New research shows that disruption of the phishing-as-a-service platform Tycoon 2FA in early March led to rapid shifts in the phishing ecosystem. Other platforms moved quickly to absorb its market share, while parts of Tycoon 2FA’s code, infrastructure and tactics continued to circulate.
Before the disruption, Tycoon 2FA accounted for more than 9 million phishing attacks per month on average. Mamba 2FA followed with around 8 million, EvilProxy with nearly 3 million, and Sneaky 2FA with nearly 700,000. After the takedown, Mamba 2FA rose to 15 million attacks per month, EvilProxy increased to around 4 million, and Sneaky 2FA grew to nearly 2 million. Tycoon 2FA activity fell by 77%, but still accounted for more than 2 million attacks.
The report says Tycoon 2FA persisted for several reasons. Not all of its infrastructure was dismantled, and cloned or modified versions of its code remain in use. Attackers continue to reuse and repurpose phishing code, with features moving between kits. Some domains, backup hosting and low-volume campaigns also remain active after takedowns. In addition, modern phishing frameworks often include redundancy features that allow them to recover quickly from disruption.
The report also notes that infrastructure disruption does not necessarily end victim compromise. Stolen session cookies may remain valid, OAuth abuse can preserve cloud access, and affected organizations may stay compromised even after a campaign ends.
Overall, the findings suggest that phishing operations tend to evolve and redistribute rather than disappear entirely after enforcement action.

