Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
March 5, 2026, 9:48 a.m.
Description
Tycoon2FA emerged as a prominent phishing-as-a-service platform in August 2023, enabling large-scale campaigns targeting over 500,000 organizations monthly. Developed by Storm-1747, it provided adversary-in-the-middle capabilities to bypass multifactor authentication. The kit allowed impersonation of trusted brands like Microsoft 365 and Gmail, intercepting session cookies and credentials. It employed sophisticated evasion techniques including anti-bot screening, browser fingerprinting, and custom CAPTCHAs. Tycoon2FA's infrastructure evolved to use diverse, short-lived domains and complex redirect chains. Its success stemmed from closely mimicking legitimate authentication processes while covertly intercepting user credentials and session tokens.
Date
- Created: March 4, 2026, 7:42 p.m.
- Published: March 4, 2026, 7:42 p.m.
- Modified: March 5, 2026, 9:48 a.m.
Indicators
Additional Information
- Finance
- Education
- Healthcare
- Government