Join RH-ISAC for a threat briefing about the latest intel on observed incidents and emerging threats relevant to the retail and hospitality community, as well as mitigation or response techniques. This month’s briefing includes insights from Cloudflare.
Bypassing the Gatekeepers: A Deep Dive into Tycoon2FA’s AiTM Tactics
As retail and hospitality organizations strengthen their digital perimeters with Multi-Factor Authentication (MFA), adversaries have pivoted to sophisticated Adversary-in-the-Middle (AitM) techniques to maintain access. Leading this shift is Tycoon2FA, a prolific Phishing-as-a-Service (PaaS) platform that has democratized the ability to bypass modern authentication challenges at scale.
In this brief, Cloudforce One will unpack the technical architecture of Tycoon2FA, detailing how it leverages reverse proxies to intercept session tokens in real time, effectively rendering traditional MFA ineffective. We will examine the operational lifecycle of the kit—from its distribution via Telegram to its stealthy evasion techniques—and discuss why it has become a preferred tool for attackers targeting high-value financial credentials. Finally, we will share a behind-the-scenes look at the Cloudforce One investigation that led to a global disruption of the Tycoon2FA infrastructure.