Tycoon 2FA attacks crash by 77% following takedown — but don’t disappear altogether, new Barracuda research reveals

Barracuda analysis shows that Tycoon 2FA lives on through distributed tools, code mutation and victim access

Thursday, 17th April, 2026: New research from Barracuda shows how disruption of the dominant phishing-as-a-service (PhaaS) platform Tycoon 2FA accelerated change in the phishing ecosystem. The findings are detailed in a new research article, which shows how other players quickly moved in to seize Tycoon’s market share, redistributed and revised its tools, techniques and capabilities — and how some things, including smaller campaigns, didn’t change at all.

Tycoon 2FA was severely disrupted in early March by an international law enforcement operation. Before the takedown, Tycoon 2FA accounted for over 9 million phishing attacks per month on average, with Mamba 2FA in second place with around 8 million and EvilProxy in third with almost 3 million. Sneaky 2FA accounted for nearly 700 thousand attacks.

Following the takedown, Mamba 2FA became the dominant phishing platform, doubling to 15 million attacks per month. EvilProxy increased to around 4 million attacks, while Sneaky 2FA tripled to nearly 2 million. Tycoon 2FA activity fell by 77%, but still accounted for more than 2 million attacks.

How Tycoon 2FA lives on

According to Barracuda threat analysts, the continued existence of Tycoon 2FA is due to several factors.

  1. Not everything was dismantled in the takedown

For example, variants of Tycoon 2FA’s attack code that have been cloned or modified by individual adversaries continue to circulate. Independently hosted deployments remain active, and fragmented, low-volume campaigns persist.

  2. Attackers reuse and repurpose phishing code

PhaaS toolsets increasingly resemble open-source development environments. Code is reused, modified and redeployed, and features migrate from one phishing kit to another.

  3. Residual infrastructure

Elements of the attack infrastructure can persist. For example, attack domains remain active until expiry; backup hosting often evades immediate seizure; and low-visibility phishing campaigns keep going if they fall beneath alert thresholds. These residual campaigns can quietly outlive initial response efforts.

  4. Phishing frameworks have built-in redundancy

Modern phishing frameworks often include measures to help them recover from disruption. Examples of this include failover infrastructure to ensure operational continuity for in-flight campaigns, workflows for rapid redeployment following disruption, and compatibility with other phishing kits.

  5. Persistent access

The disruption of infrastructure does not automatically revoke victim access. Stolen session cookies may remain valid, OAuth abuse can enable extended cloud access, and organizations may remain compromised after the end of the phishing campaign.

“Phishing threats don’t end cleanly,” said Saravanan Mohankumar, Manager, Threat Analysis Team at Barracuda. “Attack patterns migrate rather than disappear, and tools inherit and refine proven techniques. The capabilities popularised by Tycoon 2FA are now embedded across a wider set of platforms, and we’ve already seen them deployed successfully in device code attacks. Detections tied to individual kits become obsolete quickly. For true resilience, defensive strategies need to focus on broad models of identity-based attacks and session abuse.”

For more information, read the blog post: https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere

About Barracuda  

Barracuda is a leading global cybersecurity company providing complete protection against complex threats for businesses of all sizes. Our AI-powered BarracudaONE platform secures email, data, applications, and networks with innovative solutions, managed XDR and a centralized dashboard to maximize protection and strengthen cyber resilience. Trusted by hundreds of thousands of IT professionals and managed service providers worldwide, Barracuda delivers powerful defenses that are easy to buy, deploy and use.
