Tycoon2FA’s rebuild shows why takedowns alone do not end AiTM

TL;DR: Tycoon2FA was found active again 20 days after a 330-domain takedown, using S3-hosted lure pages, layered redirects, dual fake CAPTCHA gates, and an unchanged cryptographic fingerprint, according to Abnormal AI. The campaign shows that mature phishing-as-a-service platforms survive infrastructure disruption by preserving identity and obfuscation patterns, not just domains.

NHIMG editorial — based on content published by Abnormal AI: LLMjacking: How Attackers Hijack AI Using Compromised NHIs

By the numbers:

• Tycoon2FA rebuilt within 20 days of a 330-domain seizure, proving takedowns alone cannot stop mature phishing-as-a-service platforms.
• The payload traps DevTools every 100 milliseconds to detect analysis.

Questions worth separating out

Q: What breaks when phishing-as-a-service platforms are only blocked at the domain level?

A: Domain blocking removes one delivery path, but mature phishing-as-a-service kits rebuild quickly and preserve the same underlying attack logic.

Q: Why do adversary-in-the-middle phishing kits increase identity risk beyond ordinary credential theft?

A: Adversary-in-the-middle kits can capture live session tokens as well as passwords, which lets attackers bypass the sign-in moment and reuse authenticated sessions.

Q: How do security teams know if phishing detections are actually keeping pace with rebuilds?

A: Look for detections that still fire when the infrastructure changes.

Practitioner guidance

• Detect the kit, not only the domain. Create detections for stable obfuscation markers such as the LCG constants 9301, 49297, and 233280, plus the bltpg parameter and repeatable decrypt-then-eval behaviour.
• Harden against redirect-layer abuse. Inspect cloud-hosted lure pages, link-management services, and multi-hop click paths as a single chain.
• Assume anti-analysis is part of the threat model. Test detections against fake CAPTCHA flows, debugger traps, and browser automation checks in controlled sandboxes.

What's in the full article

Abnormal AI's full report covers the operational detail this post intentionally leaves for the source:

• The full attack-chain breakdown across all seven stages, including the exact lure and redirect sequence.
• The indicator set for hunters, including domain, IP, and parameter-level clues tied to this campaign.
• The anti-analysis behaviour in more depth, including browser checks, debugger timing, and Linux blanking.
• The mitigation guidance that maps the campaign to practical detection and response steps.

👉 Read Abnormal AI's analysis of the Tycoon2FA rebuild and AiTM tradecraft →

Tycoon2FA’s rebuild shows why takedowns alone do not end AiTM?

Explore further

View Full Forum →  |  NHI Foundation Course →