Microsoft 365 Phishing Kit Just Got Harder To Detect by Penka Hristovska

Penka Hristovska

Published on: April 15, 2025
Senior Editor

Tycoon2FA, a phishing-as-a-service (PhaaS) platform known for bypassing two-factor authentication, has received major upgrades that make it even harder to detect and get rid of.

Tycoon2FA works by inserting itself between the victim and the legitimate login page, a tactic known as adversary-in-the-middle (AiTM). When a user enters their credentials on what appears to be a real login page, the platform captures that information in real time and forwards it to the actual service provider, like Microsoft or Google.

This allows the attacker to receive the session cookie generated after successful login, effectively granting them access to the account without needing to bypass the MFA step directly. Since the session is already authenticated, the attacker can hijack the session and act as the user without triggering any additional verification.

Tycoon2FA has seen frequent updates over time, with its operators consistently prioritizing obfuscation and evasion techniques to keep the platform under the radar and resistant to analysis.

The most recent upgrades were documented by cybersecurity researchers at Trustwave, who highlighted three significant improvements to the malicious service.

The most impactful update to Tycoon2FA is its use of invisible Unicode characters to hide binary data within JavaScript, a stealth technique first highlighted by Juniper Threat Labs in February. Because the characters render as nothing, the malicious code stays hidden during static analysis and manual review, yet still functions normally when executed by the browser.
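As an added example (not code from the article or from Trustwave's report), the scanner below flags JavaScript that carries long runs of invisible code points, which is the static artefact this technique leaves behind. The set of code points, the run threshold, and the two-symbol Hangul-filler encoding used in the constructed sample are assumptions for this example, not details taken from the page.

```python
import re

# Code points that render as nothing or as blank filler but survive inside a
# JS string literal.  Assumed set for this example; extend it as new samples
# are analysed.
INVISIBLE = {
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",  # zero-width family
    "\u3164", "\uffa0", "\u115f", "\u1160",            # Hangul fillers
    "\u180e",                                          # Mongolian vowel separator
}
INVISIBLE_RUN = re.compile("[" + "".join(INVISIBLE) + "]{2,}")

def scan_script(source: str, min_run: int = 8) -> list[dict]:
    """Return every run of invisible code points at least min_run long.

    Each hit records offset, run length and the distinct code points used, so
    an analyst can see whether the run looks like a two-symbol (one bit per
    character) encoding rather than stray formatting characters.
    """
    hits = []
    for m in INVISIBLE_RUN.finditer(source):
        run = m.group(0)
        if len(run) < min_run:
            continue
        distinct = set(run)
        hits.append({
            "offset": m.start(),
            "length": len(run),
            "code_points": sorted(f"U+{ord(c):04X}" for c in distinct),
            "binary_like": len(distinct) == 2,      # two symbols -> bits
            "byte_aligned": len(run) % 8 == 0,      # whole bytes of payload
        })
    return hits

def is_suspicious(source: str, min_run: int = 8) -> bool:
    """True when any run looks like a two-symbol binary encoding."""
    return any(h["binary_like"] for h in scan_script(source, min_run))

# Constructed samples (not taken from any real kit): a benign script with one
# stray zero-width space, and one hiding the bits of "hi" as Hangul fillers.
BENIGN_JS = 'const greeting = "hello\u200bworld";'
_BITS = "0110100001101001"  # constructed payload: the bytes of "hi"
HIDDEN_JS = 'var s = "' + "".join(
    "\u3164" if b == "1" else "\uffa0" for b in _BITS
) + '";\n/* decoder that turns s back into code would follow here */'

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_JS), ("hidden", HIDDEN_JS)):
        print(name, is_suspicious(src), scan_script(src))
```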

Another key change is the platform’s move away from using Cloudflare Turnstile as its CAPTCHA system. Instead, it now employs a self-hosted CAPTCHA built with HTML5 canvas, featuring randomized elements. This makes it more difficult for automated tools or researchers to interact with or reverse-engineer the phishing pages.

The third upgrade introduces anti-debugging JavaScript that actively scans for browser automation tools like PhantomJS and Burp Suite. If these tools are detected, the script blocks certain functions tied to security testing, further complicating efforts to analyze the platform’s behavior.

Trustwave points out that these techniques, on their own, aren’t particularly novel within the phishing-as-a-service world. However, when combined, they make Tycoon2FA far more difficult to detect, analyze, and disrupt. The result is a more sophisticated and elusive platform that presents an increasing challenge for security teams.
