# Tycoon2FA: Why Takedowns Aren't Kill Shots — Analyzing a PhaaS Platform's Post-Disruption Evolution

## Executive Summary
 
On March 4, 2026, a coalition led by Europol and Microsoft — with support from Trend Micro, Cloudflare, eSentire, and law enforcement across six countries — seized 330 domains and dismantled the core infrastructure of **Tycoon2FA**, the Phishing-as-a-Service (PhaaS) platform responsible for an estimated **62% of all adversary-in-the-middle (AiTM) phishing attacks blocked by Microsoft** in early 2026 — over 30 million malicious emails per month.
 
Campaign volume dropped to 25% of normal levels on March 4 and 5. Within days, it returned to baseline.
 
This report analyzes what happened between takedown day and today, why it happened, and what it means for defenders. The short answer: **seizing infrastructure disrupts operations; it does not destroy platforms**. Tycoon2FA's cryptographic fingerprint, codebase, and subscriber network survived intact. The 330 domains were disposable.
 
**Latest development (May 2026):** Tycoon2FA has integrated **OAuth 2.0 Device Code phishing** — abusing Microsoft's legitimate Device Authorization Grant flow to compromise Microsoft 365 accounts without stealing passwords or bypassing MFA in the traditional sense. Victims authenticate on genuine Microsoft infrastructure, unknowingly granting OAuth tokens to attacker-controlled devices.
 
---
 
## Background: What Tycoon2FA Is and Why It Mattered
 
### Platform Overview
 
Tycoon2FA emerged around August 2023 as a full-service PhaaS platform — not a kit that attackers deploy themselves, but a **subscription service** offering infrastructure, campaign management panels, and real-time MFA interception as a service to approximately 2,000 subscribers and thousands of downstream criminals.
 
Microsoft tracks the primary operator as **Storm-1747**. Civil proceedings filed by Microsoft and Health-ISAC name an individual suspect as **Saad Fridi**.
 
**Platform timeline:**
- **2023:** Initial emergence; focus on Microsoft 365 AiTM phishing
- **Mid-2025:** Accounts for 62% of AiTM phishing blocked by Microsoft; exceeds 30M emails/month
- **Late 2025:** Hybridization with Salty 2FA observed
- **Jan–Feb 2026:** Campaign surge with new TLDs and hybrid kits
- **March 4, 2026:** Europol/Microsoft takedown; 330 domains seized across Latvia, Lithuania, Portugal, Poland, Spain, UK
- **Same day:** Operators begin rebuilding (per CrowdStrike)
- **March 24, 2026:** New campaign confirmed active from fresh Russian infrastructure
- **April 2026:** Returns to pre-disruption activity levels
- **May 2026:** Device code phishing capability integrated
Targeted sectors across the platform's operational history: education, healthcare, finance, government, non-profit. The platform's AiTM capability allowed operators and subscribers alike to bypass traditional MFA — not by breaking cryptography, but by sitting in the middle of a legitimate authentication session and stealing session cookies in real time.
 
---
 
## Technical Analysis: The Seven-Stage Post-Takedown Attack Chain
 
Abnormal AI confirmed a new Tycoon2FA campaign active on **April 2, 2026** — 20 days after the takedown — operating from freshly registered Russian infrastructure. The following is a complete technical breakdown of the rebuilt chain.
 
### Stage 1: AWS S3-Hosted Lure Page
 
The attack opens with a cloned Microsoft Power Pages portal hosted on an **AWS S3 bucket**, impersonating a OneDrive file-sharing notification: a procurement lure framed as "RFQ/#PO Enquiry - Microsoft Spreadsheet."
 
The template (`Power Pages v9.7.3.10`) was cloned from a legitimate Azure tenant provisioned in the Saudi Arabia region, carrying authentic Microsoft framework code, telemetry scripts, and styling. A `setTimeout` fires after 3 seconds, redirecting to Stage 2.
 
**Why S3:** S3 bucket URLs carry AWS's domain reputation, bypassing URL reputation checks that would flag a freshly registered domain.
 
### Stage 2: Nulled Link Management Platform
 
The redirect lands on a **66biolinks** instance — a commercial link management platform (AltumCode product) running as a pirated copy on attacker-controlled infrastructure. This layer serves dual purpose: an additional redirect hop that obscures the final destination from email gateway URL scanners, and campaign tracking/analytics for the operator.
 
Infrastructure: LiteSpeed + CyberPanel on IPXO-leased IP (`212.81.47.99`), fronted by Cloudflare.
 
### Stage 3: IP Blocklist Gate
 
Before any phishing content is displayed, JavaScript queries `ipinfo[.]io` to check the visitor's IP organization. Matches against a hardcoded list of **16 cloud and hosting providers** result in redirect to rotating legitimate ecommerce platforms (Volusion, PrestaShop, Ecwid, Square).
 
Evasion technique: provider names are stored **reversed** (e.g., "etatssewa" instead of "awsstate") to defeat static string scanning.
 
### Stage 4: Dual Fake CAPTCHA Gates
 
Visitors that pass the IP filter encounter a "Human Check" gate — two sequential fake CAPTCHAs, one on the link management platform and one on the credential harvesting domain (`criopiochio[.]ru`).
 
Both gates share identical UX but use **polymorphic CSS class names** (Gate 1: `.r0`, `.w2`, `.of4`; Gate 2: `.o0`, `.f7`, `.ru2`). Form IDs, checkbox IDs, and variable names differ between renders — visually identical to a human visitor, entirely distinct to signature-based detection tools.
 
The hidden form uses HTML entity obfuscation: `method="P&#79;S&#84;"` decodes to `POST`. On submission, Gate 1 sends a 301 redirect to `criopiochio[.]ru`; Gate 2 triggers the encrypted payload.
 
### Stage 5: Encrypted Payload — The Stable Cryptographic Fingerprint
 
After the second CAPTCHA, the server returns an obfuscated JavaScript payload encrypted with a **Caesar+XOR cipher seeded by a Linear Congruential Generator (LCG)**. This is Tycoon2FA's most reliable detection signature:
 
```
LCG constants: multiplier=9301, increment=49297, modulus=233280
Payload format: base64_payload : seed_integer : base64_key
```
 
Decryption chain:
1. Generate XOR keystream via PRNG seeded with `seed + decoded_key[0]`
2. Generate Caesar shift values via PRNG seeded with `seed + 99`
3. Reverse Caesar cipher on alphabetic characters using per-position shift values
4. XOR each byte against the corresponding keystream byte
5. Execute via `eval`
**Critical finding:** These LCG constants are **identical across every observed Tycoon2FA deployment** — including confirmed pre-takedown domains (`freasiju[.]ru`, `edistolygrag[.]ru`) and this post-takedown campaign. Infrastructure changes. The cryptographic fingerprint does not. This is the platform's exploitable weakness: a stable detection signal that persists regardless of how many times operators rebuild.
 
**New in post-takedown variants:** `eval` is invoked indirectly via `frames["eval"]` through a `Symbol.toPrimitive` trick. The string `"eval"` is extracted from invalid CSS color-like values (`#e64D00` → 'e', `#v05235` → 'v', `#a0B100` → 'a', `#l2C3D4` → 'l'). The string `atob` is constructed via XOR: `[0x63, 0x66, 0x61, 0x66]` XOR `[0x02, 0x12, 0x0e, 0x04]`.
 
### Stage 6: Active Counter-Analysis Suite
 
The decrypted payload runs an extensive anti-analysis suite before any credential harvesting:
 
| Technique | Mechanism |
|-----------|-----------|
| **Automation detection** | Checks `navigator.webdriver`, `window.callPhantom`, `window._phantom`, `"Burp"` in user agent → redirects to `about:blank` |
| **DevTools blocking** | Suppresses all developer tool keyboard shortcuts (F12, Ctrl+U, Ctrl+Shift+I/C/J/K, Cmd+Alt+I/C); disables right-click |
| **Debugger trap** | `setInterval` fires `debugger` every 100ms; if DevTools is open, the pause is detected via `performance.now()` timing → redirect to ecommerce decoy |
| **Platform blocking** | Blanks the page entirely with `document.write("")` on Linux desktops (excluding Android), specifically targeting analyst workstations |
 
**Domain-level deception:** Every route on the phishing domain returns a **different AI-generated fake website** depending on how it is accessed. URL scanners and reputation services probing the domain see entirely benign content.
 
The shift from 1000ms to **100ms debugger interval** (compared to pre-takedown samples) signals an intentional hardening of the anti-analysis capability in response to the disruption.
 
### Stage 7: Kill Switch and Credential Harvesting
 
Before rendering the credential harvester, the payload sends a `GET` request to a C2 kill switch. Response `"0"` → campaign active; any other response → redirect to a benign site.
 
Kill switch domains: `founiodrai[.]digital` and `ziostohou[.]digital`, hosted on **BunnyCDN** (`84.17.63.178`). This is a direct response to the March 4 takedown which targeted Cloudflare-hosted infrastructure — operators migrated their CDN provider to reduce single-point-of-failure risk for future disruption attempts.
 
When the kill switch confirms active status, JavaScript POSTs to a randomized endpoint with parameters `bltpg` (campaign/page identifier) and `sid` (per-session token). The server responds with `{"status":"success"}` and the page delivers the AiTM credential harvesting relay — a real-time proxy to the legitimate Microsoft login flow, capturing credentials and session tokens as the victim authenticates.
 
---
 
## May 2026 Update: Device Code Phishing — Compromising Accounts Without Stealing Passwords
 
eSentire's Threat Response Unit (TRU) analyzed a late April 2026 Tycoon2FA campaign integrating **OAuth 2.0 Device Authorization Grant flow abuse** — commonly called device code phishing.
 
### How OAuth Device Code Flow Works (and How It's Being Abused)
 
Microsoft's Device Authorization Grant was designed for devices with limited input capability — smart TVs, IoT devices, conference room systems, printers. The flow works by having the device display a user code and directing the user to authenticate at `microsoft.com/devicelogin` from a separate device.
 
Tycoon2FA's abuse of this flow:
 
```
1. Attacker initiates Device Authorization Request to Microsoft
   → Microsoft returns: device_code + user_code + verification_uri
   
2. Lure email sent to victim (Microsoft 365 voicemail notification)
   → Contains user_code + link to microsoft.com/devicelogin
   
3. Victim visits microsoft.com/devicelogin (LEGITIMATE Microsoft domain)
   → Enters user_code; MFA is triggered and completed normally
   
4. Microsoft issues OAuth access token + refresh token
   → Token granted to device_code CONTROLLED BY THE ATTACKER
   
5. Attacker has full Microsoft 365 access for the victim's account
   → No password stolen; MFA completed legitimately
```
 
**Why this is particularly dangerous:** The victim interacts with the real `microsoft.com`. MFA is completed correctly. Nothing in the user's experience indicates compromise. The phish doesn't bypass MFA — it changes what MFA is authorizing.
 
**Delivery mechanism:** Lure emails use **Trustifi click-tracking URLs** — Trustifi is a legitimate email security platform, and its domains carry good sender reputation with most email gateways. From that initial click, victims pass through a four-layer delivery chain carrying the full Tycoon2FA tradecraft before reaching the device code entry page.
 
This technique is not unique to Tycoon2FA in May 2026. **Kali365** (a new PhaaS platform that emerged on Telegram in April 2026) and **EvilTokens** are also adopting device code phishing. This is becoming a standard PhaaS capability, not a single-actor innovation.
 
---
 
## IOC & Infrastructure
 
```
# Kill Switch Domains (post-takedown)
founiodrai[.]digital      → BunnyCDN (84.17.63.178)
ziostohou[.]digital       → BunnyCDN (84.17.63.178)
 
# Credential Harvesting Domain
criopiochio[.]ru
 
# Pre-takedown domains (cryptographic fingerprint reference)
freasiju[.]ru
edistolygrag[.]ru
 
# Link Management Layer
212.81.47.99              → IPXO-leased, LiteSpeed/CyberPanel, Cloudflare-fronted
 
# Tycoon2FA Kit Parameters (stable across all campaigns)
bltpg                     → Campaign/page identifier (POST parameter)
sid                       → Per-session token
 
# LCG Cryptographic Fingerprint (unchanged across all deployments)
multiplier: 9301
increment: 49297
modulus: 233280
 
# Trustifi click-tracking (legitimate platform abused for delivery)
Prefix: track.trustifi.com (legitimate domain; flag when redirecting to phishing chain)
```
 
---
 
## MITRE ATT&CK Mapping
 
| Phase | Technique ID | Technique Name | Details |
|-------|-------------|----------------|---------|
| Initial Access | T1566.002 | Phishing: Spearphishing Link | Lure email with Trustifi tracking URL |
| Credential Access | T1557 | Adversary-in-the-Middle | AiTM relay — capture credentials + session cookies in real time |
| Credential Access | T1528 | Steal Application Access Token | OAuth device code flow abuse — steal access + refresh tokens |
| Defense Evasion | T1027 | Obfuscated Files or Information | Caesar+XOR+LCG encryption, polymorphic CSS, reversed strings |
| Defense Evasion | T1036 | Masquerading | Clone Microsoft Power Pages, OneDrive notification impersonation |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion | navigator.webdriver check, 100ms debugger trap, Linux platform block |
| Defense Evasion | T1583.008 | Acquire Infrastructure | AWS S3 lure page, BunnyCDN kill switch to avoid single-provider takedown risk |
| Collection | T1539 | Steal Web Session Cookie | Session cookie capture via AiTM relay |
| Persistence | T1078 | Valid Accounts | Stolen credentials/tokens for persistent access |
 
---
 
## Detection Rules
 
### KQL (Microsoft Sentinel) — Device Code Phishing
 
```kql
// Detect OAuth Device Code sign-ins from unusual context
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| where ResultType == 0  // Successful sign-in
| where NetworkLocationDetails == "[]"  // No trusted network location
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
    AppDisplayName, AuthenticationProtocol, DeviceDetail, UserAgent
 
// Hunt Tycoon2FA kill switch domain lookups
DnsEvents
| where Name in ("founiodrai.digital", "ziostohou.digital", "criopiochio.ru")
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
 
// Detect POST with Tycoon2FA bltpg kit parameter
CommonSecurityLog
| where RequestURL contains "bltpg="
| where RequestMethod == "POST"
| project TimeGenerated, SourceIP, DestinationHostname, RequestURL
 
// Correlate Device Code sign-in with prior inbound email (phishing sequence)
let DeviceCodeEvents = SigninLogs
    | where AuthenticationProtocol == "deviceCode" and ResultType == 0
    | project UserId, UserPrincipalName, SignInTime = TimeGenerated;
EmailEvents
| where EmailDirection == "Inbound"
| join kind=inner DeviceCodeEvents on $left.RecipientObjectId == $right.UserId
| where SignInTime between (TimeGenerated .. datetime_add('hour', 2, TimeGenerated))
| project EmailTime = TimeGenerated, SignInTime, UserPrincipalName, 
    SenderAddress, Subject, UrlCount
```
 
### KQL — AiTM Session Token Replay Detection
 
```kql
// Detect session token used from a different IP than initial authentication
let InitialAuth = SigninLogs
    | where ResultType == 0
    | project UserId, CorrelationId, InitialIP = IPAddress, InitialTime = TimeGenerated;
SigninLogs
| where ResultType == 0
| join kind=inner InitialAuth on UserId, CorrelationId
| where IPAddress != InitialIP
| where TimeGenerated > InitialTime
| project TimeGenerated, UserPrincipalName,
    OriginalIP = InitialIP, ReplayIP = IPAddress,
    MinutesDelta = datetime_diff('minute', TimeGenerated, InitialTime)
| where MinutesDelta < 60
```
 
### Sigma Rule — Tycoon2FA LCG Fingerprint
 
```yaml
title: Tycoon2FA LCG Cryptographic Constants in Web Traffic
id: t2fa-001-lcg-constants
status: experimental
description: >
  Detects Tycoon2FA's stable LCG constants (9301/49297/233280) in proxy traffic.
  These constants have remained unchanged across all observed deployments,
  including pre- and post-March 2026 takedown variants.
author: SOC Team
date: 2026/05/26
references:
  - https://abnormal.ai/blog/tycoon2fa-post-takedown-rebuild
logsource:
  category: proxy
detection:
  selection_param:
    c-uri-query|contains: 'bltpg'
  condition: selection_param
falsepositives:
  - None expected (bltpg is Tycoon2FA-specific)
level: high
tags:
  - attack.credential_access
  - attack.t1557
  - attack.t1528
  - attack.defense_evasion
  - attack.t1027
```
 
---
 
## Expert Assessment
 
**On the failure mode of infrastructure-only takedowns:**
 
The March 2026 operation was large in scale — 330 domains across six jurisdictions, coordinated by Europol under the CIEP framework. The result was a 75% reduction in campaign volume for exactly two days. This is not a criticism of the operation; it is a description of how mature PhaaS platforms are architected.
 
Tycoon2FA's operational value does not live in its domains. It lives in its **LCG constants, its seven-stage delivery chain, its subscriber base, and the operational knowledge of its 2,000 customers**. The March 4 operation successfully disrupted Cloudflare-hosted infrastructure. Operators responded by migrating kill switch infrastructure to BunnyCDN and registered fresh domains. Total adaptation time: less than three weeks to full operational recovery.
 
**On device code phishing as a category shift:**
 
AiTM phishing in its traditional form requires the victim to interact with a convincing fake login page. Defenders can train users to check URLs, deploy anti-phishing browser extensions, or use FIDO2/passkey authentication to make credential theft irrelevant.
 
Device code phishing eliminates the fake page entirely. The victim visits `microsoft.com`. They enter a real code. MFA fires and completes. Nothing in their experience signals compromise. The attack vector is now **socially engineered OAuth consent**, not credential theft. This requires a fundamentally different defensive response.
 
The fact that Kali365 and EvilTokens — both emerging in 2026 — have also adopted device code phishing confirms this is a category-level shift in PhaaS capability, not a Tycoon2FA-specific innovation.
 
**On the stable cryptographic fingerprint:**
 
The LCG constants (9301 / 49297 / 233280) represent Tycoon2FA's single greatest operational weakness. Across every known variant, every infrastructure generation, every post-takedown rebuild — these constants remain unchanged. As long as operators maintain backward compatibility in their kit, defenders have a reliable cross-infrastructure detection signal. The `bltpg` POST parameter serves the same function: a stable artifact that persists through infrastructure rotations.
 
Defenders should anchor detection on these stable signals, not on IOCs (domains, IPs) that change with every rebuild cycle.
 
---
 
## Recommendations
 
### Immediate (0–24h)
 
- **Restrict OAuth Device Code flow** in Conditional Access if there's no legitimate business need:
  ```
  Azure AD → Conditional Access → New Policy
  Users: All users | Cloud apps: All cloud apps
  Conditions: Authentication flows → Device code flow → Yes
  Grant: Block
  ```
- **Block known IOCs** — domains `founiodrai[.]digital`, `ziostohou[.]digital`, `criopiochio[.]ru` at DNS/proxy/firewall layer.
- **Hunt `bltpg=` in proxy/WAF logs** — POST requests containing this parameter are Tycoon2FA-specific. No legitimate application uses this parameter.
### Short-term (1–7 days)
 
- **Deploy the KQL detection rules** for device code phishing, AiTM session replay, and the kill switch domain hunt into Sentinel.
- **Enable Token Protection (Token Binding)** for Microsoft 365 — prevents captured tokens from being replayed from a different device or location.
- **Audit Sign-in Logs** for `authenticationProtocol == "deviceCode"` over the past 30 days — investigate any device code authentication that followed an inbound email from an unknown sender.
- **User awareness update:** Specifically train users on device code phishing lures — the voicemail notification template, the instruction to visit `microsoft.com/devicelogin`, and why they should verify what they're authorizing before entering any device code.
### Long-term
 
- **Zero Trust authentication posture:** Move toward treating every authentication flow — including Microsoft's "legitimate" ones — as requiring context validation. Device code authentication from an unmanaged device in an unusual location should require step-up verification.
- **Build stable-signal detection, not IOC-chasing:** Anchor SIEM rules on the LCG constants and `bltpg` parameter, not on domain or IP-based IOCs that rotate with each infrastructure rebuild.
- **Periodic threat hunt hypothesis:** "Did any user perform a device code authentication within two hours of clicking an external email link?" Run this hunt monthly.
---
 
## References
 
1. [Abnormal AI — Tycoon2FA Rebounds Post-Takedown with 6 Layers of Obfuscation](https://abnormal.ai/blog/tycoon2fa-post-takedown-rebuild)
2. [BleepingComputer — Europol-coordinated action disrupts Tycoon2FA phishing platform](https://www.bleepingcomputer.com/news/security/europol-coordinated-action-disrupts-tycoon2fa-phishing-platform/)
3. [BleepingComputer — Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing](https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/)
4. [BleepingComputer — Tycoon2FA phishing platform returns after recent police disruption](https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-platform-returns-after-recent-police-disruption/)
5. [eSentire TRU — Tycoon 2FA Operators Adopt OAuth Device Code Phishing](https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing)
6. [Microsoft On the Issues — How a global coalition disrupted Tycoon 2FA](https://blogs.microsoft.com/on-the-issues/2026/03/04/how-a-global-coalition-disrupted-tycoon/)

