Activity of the Tycoon2FA phishing-as-a-service platform has returned to normal levels weeks after the platform was taken down in a global law enforcement operation led by Microsoft earlier this month, reports BleepingComputer.
While Tycoon2FA campaign volume dropped to only a quarter of pre-disruption levels between March 4 and March 5, it returned to early 2026 levels in a matter of days, according to CrowdStrike researchers.
Tycoon2FA's tactics, techniques, and procedures have remained mostly unaltered from before the disruption, with the PhaaS platform having since been tapped for illicit email campaigns involving malicious URLs and shortener services, compromised domains, and presentation tools and other legitimate platforms.
Attackers have also continued using Tycoon2FA's old infrastructure alongside newly registered IP addresses and phishing domains, while crafting new inbox rules and concealed fraud email folders, as well as readying business email compromise operations.
Effectively dismantling Tycoon2FA requires arrests or physical seizures that would hinder immediate recovery or replacement of affected infrastructure, researchers added.
Takedown fails to deter Tycoon2FA phishing kit revival




