Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
Tycoon2FA emerged as a prominent phishing-as-a-service platform in August 2023, enabling large-scale campaigns targeting over 500,000 organizations monthly. Developed by Storm-1747, it provided adversary-in-the-middle (AiTM) capabilities to bypass multifactor authentication. The kit allowed impersonation of trusted brands like Microsoft 365 and Gmail, intercepting session cookies and credentials. It employed sophisticated evasion techniques, including anti-bot screening, browser fingerprinting, and custom CAPTCHAs. Tycoon2FA's infrastructure evolved to use diverse, short-lived domains and complex redirect chains. Its success stemmed from closely mimicking legitimate authentication processes while covertly intercepting user credentials and session tokens.
Pulse ID: 69a88b33567744351e1bf5d3
Pulse Link: https://otx.alienvault.com/pulse/69a88b33567744351e1bf5d3
Pulse Author: AlienVault
Created: 2026-03-04 19:42:43
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#2FA #AdversaryInTheMiddle #AitM #Browser #CAPTCHA #Cookies #CyberSecurity #InfoSec #Microsoft #Mimic #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RCE #Rust #bot #AlienVault
