# Tycoon 2FA Phishers Shift Tactics: Device Code Phishing Emerges as New Threat Vector


As security defenses against traditional phishing attacks have strengthened, the threat landscape continues to evolve. A notable shift has been detected among actors known as "Tycoon," a phishing-for-hire group, who have abandoned their previous two-factor authentication (2FA) interception strategies in favor of a more sophisticated approach: device code phishing. This tactical pivot represents a concerning development in account takeover attacks, exploiting legitimate authentication flows that many organizations have yet to fully secure.


## The Threat: Device Code Phishing Explained


Device code phishing represents a departure from conventional phishing and 2FA bypass techniques. Rather than attempting to intercept or manipulate SMS or time-based one-time passwords (TOTP), attackers now exploit the device code authentication flow—a feature designed to streamline login for devices without traditional browsers, such as smart TVs, IoT devices, and headless applications.


In this attack scenario, victims are deceived into visiting a legitimate-looking website or clicking on a malicious link that mimics their target service's authentication interface. The victim is prompted to enter a code displayed on their screen into a device code authorization page. What the victim doesn't realize is that they're actually authorizing the attacker's device to access their account.


The attack flow typically follows this pattern:

  • Attacker initiates a device code login flow on the legitimate service
  • Victim receives a phishing message with a URL or code prompt
  • Victim unknowingly authorizes the attacker's device
  • Attacker gains full account access, bypassing 2FA entirely
  • Attacker establishes persistent access before the victim realizes the compromise

## Background and Context: The Tycoon Evolution


Tycoon has operated as a phishing-for-hire operation, monetizing account takeover attacks by selling access to compromised accounts on the dark web. The group has historically focused on targeting high-value accounts across multiple sectors, including technology companies, financial institutions, and SaaS platforms.


Previously, Tycoon's success relied on intercepting authentication tokens and bypassing 2FA mechanisms through various techniques:

  • Session token theft via malicious browser extensions or credential-stealing malware
  • SMS interception and SIM swapping
  • 2FA bypass services that operated on dark web marketplaces
  • Phishing pages designed to harvest credentials and TOTP codes simultaneously

As organizations deployed stronger security measures—including hardware security keys, biometric authentication, and improved 2FA detection mechanisms—Tycoon's traditional methods became less reliable. This forced the group to adapt or face declining profitability.


The shift to device code phishing suggests several tactical advantages for attackers:

  • Lower detection risk: Device code flows are legitimate authentication mechanisms, making malicious activity harder to distinguish from normal behavior
  • 2FA circumvention: The attack bypasses 2FA entirely by exploiting the authorization flow itself rather than attempting to steal factors
  • Persistence: Unlike temporary session hijacking, device code authorization can provide long-term account access
  • Plausible deniability: Victims may struggle to prove unauthorized access if the authorization appears to have come from a legitimate flow

## Technical Details: How Device Code Phishing Works


To understand the severity of this threat, it's important to examine the device code flow and its vulnerabilities.


### The Legitimate Device Code Flow


The OAuth 2.0 Device Authorization Grant (RFC 8628) was designed to solve a real problem: enabling authentication on devices without traditional web browsers. The flow works as follows:

1. The device sends a device authorization request to the authorization server
2. The server generates a device code and a user code and returns both to the device
3. The device displays the user code to the user
4. The user visits the authorization endpoint in a web browser and enters the user code
5. The user approves the device
6. The device, which has been polling the token endpoint, exchanges the device code for access tokens


This flow is legitimate and widely implemented by major cloud providers, streaming services, and enterprise platforms.
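
The six steps above, as an added example that is not code from the article or from any real identity provider: a minimal in-memory authorization server walked through by a simulated device. Endpoint names and error codes follow RFC 8628; the client id `tv-app`, the verification URI, the IP addresses and the user names are constructed for the illustration. The server also records where the device authorization request came from and exposes it to the consent page, since that is the only context the protocol lets it offer the person typing the code.

```python
"""Simulated OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example, not code from the article or any real identity provider.
Endpoint names and error codes follow RFC 8628; the in-memory server,
client id, verification URI, IP addresses and user names are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# RFC 8628 suggests an alphabet that avoids easily confused characters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"

@dataclass
class PendingAuthorization:
    client_id: str
    device_code: str
    user_code: str
    scope: str
    requested_from_ip: str          # who called /device_authorization
    expires_at: float
    interval: int = 5               # minimum seconds between /token polls
    last_poll: float = 0.0
    approved_by: Optional[str] = None

class ManualClock:
    """Controllable clock so the example runs without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class AuthorizationServer:
    def __init__(self, clock=time.time, lifetime=600):
        self.clock, self.lifetime = clock, lifetime
        self.by_device_code, self.by_user_code = {}, {}

    def device_authorization(self, client_id, scope, src_ip):
        """Steps 1-2: the device asks for codes; the server mints both."""
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        pend = PendingAuthorization(client_id, secrets.token_urlsafe(32),
                                    f"{raw[:4]}-{raw[4:]}", scope, src_ip,
                                    self.clock() + self.lifetime)
        self.by_device_code[pend.device_code] = pend
        self.by_user_code[pend.user_code] = pend
        return {"device_code": pend.device_code, "user_code": pend.user_code,
                "verification_uri": "https://auth.example/device",  # constructed
                "expires_in": self.lifetime, "interval": pend.interval}

    def _lookup_user_code(self, user_code):
        pend = self.by_user_code.get(user_code.strip().upper())
        if pend is None or self.clock() > pend.expires_at:
            return None
        return pend

    def consent_details(self, user_code):
        """Step 4: context for the consent page. The protocol gives the server
        no way to tell whether the person typing the code owns the device that
        requested it; the requester's IP and client name are all it can show."""
        pend = self._lookup_user_code(user_code)
        if pend is None:
            return None
        return {"client_id": pend.client_id, "scope": pend.scope,
                "requested_from_ip": pend.requested_from_ip}

    def approve(self, user_code, user):
        """Step 5: the signed-in user approves, binding their identity to the grant."""
        pend = self._lookup_user_code(user_code)
        if pend is None:
            return "invalid_or_expired"
        pend.approved_by = user
        return "approved"

    def token(self, client_id, device_code):
        """Step 6: the device polls /token with the device_code grant type."""
        now = self.clock()
        pend = self.by_device_code.get(device_code)
        if pend is None or pend.client_id != client_id:
            return {"error": "invalid_grant"}
        if now > pend.expires_at:
            return {"error": "expired_token"}
        if now - pend.last_poll < pend.interval:
            pend.last_poll = now
            return {"error": "slow_down"}
        pend.last_poll = now
        if pend.approved_by is None:
            return {"error": "authorization_pending"}
        del self.by_device_code[device_code]      # device codes are single-use
        del self.by_user_code[pend.user_code]
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "refresh_token": secrets.token_urlsafe(24), "scope": pend.scope,
                "subject": pend.approved_by}

def run_flow(device_ip="198.51.100.20", user="alice"):
    """Walk the six steps end to end; returns what each side observed."""
    clock = ManualClock()
    server = AuthorizationServer(clock=clock)
    issued = server.device_authorization("tv-app", "mail.read", src_ip=device_ip)
    first_poll = server.token("tv-app", issued["device_code"])  # authorization_pending
    consent = server.consent_details(issued["user_code"])       # rendered in the browser
    server.approve(issued["user_code"], user)
    clock.advance(issued["interval"])                           # honour the poll interval
    return {"first_poll": first_poll, "consent": consent,
            "token": server.token("tv-app", issued["device_code"])}

if __name__ == "__main__":
    print(run_flow())
```

The success at step 6 says only that someone able to sign in approved the user code; nothing in the exchange ties that person to the device that requested it, which is exactly the gap the attack table below exploits. The `requested_from_ip` field is what a hardened consent page would display, and what later log correlation can compare against the approver's address.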


### The Attack Vector


Attackers exploit this flow through social engineering:

| Step | Legitimate User | Attacker |
|------|-----------------|----------|
| Initiation | User logs in on their device | Attacker initiates a device code flow from a device they control |
| User Code Display | Device shows unique code | Attacker sends phishing message to victim containing the user code |
| Authorization | User enters code on official website | Victim enters code (thinking they're logging into their own account) |
| Authorization Grant | User approves device | Victim unknowingly approves attacker's device |
| Token Exchange | Device receives tokens | Attacker's device receives valid access tokens |
| Result | User logs into their own device | Attacker gains account access |


The effectiveness of this attack lies in its social engineering component. If the phishing page is well-crafted and the victim is in a hurry or unsuspecting, they may blindly enter the code without examining the URL carefully.


## Why This Matters: Implications for Organizations


The rise of device code phishing presents several concerning implications:


### 1. Expanding Attack Surface

Organizations that have hardened their traditional authentication mechanisms now face attacks through alternative authentication flows. Device code authorization is often less scrutinized than primary login attempts, creating a blind spot in security monitoring.


### 2. Account Takeover at Scale

Device code phishing enables attackers to compromise accounts without requiring:

  • Password knowledge
  • Interception of authentication factors
  • Social engineering of support teams
  • Malware installation
  • SIM swapping or phone access

This dramatically lowers the technical barrier for account takeover attacks.


### 3. Persistent Access

Unlike token theft, device authorization grants long-term credentials. An attacker with an authorized device can maintain access even after the victim changes their password, resets their authenticator, or reviews their active sessions—if the legitimate user doesn't specifically revoke the unauthorized device.


### 4. Detection Challenges

Most users don't regularly audit their authorized devices. An attacker-controlled device authorization may go unnoticed for weeks or months, providing an extended window for data theft, lateral movement, or privilege escalation.


### 5. Cascading Compromise

Account takeover is often just the first step. Attackers use compromised accounts to:

  • Access sensitive data and intellectual property
  • Establish persistence in enterprise environments
  • Launch targeted phishing against other users
  • Abuse trust relationships with customers or partners

## Recommendations: Defense and Detection


Organizations and individuals should implement layered defenses to mitigate device code phishing risk:


### For Organizations


  • Monitor device authorizations: Audit authorized devices regularly and alert users to new authorizations they didn't initiate
  • Implement risk-based access controls: Require additional verification (email confirmation, biometric re-authentication) when new devices request authorization
  • Educate users: Training should emphasize the legitimacy of device code flows and the importance of verifying context before authorization
  • Restrict device code flows: Disable device authorization for sensitive applications if the business case doesn't justify the risk
  • Log and alert: Generate detailed logs of device code requests, authorizations, and token exchanges; alert on suspicious patterns
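
The "monitor" and "log and alert" items above, as an added example that is not code from the article or from any identity provider: detection logic run over constructed device-code audit events. The `key=value` log format, the three event names (`device_code_requested`, `user_code_approved`, `token_issued`), the flow ids and every IP address and user name are constructed for the illustration; the real fields come from your provider's sign-in and audit logs. The two rules use the one signal the attack cannot avoid: the user code is entered from the victim's browser while the device that requested it polls the token endpoint from the attacker's infrastructure, so the two source addresses differ, and a phishing kit reuses one polling source across many victims.

```python
"""Detection logic over device-code authorization events.

Added example, not code from the article or from any identity provider.
The key=value log format, event names, flow ids, IP addresses and user
names are constructed; map them onto your provider's real audit events.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Constructed sample: f1 is a normal smart-TV login; f2-f4 show one polling
# source collecting approvals from three different users in other networks.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z event=device_code_requested flow=f1 client_id=tv-app src_ip=198.51.100.20
2024-05-01T09:00:40Z event=user_code_approved flow=f1 user=alice src_ip=198.51.100.20
2024-05-01T09:00:45Z event=token_issued flow=f1 user=alice src_ip=198.51.100.20
2024-05-01T10:15:00Z event=device_code_requested flow=f2 client_id=mail-cli src_ip=203.0.113.7
2024-05-01T10:15:30Z event=user_code_approved flow=f2 user=bob src_ip=192.0.2.44
2024-05-01T10:15:35Z event=token_issued flow=f2 user=bob src_ip=203.0.113.7
2024-05-01T10:16:00Z event=device_code_requested flow=f3 client_id=mail-cli src_ip=203.0.113.7
2024-05-01T10:16:20Z event=user_code_approved flow=f3 user=carol src_ip=192.0.2.91
2024-05-01T10:16:25Z event=token_issued flow=f3 user=carol src_ip=203.0.113.7
2024-05-01T10:17:00Z event=device_code_requested flow=f4 client_id=mail-cli src_ip=203.0.113.7
2024-05-01T10:17:15Z event=user_code_approved flow=f4 user=dave src_ip=192.0.2.130
2024-05-01T10:17:20Z event=token_issued flow=f4 user=dave src_ip=203.0.113.7
"""

def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict with a UTC datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def same_network(ip_a, ip_b, prefix=24):
    """Crude locality check; production rules would compare ASN or geolocation."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def analyze(log_text, approvals_per_source=3):
    """Return alerts for flows whose approver and device sit in different
    networks, and for device sources that harvest approvals from many users."""
    flows = defaultdict(dict)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            flows[rec["flow"]][rec["event"]] = rec

    alerts = []
    approvers_by_source = defaultdict(set)
    for flow_id, events in flows.items():
        req = events.get("device_code_requested")
        approval = events.get("user_code_approved")
        if req is None or approval is None:
            continue
        if same_network(req["src_ip"], approval["src_ip"]):
            continue  # code entered from the same network the device polls from
        approvers_by_source[req["src_ip"]].add(approval["user"])
        alerts.append({
            "rule": "approver_device_network_mismatch",
            "flow": flow_id,
            "user": approval["user"],
            "device_ip": req["src_ip"],
            "approver_ip": approval["src_ip"],
            "seconds_to_approve": int((approval["ts"] - req["ts"]).total_seconds()),
        })

    # Fan-out rule: one polling source gathering approvals from many identities.
    for src_ip, users in approvers_by_source.items():
        if len(users) >= approvals_per_source:
            alerts.append({"rule": "one_device_source_many_users",
                           "device_ip": src_ip, "users": sorted(users)})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The network-mismatch rule also fires on legitimate remote approvals (a TV on home broadband approved from a phone on mobile data), so treat it as a user-notification trigger rather than a block, and let the fan-out rule and the approval latency drive analyst escalation. Tune `prefix` and `approvals_per_source` to your environment.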

### For Users


  • Verify URLs: Before entering a user code, manually navigate to the official login page of the service rather than clicking links in emails or messages
  • Audit authorized devices: Regularly review your account settings for authorized devices and remove any you don't recognize
  • Use strong passwords and 2FA: While device code phishing bypasses 2FA, strong authentication still protects against other compromise vectors
  • Be skeptical of unexpected prompts: If you receive an unexpected code or authorization prompt, do not proceed without independently verifying the request
  • Enable advanced security features: Use hardware security keys where available, as they provide stronger protection against account takeover

## Conclusion


The Tycoon group's pivot to device code phishing underscores a fundamental principle in security: attackers follow the path of least resistance. As defenses strengthen against traditional attacks, new vulnerabilities emerge. Device code phishing is likely not the last tactic to exploit legitimate authentication mechanisms.


Organizations that have invested heavily in securing passwords and 2FA should not consider their account security complete. A holistic approach—including device authorization monitoring, user education, and risk-based controls—is necessary to defend against the evolving threat landscape. As phishing-for-hire operations continue to adapt, so too must the defenses that protect our accounts and data.