DNSFilter Research Warns Tycoon 2FA Expanding Phishing-as-a-Service Operation
by DNSFilter Team on Jul 8, 2025 8:00:00 AM
65 root domain indicators of compromise identified in growing campaign
WASHINGTON, D.C. – July 8, 2025 – DNSFilter researchers have discovered that the Tycoon 2FA phishing-as-a-service (PhaaS) platform has significantly expanded its operations, including surging use of Spanish (.es) domains. This expansion marks a strategic evolution in Tycoon 2FA’s infrastructure design, demonstrating enhanced obfuscation techniques and highly targeted subdomain usage patterns. Understanding this shift is critical for defenders aiming to disrupt these operations, as traditional detection methods may fail against such ephemeral and compartmentalized infrastructure.
Tycoon 2FA is a sophisticated PhaaS platform that has been active since August 2023, specializing in adversary-in-the-middle attacks to bypass multi-factor authentication. Tycoon 2FA's infrastructure strategy relies on short-lived, burnable Fully Qualified Domain Names (FQDNs) hosted on longer-lived root domains, creating a two-tier system.
DNSFilter’s researchers analyzed 11,343 unique FQDNs and found:
- Coordinated surge in Spanish domain infrastructure – 13 .es domains were activated simultaneously on April 7, and researchers have seen sustained activity using .es domains through June.
- Enhanced obfuscation techniques – Tycoon 2FA continues to refine its evasion methods, using nested encoding schemes buried deep within encrypted blobs and adopting Base91 encoding alongside traditional Base64.
- Evidence of target-specific subdomain operations – Tycoon 2FA appears to create or select subdomains within a larger domain that are tailored to a particular purpose, audience or target. Supporting this, 99.6% of subdomains received fewer than 10 total DNS queries.
DNSFilter researchers also identified 65 root domain indicators of compromise (IOCs), which will help network defenders implement more effective blocking strategies. The team’s full findings are published in the accompanying research report.
Will Strafach, Head of Security Intelligence & Solutions, DNSFilter, said: “Our research underscores the fact that bad actors continue to evolve their methods and become more sophisticated. Our research into Tycoon 2FA gives enterprise security teams actionable intelligence to enhance threat detection and reduce dwell time by focusing on persistent root domains. To stay safer amid this surge, organizations need to implement wildcard domain blocking for all 65 root domains that DNSFilter found and monitor for subdomain pattern matching.”
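As an added illustration of the two defensive measures named above (example code, not DNSFilter’s own tooling or part of the report), the Python below applies wildcard blocking to a placeholder root-domain list and flags root domains whose subdomains mostly show single-digit query counts, the burnable-FQDN pattern described here. The domain names and DNS log lines are constructed, the real 65 IOCs come only from the DNSFilter report, and the root-domain parser assumes two-label roots (no public-suffix handling).

```python
from collections import defaultdict

# Constructed placeholder IOC list; the real 65 root domains are in the DNSFilter report.
BLOCKED_ROOTS = {"bad-root.es", "other-root.es"}

# Constructed DNS query log, "<timestamp> <client> <qname>" per line:
# four one-shot subdomains under fresh-root.es, one busy benign host, one hit on a listed root.
SAMPLE_LOG = "\n".join(
    [f"2025-04-07T09:00:0{i}Z 10.0.0.5 sess-{i}.fresh-root.es" for i in range(4)]
    + [f"2025-04-07T09:01:00Z 10.0.0.{i} mail.corp.example" for i in range(12)]
    + ["2025-04-07T09:02:00Z 10.0.0.9 login-x7.bad-root.es"]
)


def root_domain(fqdn: str) -> str:
    """Registrable root = last two labels. Assumption: no multi-label public
    suffixes (.co.uk etc.); a production tool would consult the Public Suffix List."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_blocked(fqdn: str, blocked_roots=BLOCKED_ROOTS) -> bool:
    """Wildcard block: deny the root itself and every subdomain beneath it."""
    return root_domain(fqdn) in blocked_roots


def subdomain_stats(log: str) -> dict:
    """Query counts per FQDN, grouped by root domain."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        if line.strip():
            _ts, _client, qname = line.split()
            counts[root_domain(qname)][qname.lower()] += 1
    return counts


def flag_ephemeral_roots(log: str, min_subdomains=3, max_queries=10, min_ratio=0.9) -> dict:
    """Roots where nearly all subdomains are low-volume (the burnable-FQDN pattern).
    Returns root -> (subdomain count, low-volume subdomain count) for analyst review."""
    flagged = {}
    for root, subs in subdomain_stats(log).items():
        low = sum(1 for n in subs.values() if n < max_queries)
        if len(subs) >= min_subdomains and low / len(subs) >= min_ratio:
            flagged[root] = (len(subs), low)
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        qname = line.split()[2]
        if is_blocked(qname):
            print("BLOCK", qname)
    print("ephemeral roots to review:", flag_ephemeral_roots(SAMPLE_LOG))
```

Thresholds are starting points to tune against your own resolver baseline; a legitimate CDN or SaaS tenant can also spawn many low-volume subdomains, so flagged roots are review candidates, not automatic blocks.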
About the company:
DNSFilter is a cybersecurity company that protects every click, leveraging AI-driven content filtering and threat protection to block threats 10 days earlier than competitors. DNSFilter’s solution secures workers anywhere they are, helping to boost productivity, minimize compliance risk, and protect corporate brands on public Wi-Fi networks. Unlike traditional filtering solutions, DNSFilter deploys in minutes instead of days and is trusted by more than 43,000 organizations worldwide. Learn more about how DNSFilter is the first and last line of defense for corporate and hybrid networks at dnsfilter.com.
Media Contact
Shannon Van Every
Force4 Technology Communications