PhishPond: Phishing Tradecraft Intelligence

Attack · Detection · Validation



GitHub Radar · Blue team tool

NoMorePhish/Tycoon2FADomains

Repository with Domains Related to Tycoon2FA Phishing Infrastructure.

18 stars · 3 forks · pushed Jun 5, 2026


README Preview

Fetched from GitHub

Tycoon2FA Malicious Domains Tracker

A curated list of malicious domains and subdomains used in the Tycoon 2FA Phishing Campaign. This repository aims to support the security community by providing a centralized location for tracking and analyzing domains used in these attacks.

🚨 About Tycoon 2FA

Tycoon 2FA is a sophisticated phishing-as-a-service (PhaaS) platform known for targeting enterprise users and bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AitM) techniques. Attackers behind Tycoon 2FA deploy phishing pages that mimic legitimate login portals (e.g., Microsoft 365, Google Workspace) and use proxy-based interception to capture credentials and session tokens.

📂 TLDs

  • .com.de
  • .za.com
  • .it.com
  • .es
  • .ru
  • .info
  • .com
  • .sa.com
  • .co.za
  • .live
  • .ru.com
  • .email
  • .co.im
  • .solutions
  • .in
  • .cloud
  • .company
  • .web.id
  • .ceo
  • .biz.pl
  • .work
  • .works
  • .com.co
  • .us
  • .biz.id
  • .enterprises
  • .dev
  • .pro
  • .one
  • .sarl
  • .insecure
  • .ink
  • .autos
  • .insure
  • .vision
  • .business
  • .builders
  • .ltd
  • .contractors

🆕 Tycoon 2FA Infrastructure Updates

📅 April 2025
  • 🔐 Introduced Base64 encoding to obfuscate the full path of phishing URLs.
📅 May 2025
  • 🛡️ Integrated AES encryption within the codebase.
  • 🌐 All subdomains now redirect victims to the phishing page.
📅 June 2025
  • 🧠 Enhanced logic: only subdomains with a length greater than 2 trigger redirection.

🔗 Twitter Post

  • 🔄 Switched from AES to RC4 encryption to improve evasion.

🔗 Twitter Post

  • 🔁 Switched from RC4 back to AES encryption.

🔗 Twitter Post

📅 April 2026
  • 🔁 Switched from Cloudflare to ColoCrossing.
  • 🧠 Phishing page placed directly on the primary domain.

🔗 Twitter Post
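
The May 2025 and April 2026 updates above mean an exact-hostname blocklist misses traffic, because any subdomain and the primary domain itself can serve the phishing page. The sketch below is an added example, not code from the repository or from PhishPond: it matches proxy-log hosts against tracked domains on whole DNS labels. The log format, the `TRACKED` entries (reserved `.example` names) and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed placeholder entries standing in for the tracker's domain list
# (reserved .example names; not taken from the repository).
TRACKED = {"portal-auth.example", "docs-signin.co.example"}

# Constructed proxy-log lines: "<timestamp> <user> <url>" (hypothetical format).
SAMPLE_LOG = """\
2026-04-02T09:14:07Z alice https://portal-auth.example/
2026-04-02T09:14:09Z bob https://x9.portal-auth.example/bG9naW4=
2026-04-02T09:15:30Z carol https://mail.docs-signin.co.example:443/a
2026-04-02T09:16:02Z dave https://notportal-auth.example/login
2026-04-02T09:16:40Z erin https://PORTAL-AUTH.EXAMPLE./x
"""

def match_tracked(host, tracked=TRACKED):
    """Return (tracked_domain, subdomain_part) if host is a tracked domain or
    any subdomain of one, else None. Comparison is on whole DNS labels, so
    'notportal-auth.example' does not match 'portal-auth.example'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in tracked:
            return candidate, ".".join(labels[:i])
    return None

def scan(log_text, tracked=TRACKED):
    """Return one dict per log line whose URL host falls under a tracked domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of guessing at fields
        ts, user, url = parts
        host = urlsplit(url).hostname  # drops port/userinfo and lowercases
        if not host:
            continue
        match = match_tracked(host, tracked)
        if match:
            domain, sub = match
            hits.append({"ts": ts, "user": user, "host": host.rstrip("."),
                         "domain": domain, "subdomain": sub, "apex": sub == ""})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `apex` flag separates hits on the primary domain from hits on a subdomain, which helps when correlating against the hosting change noted for April 2026.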