TL;DR: Tycoon2FA was found active again 20 days after a 330-domain takedown, using S3-hosted lure pages, layered redirects, dual fake CAPTCHA gates, and an unchanged cryptographic fingerprint, according to Abnormal AI. The campaign shows that mature phishing-as-a-service platforms survive infrastructure disruption by preserving identity and obfuscation patterns, not just domains.
At a glance
What this is: This is an analysis of Tycoon2FA’s post-takedown rebuild and the layered anti-analysis chain it used to keep harvesting credentials.
Why it matters: It matters because defenders cannot treat domain seizures as a complete fix when phishing infrastructure is rebuilt quickly and the core abuse pattern remains intact.
By the numbers:
- Tycoon2FA rebuilt within 20 days of a 330-domain seizure, proving takedowns alone cannot stop mature phishing-as-a-service platforms.
- In early 2026, Microsoft blocked an estimated 62% of adversary-in-the-middle phishing attacks from Tycoon2FA.
- 100 milliseconds to detect analysis.
👉 Read Abnormal AI's analysis of the Tycoon2FA rebuild and AiTM tradecraft
Context
Tycoon2FA is a phishing-as-a-service kit that specializes in adversary-in-the-middle credential theft. It matters to identity teams because the target is not just the login page, but the session token and trust chain that follow authentication.
The article shows a campaign that can survive coordinated disruption by rebuilding infrastructure quickly while preserving the same cryptographic and behavioural fingerprints. For IAM and security teams, that means detection and control design must assume that domains, hosting providers, and redirect layers are disposable.
The primary governance problem is not only phishing volume, but the speed and consistency with which mature kits reconstitute their access path. That is a familiar failure mode across identity security, where the control plane sees the lure, but not the reuse pattern behind it.
Key questions
Q: What breaks when phishing-as-a-service platforms are only blocked at the domain level?
A: Domain blocking removes one delivery path, but mature phishing-as-a-service kits rebuild quickly and preserve the same underlying attack logic. Defenders lose visibility if they track only current infrastructure and ignore reusable fingerprints, redirect chains, and payload behaviour. The result is a recurring access problem rather than a one-time incident.
Q: Why does adversary-in-the-middle phishing change the identity risk beyond stolen passwords?
A: Adversary-in-the-middle kits can capture live session tokens as well as passwords, which lets attackers bypass the sign-in moment and reuse authenticated sessions. That changes the problem from stolen credentials to session replay, making access controls, device checks, and token protections more important than password hygiene alone.
Q: How do security teams know if phishing detections are actually keeping pace with rebuilds?
A: Look for detections that still fire when the infrastructure changes. If your control only catches a known domain, it is fragile. If it also catches the same obfuscation constants, redirect behaviour, and browser anti-analysis signals, it is tracking the campaign rather than the hosting layer.
Q: What should teams do when a phishing kit uses anti-analysis to block inspection?
A: Treat anti-analysis as a normal capability of mature phishing operations and test your stack accordingly. Sandboxes, proxy inspection, endpoint controls, and browser-based verification should be evaluated against debugger traps, fake CAPTCHA gates, and automation checks so response teams see the real payload before users do.
Technical breakdown
S3-hosted lures and redirect layering
Tycoon2FA starts with a cloned Microsoft-style portal hosted on AWS S3, then inserts a commercial link-management hop before the user reaches the phishing endpoint. This layering matters because each step separates the visible URL from the final credential-harvesting page, which weakens reputation-based filtering and makes it harder for gateways to correlate the first click with the real destination. The use of a legitimate cloud domain for the lure and a shortened redirect path for the handoff is a classic adversary-in-the-middle pattern, but here it is implemented as a reusable delivery chain rather than a one-off page.
Practical implication: monitor for cloud-hosted lure pages paired with redirect services and treat multi-hop click paths as a phishing indicator, not just the final domain.
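As an added example (not code from Abnormal AI's report or from the kit), the following classifier scores an ordered click path from proxy telemetry the way the paragraph above suggests: S3-hosted first hop, a link-management hop in the middle, and a sign-in-branded final page that does not land on a legitimate login host. The link-management hostnames, the legitimate sign-in host allow-list, and both sample chains are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders: the report does not name the link-management service, so fill
# this set from your own proxy telemetry (URL shorteners, click trackers, and so on).
LINK_MANAGEMENT_HOSTS = {"links.example-tracker.test", "go.example-short.test"}
# Assumption: hosts on which a genuine Microsoft sign-in is expected to terminate.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Brand words whose presence anywhere in the path suggests a sign-in lure.
BRAND_HINTS = ("microsoft", "office", "sharepoint", "powerpages", "login", "signin")

# Bucket-style and static-website S3 hostnames, e.g. name.s3.amazonaws.com,
# name.s3.eu-west-1.amazonaws.com, name.s3-website-eu-west-1.amazonaws.com.
S3_HOST_RE = re.compile(r"(?:^|\.)s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

def classify_hop(url):
    host = (urlparse(url).hostname or "").lower()
    if S3_HOST_RE.search(host):
        return "s3"
    if host in LINK_MANAGEMENT_HOSTS:
        return "link-mgmt"
    if host in LEGIT_LOGIN_HOSTS:
        return "legit-login"
    return "other"

def assess_chain(chain):
    """Evaluate an ordered click path; chain[0] is the URL the user clicked."""
    hops = [classify_hop(u) for u in chain]
    reasons = []
    if hops and hops[0] == "s3":
        reasons.append("lure page served from an S3 bucket")
    if "link-mgmt" in hops[1:]:
        reasons.append("link-management hop between lure and destination")
    if len(chain) >= 3:
        reasons.append("multi-hop click path (%d hops)" % len(chain))
    branded = any(h in u.lower() for u in chain for h in BRAND_HINTS)
    if branded and hops and hops[-1] == "other":
        reasons.append("sign-in branding but final host is not a known sign-in host")
    # Three or more independent reasons is this example's own threshold for escalation.
    return {"hops": hops, "reasons": reasons, "suspicious": len(reasons) >= 3}

# Constructed sample chains: one layered lure path, one ordinary Office sign-in.
LURE_CHAIN = [
    "https://lure-bucket.s3.eu-west-1.amazonaws.com/microsoft-portal/index.html",
    "https://go.example-short.test/abc123",
    "https://verify-account.example-phish.test/login",
]
BENIGN_CHAIN = [
    "https://outlook.office.com/mail/",
    "https://login.microsoftonline.com/common/oauth2/authorize",
]
```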
Obfuscation fingerprints survive infrastructure rebuilds
The campaign’s core payload is not defined by the domains it uses, but by the stable cryptographic logic embedded in the JavaScript. A linear congruential generator with fixed constants, combined with Caesar and XOR transforms, creates a fingerprint that remains recognizable even after the infrastructure is replaced. That is the critical point for defenders: takedowns can remove hosting, but they do not automatically remove the code identity of the kit. When the same constants and decoding flow persist, the operator has preserved the same operational asset across rebuilds.
Practical implication: build detections around reusable obfuscation constants and decoding behaviour, not around the current domain list alone.
Anti-analysis gates delay inspection and preserve operator control
Tycoon2FA adds fake CAPTCHA pages, browser-automation checks, keyboard suppression, debugger traps, and Linux blanking before any credential form appears. This is not simply evasion for its own sake. It is an active counter-analysis layer designed to detect scanners, frustrate investigators, and waste response time while still allowing real victims through. The kill switch adds another control point, letting the operator deactivate the campaign remotely if disruption becomes risky. The result is a phishing system that behaves more like a managed service than a static lure.
Practical implication: test phishing detections against automation traps and browser-gated payloads, and use controlled sandboxing that can survive anti-debugger behaviour.
Threat narrative
Attacker objective: The attacker’s objective is to capture credentials and live session tokens while keeping the campaign resilient to takedowns and analysis.
- Entry begins with a cloned Microsoft Power Pages lure hosted on AWS S3, which gives the campaign the appearance of legitimate cloud infrastructure while hiding the real phishing path behind a trusted-looking domain.
- Credential access is delayed by a link-management layer, fake CAPTCHA gates, and anti-analysis checks, which funnel only real victims into the encrypted credential harvester while blocking scanners and researchers.
- Impact occurs when the AiTM relay proxies the Microsoft login flow in real time, capturing credentials and session tokens that can be replayed against legitimate services.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Domain takedowns do not solve identity abuse when the kit identity is stable: Tycoon2FA’s rebuild shows that the meaningful security object is not the domain, but the repeatable delivery and obfuscation pattern behind it. When a platform can recreate itself in under a month, the defensive problem shifts from removal to recognition. Practitioners should treat persistent kit fingerprints as a first-class detection target.
Phishing-as-a-service has become an identity operations problem, not just an email problem: The campaign uses cloud hosting, redirect infrastructure, anti-analysis logic, and session theft as a coordinated access chain. That means email security, IAM, proxy telemetry, and endpoint inspection all see only part of the picture. The field should stop describing these events as isolated lure campaigns and start treating them as distributed identity compromise workflows.
Identity trust debt accumulates when defenders only measure the current hosting layer: Tycoon2FA keeps the same cryptographic constants while replacing the infrastructure around them. That creates a durable trust gap between what blocklists can see and what the operator can preserve. The practical conclusion is that identity programmes need stable behavioural signatures, not just disposable indicators.
Counter-analysis is now part of the attacker control plane: Fake CAPTCHA gates, DevTools suppression, debugger traps, and platform blanking are not peripheral features. They are the mechanism that keeps the phishing service operational under scrutiny and buys time for credential capture. Security teams should treat anti-analysis as an expected feature of mature phishing infrastructure, not as an unusual embellishment.
Cross-domain identity controls matter more than any single control family: The campaign crosses cloud hosting, web delivery, browser behaviour, and authentication replay. No single team owns that end-to-end chain, which is why governance needs shared visibility across email, IAM, proxy, and endpoint layers. The programme implication is simple: fragmented ownership creates blind spots that phishing-as-a-service operators can repeatedly exploit.
From our research:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- A second finding in the same research shows that DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
- For a broader control lens, the NHI Lifecycle Management Guide shows why lifecycle visibility, rotation, and offboarding matter when access paths are rebuilt faster than review cycles can respond.
What this signals
Kit fingerprinting should become part of phishing governance: When a service can rebuild its infrastructure in days but retain the same obfuscation constants and anti-analysis behaviour, the programme needs durable behavioural detection. That is where identity and security teams should focus their telemetry investment, not on chasing every fresh hostname.
With 70% of organisations granting AI systems more access than they would give a human employee performing the same job, according to the 2026 Infrastructure Identity Survey, the broader lesson is that access sprawl is now a governance problem across both human and machine identities.
This is the same reason the NHI Lifecycle Management Guide matters here: if access, hosting, or tooling can be replaced faster than ownership changes, offboarding and rotation lose practical force. Identity programmes need a lifecycle view that survives rapid infrastructure churn.
For practitioners
- Detect the kit, not only the domain. Create detections for stable obfuscation markers such as the LCG constants 9301, 49297, and 233280, plus the bltpg parameter and repeatable decrypt-then-eval behaviour. Use those signals to hunt across new infrastructure rather than waiting for blocklists to catch up.
- Harden against redirect-layer abuse. Inspect cloud-hosted lure pages, link-management services, and multi-hop click paths as a single chain. Correlate AWS S3 hosting with shortened or managed redirects to find the delivery pattern before credentials are exposed.
- Assume anti-analysis is part of the threat model. Test detections against fake CAPTCHA flows, debugger traps, and browser automation checks in controlled sandboxes. If a sandbox breaks on DevTools suppression or Linux blanking, the campaign is already ahead of your validation workflow.
- Tie sign-in controls to replay resistance. Use conditional access and token protection to reduce the value of captured sessions. AiTM kits are designed to turn one successful login into reusable access, so policies must limit where a captured token can be replayed and under what device context.
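As an added example (not code from Abnormal AI's report or from the kit), the script fingerprinter below implements the first practitioner point and the "obfuscation fingerprints survive rebuilds" section: it looks for the LCG constants 9301, 49297 and 233280, the bltpg parameter, and a decode-then-eval shape in a JavaScript body. The indicator weights, the regexes approximating the Caesar/XOR decode, and both fixtures are this example's own constructions.

```python
import re

# Markers named in the analysis: the LCG constants and the bltpg parameter. The remaining
# patterns approximate a generic "decode characters, then eval" flow; weights are this
# example's own choice, not values from the report.
LCG_CONSTANTS = (9301, 49297, 233280)
INDICATORS = [
    ("bltpg_param", re.compile(r"[?&'\"]bltpg\b|\bbltpg\s*[:=]"), 3),
    ("xor_charcode", re.compile(r"charCodeAt\([^)]*\)\s*\^|\^\s*[\w.]+\.charCodeAt"), 1),
    ("shift_mod", re.compile(r"\)\s*[+-]\s*\d+\s*\)\s*%\s*\d+"), 1),  # Caesar-style shift
    ("string_rebuild", re.compile(r"String\.fromCharCode"), 1),
    ("dynamic_eval", re.compile(r"\beval\s*\(|new\s+Function\s*\("), 2),
]
DECODE_STEPS = {"xor_charcode", "shift_mod", "string_rebuild"}

def has_lcg_constants(js_text):
    return all(re.search(r"\b%d\b" % c, js_text) for c in LCG_CONSTANTS)

def fingerprint_script(js_text):
    """Return matched indicators, a score, and whether the decode-then-eval shape is present."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(js_text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if has_lcg_constants(js_text):
        hits.insert(0, "lcg_constants")
        score += 3
    # Caveat: 9301/49297/233280 is an old, widely copied JS PRNG and appears in benign
    # pages, so require the constants to co-occur with a decode step that feeds eval.
    kit_like = ("lcg_constants" in hits and "dynamic_eval" in hits
                and bool(DECODE_STEPS & set(hits)))
    return {"hits": hits, "score": score, "kit_like": kit_like}

# Constructed fixtures (not code from the kit): one lookalike, one benign dice roller.
SAMPLE_KIT_LIKE = r"""
var s = parseInt(new URL(location).searchParams.get('bltpg'));
function r(){ s = (s * 9301 + 49297) % 233280; return s / 233280; }
var o = ''; for (var i = 0; i < d.length; i++) {
  o += String.fromCharCode(((d.charCodeAt(i) ^ (r() * 256 | 0)) + 3) % 256);
}
eval(o);
"""
SAMPLE_BENIGN = r"""
function rand(){ seed = (seed * 9301 + 49297) % 233280; return seed / 233280; }
document.getElementById('dice').textContent = Math.floor(rand() * 6) + 1;
"""
```

Run the function over scripts fetched by a sandbox or proxy and alert on kit_like rather than on score alone, so the PRNG constants by themselves do not page anyone.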
Key takeaways
- Tycoon2FA shows that takedowns alone do not end a mature phishing service when the operator can rebuild infrastructure quickly and preserve the same attack logic.
- The campaign’s real weakness is its stable fingerprint, which gives defenders a more durable detection target than the current domain set.
- Security teams need controls that survive redirect layering, anti-analysis, and token replay, not just controls that block a known lure site.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers exposed secrets and credential abuse used to drive AiTM access. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control are central to replay-resistant authentication. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification helps limit the value of captured sessions. |
Inventory and protect NHI credentials so stolen or exposed tokens cannot become durable access.
Key terms
- Adversary-in-the-middle phishing: A phishing technique where the attacker sits between the user and the legitimate service in real time. The attacker can intercept credentials, session tokens, and authentication flow details, turning a normal login into a reusable access event rather than a one-time credential theft.
- Phishing-as-a-service: A commoditised criminal service that provides lure pages, hosting, relay logic, and operator tooling for credential theft. In practice, it behaves like a maintained platform with reusable tradecraft, rapid rebuilds, and operational support rather than a single static phishing site.
- Anti-analysis: Defensive logic built into malicious code to detect researchers, sandboxes, and automated inspection tools. It includes browser automation checks, debugger traps, keyboard suppression, and environment-based redirects, all designed to hide the payload long enough for the operator to achieve impact.
- Session token replay: The abuse of a captured authentication token to continue or resume a valid session without re-entering credentials. This matters because the attacker no longer needs the password alone. They need only a token that the service still trusts, often bypassing ordinary sign-in friction.
Deepen your knowledge
NHI governance, secrets management, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by Abnormal AI: LLMjacking: How Attackers Hijack AI Using Compromised NHIs. Read the original.
Published by the NHIMG editorial team on 2026-03-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org