon 2FA shows where modern phishing is headed. The attacker does not just steal a password, they steal the live session after MFA succeeds. By proxying the login flow in real time, they capture session cookies and jump straight to account takeover, even when MFA is enabled.
Why This Threat Matters Now
- Adversary in the Middle techniques relay credentials and MFA, then harvest session cookies for instant reuse.
- Rapid infrastructure rotation makes blocklists and takedowns less reliable.
- Tracking in the report cites 165,000+ credentials phished in six weeks, with heavy focus on Google webmail and Microsoft 365.
Why Most Organizations Stay Exposed
- Users complete MFA on convincing, attacker-controlled pages, then the session is stolen and replayed.
- Obfuscation and anti-analysis steps slow investigations and response.
- Session theft bypasses the protection many teams assume MFA guarantees.
Where Xcitium Changes the Outcome
For organizations using Xcitium Cyber Awareness Education and Phishing Simulation, Tycoon 2FA fails at the decision point.
- Training builds URL and brand impersonation recognition before credentials and MFA are entered.
- Simulations create pause and verify habits under realistic pressure.
- Faster reporting shortens the window for session hijacking and follow-on abuse.
With this in place, the attack does not succeed because the user never completes the attacker’s workflow.
Strengthen Security Where Session Takeovers Begin
MFA is necessary, but it is not the finish line. Reduce successful phishing conversions and cut off session theft before it starts.
