In-depth analysis of the Tycoon 2FA Phishing-as-a-Service 🎣

Sekoia.io analysts conducted an in-depth analysis of the emerging Tycoon 2FA Attack-in-The-Middle (AiTM) Phishing-as-a-Service (PhaaS). Tycoon 2FA became widespread in the months following its release and is now used extensively in numerous phishing campaigns. In this FLINT, we present an in-depth analysis of Tycoon 2FA and the recent developments we spotted in the phishing kit. Additionally, this report provides tracking opportunities to actively monitor the infrastructure and mitigate risks associated with Tycoon 2FA. We also share details on our investigation of the Bitcoin transactions allegedly attributed to "Saad Tycoon Group".

Related resources:

* [FLINT 2024-011 - Tycoon 2FA: an in-depth analysis of the latest version and its enhanced stealth capabilities](https://app.sekoia.io/intelligence/objects/report--28516088-8ab7-4ff8-bac7-ede64a75b30d)
* [Tycoon 2FA malware page](https://app.sekoia.io/intelligence/objects/malware--4e33dd1a-7b2e-4bbb-b3bc-6209309963ee)