
Mytheresa - 84,108 breached accounts

In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the group publicly released the data which contained 84k unique email addresses. The exposed data also included names, phone numbers, physical addresses, purchases and partial credit card data including card type, last 4 digits and expiry date.
NerdsToGo
6 hours ago

Charter Communications confirms data breach — ShinyHunters blamed after threat to leak user info online


NerdsToGo
7 hours ago

Tycoon 2FA AiTM Kit Targets Entra ID and Google Workspace In MFA Bypass Campaigns


The notorious Tycoon 2FA Phishing-as-a-Service (PhaaS) platform is back, proving that even a global law enforcement takedown cannot keep cybercriminals offline for long.

Originally attributed to the threat actor Storm-1747, this adversary-in-the-middle (AiTM) kit specializes in bypassing multi-factor authentication (MFA) for Microsoft 365 and Google Workspace accounts.

Despite a massive coordinated disruption by Microsoft and Europol in March 2026, operators adapted within weeks.

By late April 2026, security researchers at eSentire observed new campaigns combining classic Tycoon tradecraft with OAuth device-code phishing, making it a persistent, top-tier threat.

Tycoon 2FA Bypasses MFA

Tycoon 2FA does not just harvest static credentials; it acts as a real-time reverse proxy between the victim and legitimate identity providers.

When a victim clicks a malicious link, they are routed through a chain of redirects to a login page that is visually identical to the real one. Because the kit is a reverse proxy, what the victim sees is largely the genuine identity provider's page relayed through attacker-controlled infrastructure, which is why it matches the original so closely.

Example of initial evasion checks (DevTools, right-click, browser check) (Source: elastic)

The kit relays the real MFA challenge to the victim, who completes it as usual. The identity provider then issues a session cookie that passes back through the proxy, where it is captured. The second factor is not defeated; the victim has already satisfied it. Replaying the captured cookie, or the tokens minted from it, gives the attacker access to the cloud environment without a fresh MFA prompt until the session is revoked.

WebSocket AiTM flow: The classic flow proxies traffic over WebSockets, capturing post-MFA session cookies in real time while maintaining a bidirectional channel to the command server.

Example of a Tycoon custom CAPTCHA page (Source: elastic)

Device-code-grant abuse: Specific to Microsoft identity. The kit starts an OAuth 2.0 device authorization flow against Microsoft's endpoints, obtaining a device code and a short user code, then uses a lure to get the victim to enter that user code on the legitimate Microsoft device-login page. The victim authenticates (MFA included) on a genuine Microsoft page, so no credential ever transits the phishing site; once the victim approves, Microsoft's token endpoint hands the access and refresh tokens to the attacker's polling client.

Layered anti-analysis: The kit blocks requests from cloud-provider IP ranges (where sandboxes and scanners live), fingerprints automation frameworks such as Selenium, disables the right-click context menu and DevTools shortcuts, and removes its own markup from the Document Object Model (DOM) after it has run, so a page snapshot taken afterwards shows nothing of interest.

Infrastructure abuse: For Google Workspace targets, initial phishing lures are frequently staged on legitimate Google Cloud storage to abuse built-in reputation trust before routing to the proxy.

Abuse of Google Storage to host a phishing page (Source: elastic)

According to Elastic's research, the operational footprint of Tycoon 2FA looks completely different depending on the target.

In Microsoft environments, the kit uses a two-tier architecture comprising an automated relay for token acquisition and a human-operated console for post-compromise reconnaissance.

Attackers establish deep persistence by registering a rogue device in Entra ID and generating a Primary Refresh Token (PRT) that survives standard session revocation. Because the PRT is bound to that device object rather than to a browser session, incident response has to disable or delete the rogue device in Entra ID in addition to revoking sessions and resetting credentials.

In contrast, Google Workspace attacks use a lighter, single-tier relay focused on rapidly authorizing malicious Google Chrome OAuth clients.

Technique | ID | Observable activity
Steal Web Session Cookie | T1539 | AiTM proxy captures post-MFA session tokens in real time
Device Registration | T1098.005 | Kit registers a rogue device for PRT persistence in Entra ID
Cloud Service Discovery | T1526 | Enumerating organization metadata, roles, and app inventory
Application Access Token | T1550.001 | Token exchange across authentication broker applications
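A triage script for the Microsoft-side behaviours in the table above, as an added example that is not part of the article or of Elastic's or eSentire's research. It runs over constructed Entra ID sign-in and audit records whose field names follow the Microsoft Graph signIn and directoryAudit resources in simplified form (the assumption is that your log pipeline exposes them under these names); the users, IP addresses, ASNs and device name are made up, and the device-code rule uses a local label rather than an ATT&CK ID. The replay rule keys on Entra's "Previously satisfied" authentication detail: ordinary SSO reuse stays on the user's own network, while a stolen post-MFA cookie shows up from somewhere else within minutes.

```python
"""Triage of constructed Entra ID sign-in/audit records for Tycoon 2FA
behaviour: session-cookie replay (T1539), device-code grants, and rogue
device registration (T1098.005). Field names follow Microsoft Graph
signIn / directoryAudit resources in simplified form (assumption)."""
from datetime import datetime, timedelta

PREV = "Previously satisfied"  # Entra's label when MFA was met by an existing session

# Constructed sample: RFC 5737 test addresses and documentation ASNs only.
SIGNINS = [
    # alice completes interactive MFA through the proxy from her own network...
    {"createdDateTime": "2026-04-28T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "autonomousSystemNumber": 64500,
     "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication",
     "authenticationDetails": [{"authenticationMethod": "Password"},
                               {"authenticationMethod": "Mobile app notification"}]},
    # ...and 12 minutes later her session cookie is replayed from a hosting ASN
    {"createdDateTime": "2026-04-28T09:12:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "autonomousSystemNumber": 64496,
     "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication",
     "authenticationDetails": [{"authenticationMethod": PREV}]},
    # bob approved a device code: tokens were minted for the attacker's client
    {"createdDateTime": "2026-04-28T10:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.78", "autonomousSystemNumber": 64496,
     "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication",
     "authenticationDetails": [{"authenticationMethod": PREV}]},
    # carol: benign SSO reuse from the same corporate ASN, must not be flagged
    {"createdDateTime": "2026-04-28T09:30:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.20", "autonomousSystemNumber": 64500,
     "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication",
     "authenticationDetails": [{"authenticationMethod": "Password"},
                               {"authenticationMethod": "FIDO2 security key"}]},
    {"createdDateTime": "2026-04-28T09:45:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.21", "autonomousSystemNumber": 64500,
     "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication",
     "authenticationDetails": [{"authenticationMethod": PREV}]},
]

AUDITS = [
    {"activityDateTime": "2026-04-28T09:20:00Z", "category": "Device",
     "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77"}},
     "targetResources": [{"displayName": "DESKTOP-7Q2K1"}]},
    {"activityDateTime": "2026-04-28T11:00:00Z", "category": "Device",
     "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.30"}},
     "targetResources": [{"displayName": "LAPTOP-DAVE"}]},
]


def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def interactive_mfa(rec):
    """MFA was required and actually performed in this sign-in (no session reuse)."""
    return (rec["authenticationRequirement"] == "multiFactorAuthentication"
            and all(d["authenticationMethod"] != PREV for d in rec["authenticationDetails"]))


def session_reused(rec):
    return any(d["authenticationMethod"] == PREV for d in rec["authenticationDetails"])


def find_session_replay(signins, window=timedelta(hours=1)):
    """T1539: MFA 'previously satisfied' from a different ASN than the user's
    last interactive MFA sign-in, within `window`."""
    last_interactive, findings = {}, []
    for rec in sorted(signins, key=lambda r: ts(r["createdDateTime"])):
        user = rec["userPrincipalName"]
        if interactive_mfa(rec):
            last_interactive[user] = rec
        elif session_reused(rec) and user in last_interactive:
            prev = last_interactive[user]
            recent = ts(rec["createdDateTime"]) - ts(prev["createdDateTime"]) <= window
            if recent and rec["autonomousSystemNumber"] != prev["autonomousSystemNumber"]:
                findings.append({"technique": "T1539", "user": user, "ip": rec["ipAddress"],
                                 "reason": f"MFA reused from AS{rec['autonomousSystemNumber']} after "
                                           f"interactive MFA from AS{prev['autonomousSystemNumber']}"})
    return findings


def find_device_code(signins):
    """Device-code grants are rare for interactive users; review every one."""
    return [{"technique": "device-code", "user": r["userPrincipalName"], "ip": r["ipAddress"],
             "reason": "authenticationProtocol=deviceCode"}
            for r in signins if r["authenticationProtocol"] == "deviceCode"]


def find_rogue_device(audits, replay_findings):
    """T1098.005: a device registered from an IP already tied to a replayed session.
    This is the object to disable or delete; revoking sessions alone leaves its PRT."""
    bad_ips = {f["ip"] for f in replay_findings}
    out = []
    for ev in audits:
        who = ev["initiatedBy"]["user"]
        if (ev["category"] == "Device" and ev["activityDisplayName"] == "Register device"
                and who["ipAddress"] in bad_ips):
            out.append({"technique": "T1098.005", "user": who["userPrincipalName"], "ip": who["ipAddress"],
                        "device": ev["targetResources"][0]["displayName"],
                        "reason": "device registered from replay source IP"})
    return out


def triage(signins=SIGNINS, audits=AUDITS):
    replay = find_session_replay(signins)
    return replay + find_device_code(signins) + find_rogue_device(audits, replay)


if __name__ == "__main__":
    for f in triage():
        print(f["technique"], f["user"], f["ip"], f["reason"])
```

The ASN comparison is deliberately coarse: comparing raw IPs would flag every corporate user who roams between addresses on the same network, while an AiTM relay almost always sits in a hosting provider's address space. Tune the window to your tenant's token lifetimes and add the Google Workspace equivalents (OAuth client authorisation events) if the same pipeline covers both.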


The post Tycoon 2FA AiTM Kit Targets Entra ID and Google Workspace In MFA Bypass Campaigns appeared first on Cyber Security News.



NerdsToGo
11 hours ago

300+ Fake Domains Used in GHOST STADIUM Campaign Targeting World Cup Fans


The 2026 FIFA World Cup is poised to be the largest sporting event in history, but cybercriminals are already rushing the field. With millions of fans desperate for tickets across North America, a sprawling ecosystem of fraud has emerged.

Threat intelligence researchers at Group-IB have identified more than 4,300 fraudulent domains impersonating FIFA’s official web presence.

At the heart of this massive operation is a financially motivated, Chinese-speaking threat actor dubbed “GHOST STADIUM.”

Operating a highly sophisticated phishing campaign, this group is targeting fans globally with potential financial losses reaching hundreds of millions of dollars.

GHOST STADIUM Targets Fans

GHOST STADIUM does not rely on crude, obvious scams. Instead, the group has engineered a meticulously crafted phishing kit to steal credentials, personal information, and money.

This custom web application is a pixel-perfect clone of the official FIFA website, featuring authentic imagery pulled directly from FIFA’s Content Delivery Network and multi-language support across 11 languages.

The technical execution is well above the usual scam-site standard. The kit mimics FIFA's official single sign-on (SSO) flow, which is provided by Ping Identity, and reuses FIFA's legitimate client IDs so that the fake flow's parameters match those of the real one.

Chinese-language comments in the source code, a key attribution evidence linking the GHOST STADIUM phishing kit to a Chinese-speaking developer (Source: group-ib)

When fans attempt to log in or buy tickets, the system captures their usernames, passwords, and sensitive contact details. The phishing kit even authorizes password resets, allowing attackers to lock users out and steal their existing legitimate tickets.

Researchers estimate that premium ticket fraud alone could cost victims between $71 million and $474 million, with total campaign losses potentially reaching into the billions as the tournament approaches.

Group-IB Graph shows connected SSL certificates across the GHOST STADIUM campaign domains (Source: group-ib)

GHOST STADIUM is not the only threat on the pitch. The investigation uncovered three additional threat actor groups and a thriving dark-web supply chain selling “Phishing-as-a-Service” (PhaaS) kits.

GHOST STADIUM victim journey (Source: group-ib)

Together, these actors are running multiple parallel fraud schemes designed to exploit every type of football fan.

Notably, over 2,500 valid FIFA credential pairs are already circulating on dark web markets due to widespread infostealer malware infections, Group-IB said.

Fraud scheme | Primary objective | Victim impact
Fake ticket sales | Steal high-value crypto and card payments | Heavy financial loss; stolen identity data
Credential phishing | Capture Ping Identity SSO login details | Account takeover; stolen legitimate tickets
Counterfeit merch | Harvest credit card numbers and addresses | Undelivered goods; data sold on carding forums

Defeating a campaign of this scale requires moving away from siloed security responses. Taking down a single domain does little when thousands more are parked and waiting.

A unified defense model, such as Cyber Fraud Fusion, is essential. This strategy combines continuous digital risk protection, threat intelligence sharing, and rapid fund interception.

By tracking shared infrastructure such as overlapping TLS certificates, Meta Pixel IDs and cryptocurrency wallet addresses, security teams can disrupt the entire campaign at once rather than one domain at a time, protecting fans before the opening whistle blows.
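The pivot described above, clustering lookalike domains by the indicators they share, as an added example that is not part of the article or of Group-IB's tooling. The domain records are constructed (reserved .example names, made-up certificate fingerprints, pixel IDs and wallet addresses); the assumption is that a certificate-transparency, passive-DNS or page-scrape pipeline supplies these three fields per domain. The `max_fanout` cut-off is the caveat a practitioner needs: a certificate shared by a CDN, or a pixel used by a large legitimate site, would otherwise glue unrelated clusters together.

```python
"""Cluster phishing domains by shared infrastructure (TLS certificate,
Meta Pixel ID, payment wallet) using union-find over an indicator graph.
All records below are constructed for this example."""
from collections import defaultdict

PIVOT_KEYS = ("cert_sha256", "meta_pixel", "btc_wallet")

# Constructed sample. Values are placeholders, not real fingerprints or wallets.
DOMAINS = [
    {"domain": "fifa-tickets-2026.example", "cert_sha256": "aa11", "meta_pixel": "100000000000001",
     "btc_wallet": "bc1qexample0001"},
    {"domain": "worldcup26-official.example", "cert_sha256": "aa11", "meta_pixel": None, "btc_wallet": None},
    {"domain": "tickets-worldcup.example", "cert_sha256": "bb22", "meta_pixel": "100000000000001",
     "btc_wallet": None},
    {"domain": "fifa-store-shop.example", "cert_sha256": "cc33", "meta_pixel": "100000000000002",
     "btc_wallet": "bc1qexample0002"},
    {"domain": "fifashop-merch.example", "cert_sha256": "dd44", "meta_pixel": None,
     "btc_wallet": "bc1qexample0002"},
    {"domain": "unrelated-fanpage.example", "cert_sha256": "ee55", "meta_pixel": "100000000000003",
     "btc_wallet": None},
]


class UnionFind:
    """Disjoint sets over record indices, with path halving."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def indicator_index(records, keys=PIVOT_KEYS):
    """(key, value) -> set of domains carrying that indicator."""
    idx = defaultdict(set)
    for rec in records:
        for k in keys:
            if rec.get(k):
                idx[(k, rec[k])].add(rec["domain"])
    return idx


def shared_indicators(records, keys=PIVOT_KEYS, max_fanout=50):
    """Indicators seen on more than one domain: the pivots worth feeding to
    blocking and takedown. Values on more than `max_fanout` domains are
    dropped as hubs (shared CDN certificates, widely used pixels)."""
    return {kv: sorted(ds) for kv, ds in indicator_index(records, keys).items()
            if 1 < len(ds) <= max_fanout}


def cluster_domains(records, keys=PIVOT_KEYS, max_fanout=50):
    """Connected components of the domain graph where an edge is a shared
    indicator. Largest cluster first, domains sorted inside each cluster."""
    pos = {rec["domain"]: i for i, rec in enumerate(records)}
    uf = UnionFind(len(records))
    for domains in shared_indicators(records, keys, max_fanout).values():
        first = pos[domains[0]]
        for d in domains[1:]:
            uf.union(first, pos[d])
    groups = defaultdict(list)
    for rec in records:
        groups[uf.find(pos[rec["domain"]])].append(rec["domain"])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for (key, value), domains in shared_indicators(DOMAINS).items():
        print(f"{key}={value}: {', '.join(domains)}")
    for n, cluster in enumerate(cluster_domains(DOMAINS), 1):
        print(f"cluster {n}: {', '.join(cluster)}")
```

Transitive joins are the point: the ticket domains are linked through a certificate on one pair and a pixel on another, and no single indicator connects all three. Any new domain that appears with an already-clustered indicator inherits the cluster, which is what lets a team act on infrastructure the actor has parked but not yet used.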


The post 300+ Fake Domains Used in GHOST STADIUM Campaign Targeting World Cup Fans appeared first on Cyber Security News.



NerdsToGo
11 hours ago

Charter confirms data breach after ShinyHunters extortion threat

U.S. telecommunications giant Charter Communications has confirmed it suffered a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. [...]
NerdsToGo
20 hours ago

Ameriprise - 502,597 breached accounts

In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure, and subsequently published the data after negotiations allegedly failed. The published data contained 500k unique email addresses as well as names, phone numbers, physical addresses and employer information. In their disclosure to state attorneys general, Ameriprise reported 47,876 affected people; the larger email address population represents contacts from Ameriprise's broader operational systems, including internal staff. Ameriprise further advised that they have "implemented heightened monitoring of your account(s) to include enhanced identity verification procedures".
NerdsToGo
20 hours ago