What Is Sneaky 2FA?

Sneaky 2FA is an emerging Adversary-in-the-Middle (AiTM) phishing kit operating as a Phishing-as-a-Service (PhaaS) platform distributed primarily through Telegram channels by the operator "Sneaky Log." First detected in the wild in December 2024 with active campaigns dating to October 2024, Sneaky 2FA targets Microsoft 365 accounts by harvesting credentials and session cookies to bypass multi-factor authentication. The platform distinguishes itself from competing PhaaS offerings through a licensed source code distribution model where customers receive obfuscated code for independent deployment rather than accessing centralized infrastructure, reducing operator liability while distributing operational risk to customers.

According to Centripetal.ai analysis from January 2025, Sneaky 2FA captured 3% of the PhaaS market, competing against Tycoon 2FA's dominant 89% share and EvilProxy's 8% position. By August 2025, Sneaky 2FA's market penetration had grown modestly to 4.41% while Tycoon 2FA solidified dominance at 95.59%, according to updated Centripetal analysis. At $200 per month, Sneaky 2FA positions itself as a budget-friendly alternative to platforms like Mamba 2FA ($250/month) and Tycoon 2FA ($250/month), potentially appealing to cost-conscious or entry-level threat actors despite offering more limited functionality than premium competitors.

How Does Sneaky 2FA Work?

Sneaky 2FA operates through a Telegram bot interface managed by the "Sneaky Log" cybercrime group. Threat actors purchase subscriptions through this bot, receive licensed and obfuscated source code, and deploy the phishing infrastructure on independently sourced hosting. This distribution model differs from centralized PhaaS platforms that provide managed infrastructure, instead requiring customers to procure hosting services and configure phishing pages themselves using the provided codebase.

When victims visit Sneaky 2FA phishing URLs, they encounter fake Microsoft 365 login pages featuring blurred background images that mimic legitimate Microsoft interfaces. According to Sekoia.io analysis published in December 2024, these blurred backgrounds serve multiple purposes: reducing file size for faster page loading, obfuscating specific UI details that might reveal the page as fraudulent upon close inspection, and creating visual legitimacy through recognizable Microsoft design elements. The blurring technique represents a deception tactic that balances authenticity with operational security, as unblurred screenshots might expose sensitive Microsoft interface details or create copyright liability.

The AiTM architecture positions phishing pages as proxies between victim browsers and Microsoft's legitimate authentication servers. When victims enter credentials, Sneaky 2FA captures both the username and password and the session tokens and MFA cookies issued after successful authentication. According to Sekoia.io technical analysis, credentials are exfiltrated to attackers via Telegram bot notifications in real-time, enabling rapid account access while session tokens remain valid. This real-time exfiltration allows attackers to begin exploitation within minutes of successful phishing, maximizing the value of short-lived session tokens.

Sneaky 2FA implements sophisticated bot verification to evade security vendor analysis. According to Sekoia.io reporting, the platform detects and redirects automated scanners, data center IP addresses, VPN connections, and proxy traffic to Wikipedia pages rather than displaying phishing content. This anti-reconnaissance capability frustrates security researchers attempting to analyze phishing infrastructure and prevents automated threat intelligence systems from cataloging page characteristics. Only traffic originating from residential IP addresses and exhibiting human browsing patterns encounters actual credential harvesting forms, complicating defensive intelligence gathering.

The licensed source code distribution model provides customers with obfuscated code that obscures the underlying implementation details while enabling deployment customization. According to Sekoia.io analysis, this approach reduces operator liability by distributing infrastructure control to customers who assume responsibility for hosting and campaign execution. If law enforcement identifies and seizes customer infrastructure, the impact remains limited to individual customers rather than affecting the entire platform. This distributed architecture contrasts with centralized platforms like Rockstar 2FA where infrastructure collapse simultaneously affected all customers.

How Does Sneaky 2FA Differ From Other Phishing Platforms?

| Factor                          | Sneaky 2FA          | Mamba 2FA          | Tycoon 2FA          | Rockstar 2FA         | EvilProxy                |
|---------------------------------|---------------------|--------------------|---------------------|----------------------|--------------------------|
| Discovery date                  | Dec 2024            | May 2024           | Pre-2024            | Aug 2024             | 2023                     |
| Campaign activity               | Oct 2024 - ongoing  | Nov 2023 - ongoing | 2024 - ongoing      | Aug - Nov 2024       | 2023 - ongoing           |
| Distribution method             | Telegram bot        | Telegram           | Telegram            | Telegram/ICQ         | Telegram                 |
| Target platform                 | Microsoft 365       | Microsoft 365      | Microsoft 365       | Microsoft 365        | Multiple platforms       |
| Monthly price                   | $200                | $250               | $250                | $200-350             | $300+                    |
| Source code model               | Licensed/obfuscated | Managed service    | Managed service     | Managed service      | Managed service          |
| Market share (Jan 2025)         | 3%                  | Unknown            | 89%                 | Collapsed (Nov 2024) | 8%                       |
| Market share (Aug 2025)         | 4.41%               | Unknown            | 95.59%              | N/A                  | Unknown                  |
| Identified domains (early 2025) | ~100                | N/A                | N/A                 | N/A                  | N/A                      |
| Ideal for                       | Budget operators    | Premium campaigns  | High-volume attacks | Mid-tier (defunct)   | Multi-platform targeting |

The comparison reveals Sneaky 2FA as a budget-tier entrant competing in a market dominated by Tycoon 2FA. According to Centripetal.ai analysis from January and August 2025, Tycoon 2FA maintained and strengthened dominance throughout 2025, growing from 89% to 95.59% market share while Sneaky 2FA achieved only modest growth from 3% to 4.41%. This marginal improvement suggests limited competitive differentiation and difficulty displacing established platforms despite cost advantages.

The licensed source code distribution model represents Sneaky 2FA's primary differentiator. While competitors like Mamba 2FA, Tycoon 2FA, and Rockstar 2FA provided managed infrastructure where customers accessed centralized phishing services, Sneaky 2FA customers receive obfuscated code to deploy independently. According to Sekoia.io analysis from December 2024, this model reduces operator infrastructure costs and liability exposure while requiring customers to possess greater technical sophistication for deployment and maintenance. The tradeoff favors operators seeking to minimize operational footprint but may limit customer acquisition among less technically skilled threat actors.

Sneaky 2FA's pricing at $200 monthly undercuts Mamba 2FA and Tycoon 2FA by $50 per month, potentially appealing to budget-conscious attackers. However, according to Centripetal analysis, this price advantage has not translated into substantial market share gains, suggesting that customers prioritize functionality, reliability, and operational support over minor cost savings. The correlation between lower price and smaller market share indicates that PhaaS customers value proven effectiveness and established reputation more than marginal pricing benefits.

The approximately 100 identified Sneaky 2FA phishing domains documented by Sekoia.io as of early January 2025 provide scale context. This domain count represents individual customer deployments rather than centralized infrastructure, as the licensed code model distributes hosting across customers. The relatively small domain footprint compared to high-volume platforms suggests limited customer adoption, consistent with the 3-4% market share figures.

Why Does Sneaky 2FA Matter?

Sneaky 2FA demonstrates the continued entry of new competitors into an increasingly saturated PhaaS market despite dominance by established platforms. The platform's December 2024 discovery and documented campaign activity from October 2024 indicate that threat actors continue developing and launching new PhaaS offerings even in markets with clear incumbents. According to Centripetal.ai and Sekoia.io analysis, this pattern suggests low barriers to entry for PhaaS development and sustained demand from threat actors seeking alternatives to established platforms for reasons including cost sensitivity, feature preferences, or a desire to evade detection signatures associated with popular platforms.

The licensed source code distribution model represents an operational innovation with implications for law enforcement disruption strategies. Traditional PhaaS platforms operate centralized infrastructure vulnerable to single-point-of-failure takedowns through domain seizure, hosting provider cooperation, or backend server compromise. According to Sekoia.io analysis from December 2024, Sneaky 2FA's distributed architecture where customers deploy independent infrastructure complicates disruption efforts. Law enforcement must target individual customer deployments rather than central operator infrastructure, requiring substantially greater resources and international coordination. This distributed model may represent a future evolution in PhaaS architectures as operators adapt to law enforcement disruption capabilities.

Sneaky 2FA's market performance provides insights into customer preferences and competitive dynamics in the PhaaS ecosystem. Despite offering lower pricing than established competitors, Sneaky 2FA achieved only 3-4% market share according to Centripetal.ai analysis from 2025, indicating that price sensitivity plays a limited role in platform selection compared to factors like reliability, feature breadth, and operational support. According to Infosecurity Magazine reporting from 2025, the dominance of Tycoon 2FA at 95.59% by August 2025 demonstrates strong network effects and switching costs in PhaaS markets, where established platforms benefit from accumulated reputation, extensive template libraries, and proven operational track records that new entrants struggle to match.

The platform's obfuscated code licensing model introduces risks for both operators and customers. According to Sekoia.io analysis, licensing obfuscated code to customers increases the probability that leaked samples will be reverse-engineered and shared within the threat actor community or analyzed by security researchers. If code samples are widely distributed, the obfuscation provides only temporary protection before researchers decode the implementation and develop detection signatures. This model may offer short-term operational security but creates longer-term sustainability challenges as code dissemination expands beyond paying customers.

What Are the Limitations of Sneaky 2FA?

Limited Feature Set Compared to Competitors

Sneaky 2FA provides basic AiTM credential and session token harvesting without advanced customization options available from platforms like Tycoon 2FA or Mamba 2FA. According to Centripetal.ai and Sekoia.io analysis from 2024-2025, the platform offers fundamental phishing capabilities sufficient for standard Microsoft 365 targeting but lacks specialized features including multi-platform support, advanced evasion techniques, or sophisticated analytics dashboards. This limited functionality constrains Sneaky 2FA's appeal to threat actors conducting complex campaigns or requiring extensive customization, likely contributing to the platform's modest 3-4% market share compared to feature-rich competitors.

Code Licensing Exposure Risks

The obfuscated source code distribution model creates risks that licensed code will be leaked, shared among threat actors, or obtained by security researchers for analysis. According to Sekoia.io analysis from December 2024, once code samples are available outside the paying customer base, researchers can reverse-engineer the obfuscation to understand implementation details and develop detection signatures. This exposure accelerates defensive signature development and reduces the platform's operational effectiveness. Commercial software vendors address this risk through license enforcement, telemetry, and legal remedies unavailable to criminal operations, leaving Sneaky 2FA vulnerable to code dissemination beyond paying customers.

Telegram Bot Single Point of Failure

Sneaky 2FA's reliance on Telegram bot infrastructure for customer distribution and credential exfiltration creates vulnerability if the Sneaky Log operator's Telegram accounts are suspended. According to Sekoia.io reporting, Telegram provides the primary interface for customer acquisition, technical support, and real-time credential delivery. If Telegram responds to abuse reports by suspending operator accounts, the entire customer communication infrastructure fails. While customers with previously deployed code could continue operations, new customer acquisition, support provision, and credential exfiltration functionality would require infrastructure reconstruction on alternative platforms.

Small Market Share Indicates Limited Adoption

Sneaky 2FA's market share, 3% in January 2025 and only 4.41% by August 2025, demonstrates the difficulty of competing against established platforms. According to Centripetal.ai analysis, Tycoon 2FA's dominance at 95.59% by August 2025 indicates strong customer preference for proven platforms with extensive track records. This market concentration suggests that Sneaky 2FA faces substantial challenges achieving significant adoption beyond a small niche of cost-conscious customers or threat actors seeking alternatives to mainstream platforms. Limited market share constrains revenue generation and may affect the sustainability of continued platform development and support.

Recent Market Entry Without Established Reputation

Sneaky 2FA's December 2024 discovery and October 2024 first campaigns indicate a new market entrant without established operational history. According to Sekoia.io and Infosecurity Magazine analysis from 2024-2025, PhaaS customers increasingly value proven reliability, responsive technical support, and demonstrated longevity when selecting platforms. New entrants like Sneaky 2FA must build reputation over time through consistent operation and customer satisfaction, creating adoption barriers that established platforms do not face. This reputation gap likely contributes to Sneaky 2FA's limited market penetration despite competitive pricing.

How Can Organizations Defend Against Sneaky 2FA?

Blurred Image Fingerprinting Detection

Email security gateways and web proxies should implement detection rules that identify phishing pages using obfuscated or blurred background images mimicking Microsoft user interfaces. According to Sekoia.io analysis from December 2024, Sneaky 2FA's distinctive use of blurred Microsoft interface screenshots as background elements creates detectable visual signatures. Image analysis tools can identify blur patterns, extract embedded images from HTML for comparison against known Microsoft interface screenshots, and flag pages demonstrating Sneaky 2FA's characteristic design patterns. This detection approach identifies phishing pages based on visual presentation characteristics rather than infrastructure indicators, providing resilience against domain rotation and hosting changes.
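One building block of the image-based check described above, as an added example that is not code from the page or from Sekoia.io: a variance-of-Laplacian sharpness score, the usual heuristic for deciding whether an image is blurred. Images are plain 2-D lists of grayscale values so the block runs without Pillow or NumPy; the checkerboard, the box blur and the threshold are constructed for illustration, and a real pipeline would feed in the background image extracted from the page HTML and calibrate the threshold against genuine and phishing backgrounds.

```python
# Added example: Laplacian-variance blur scoring on constructed grayscale images.

def make_checkerboard(size=16, block=4):
    """Constructed sharp test image: a 0/255 checkerboard with hard edges."""
    return [[255 if ((x // block + y // block) % 2 == 0) else 0
             for x in range(size)] for y in range(size)]

def box_blur(img, radius=2):
    """Constructed blurred counterpart: mean filter over a (2r+1)^2 window,
    clipped at the image border (fewer samples there)."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            total = count = 0
            for dy in range(-radius, radius + 1):
                for dx in range(-radius, radius + 1):
                    yy, xx = y + dy, x + dx
                    if 0 <= yy < h and 0 <= xx < w:
                        total += img[yy][xx]
                        count += 1
            row.append(total / count)
        out.append(row)
    return out

def laplacian_variance(img):
    """Sharpness score: variance of the 4-neighbour Laplacian over interior
    pixels. Hard edges give large +/- responses; blurring flattens them."""
    h, w = len(img), len(img[0])
    if h < 3 or w < 3:
        raise ValueError("image too small for a 3x3 Laplacian")
    responses = []
    for y in range(1, h - 1):
        for x in range(1, w - 1):
            lap = (4 * img[y][x] - img[y - 1][x] - img[y + 1][x]
                   - img[y][x - 1] - img[y][x + 1])
            responses.append(lap)
    mean = sum(responses) / len(responses)
    return sum((r - mean) ** 2 for r in responses) / len(responses)

# Assumed threshold for this constructed data; calibrate against a corpus of
# real login-page backgrounds before using it in a gateway or proxy rule.
BLUR_THRESHOLD = 10000.0

def looks_blurred(img, threshold=BLUR_THRESHOLD):
    """True when the image is too flat to be a crisp, unaltered screenshot."""
    return laplacian_variance(img) < threshold

if __name__ == "__main__":
    sharp = make_checkerboard()
    blurred = box_blur(sharp)
    print("sharp score:", round(laplacian_variance(sharp)),
          "blurred score:", round(laplacian_variance(blurred)))
```

A low score on its own only says "blurred"; the page-level verdict comes from combining it with a comparison of the recovered image against known Microsoft interface screenshots.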

Anti-Bot Redirect Behavior Detection

Security researchers and threat intelligence platforms should implement analysis techniques that bypass Sneaky 2FA's anti-bot protections. According to Sekoia.io reporting, Sneaky 2FA detects and redirects automated scanners, data center IPs, VPN connections, and proxy traffic to Wikipedia pages rather than displaying phishing content. Sophisticated analysis requires residential IP addresses, realistic browser fingerprints, and human-like interaction patterns to trigger actual phishing page display. Organizations deploying threat intelligence should ensure their analysis infrastructure mimics legitimate user behavior to successfully identify and catalog Sneaky 2FA campaigns rather than encountering redirect evasion.

Session Token Binding and Device Compliance

Microsoft 365 administrators should implement session token binding that ties authentication tokens to specific device characteristics, preventing replayed tokens from functioning when used from different hardware. According to Microsoft Security Best Practices and Sekoia.io guidance from 2024, session binding validates that tokens are used from the same device that originally authenticated. Organizations should configure Azure Active Directory conditional access policies to enforce device compliance requirements before granting Microsoft 365 access, require managed device enrollment for accessing corporate resources, and implement device-based risk assessment that elevates risk scores for authentication from unmanaged devices.

Impossible Travel and Geographic Anomaly Detection

Security operations centers should implement real-time monitoring for impossible travel scenarios and geographic anomalies indicative of session token replay. According to Centripetal.ai and Microsoft guidance, impossible travel detection identifies authentication from geographically impossible locations within short time windows, such as user authentication from New York followed by California access five minutes later. These patterns indicate session token theft and replay rather than legitimate user activity. Organizations should configure automated response including session token revocation, forced password reset, and security team notification when impossible travel is detected.
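The impossible-travel check described above, as an added example that is neither the page's code nor Microsoft's or Centripetal's implementation: it pairs each user's consecutive sign-ins, computes the great-circle distance and implied speed, and emits an alert with the response actions the paragraph lists. The sign-in events, IP addresses and the speed and distance thresholds are constructed assumptions; a real deployment would read geolocated sign-in log exports and tune the thresholds.

```python
# Added example: impossible-travel detection over constructed sign-in events.
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real telemetry). The fields mirror what
# a Microsoft 365 sign-in export carries once source IPs have been geolocated.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2025-01-15T14:00:00Z", "ip": "203.0.113.10",
     "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "alice@example.com", "time": "2025-01-15T14:05:00Z", "ip": "198.51.100.7",
     "city": "Los Angeles", "lat": 34.0522, "lon": -118.2437},
    {"user": "bob@example.com", "time": "2025-01-15T17:30:00Z", "ip": "192.0.2.45",
     "city": "Manchester", "lat": 53.4808, "lon": -2.2426},
    {"user": "bob@example.com", "time": "2025-01-15T09:00:00Z", "ip": "192.0.2.44",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed; tune per organisation
MIN_DISTANCE_KM = 50.0      # assumption: ignore jitter between nearby geolocation points

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))

def _parse_utc(ts):
    # Log exports end timestamps with "Z"; fromisoformat only accepts that on 3.11+.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive sign-ins by the same user whose implied travel speed
    exceeds max_kmh. Returns one alert per offending pair, carrying the
    automated response steps the SOC playbook should trigger."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _parse_utc(e["time"]))  # exports are not always ordered
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_km:
                continue  # same metro area; IP geolocation is not that precise
            hours = (_parse_utc(cur["time"]) - _parse_utc(prev["time"])).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf  # same-second sign-ins far apart
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from": (prev["city"], prev["ip"]), "to": (cur["city"], cur["ip"]),
                    "distance_km": round(dist, 1), "speed_kmh": round(speed, 1),
                    "actions": ["revoke_sessions", "force_password_reset", "notify_soc"],
                })
    return alerts

if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_SIGNINS):
        print(alert)
```

Bob's London-to-Manchester pair is 8.5 hours apart and passes; Alice's New York-to-Los Angeles pair five minutes apart is the token-replay pattern the page describes and produces the alert.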

New Device Verification and Step-Up Authentication

Organizations should require step-up authentication for logins from unregistered or new devices. According to Sekoia.io and Microsoft security guidance, Sneaky 2FA attacks often manifest as authentication from devices not previously associated with the victim's account. Conditional access policies can require additional verification including email or SMS confirmation codes, hardware security key authentication, or administrator approval when new devices attempt access. This step-up authentication disrupts automated session token replay by requiring attacker interaction and additional information beyond the stolen session token.

Passwordless Authentication Deployment

The most effective defense against Sneaky 2FA and similar AiTM platforms is eliminating credential and session token-based authentication through passwordless technologies. According to Sekoia.io and Microsoft security guidance, FIDO2 security keys and Windows Hello for Business provide cryptographic authentication that cannot be intercepted or replayed by AiTM proxies. FIDO2 keys use public-key cryptography: the private key never leaves the physical security device, and the signed assertion is bound to the origin of the legitimate site, so a proxy serving a look-alike domain never obtains a credential it can replay. Organizations should prioritize passwordless authentication deployment for high-value accounts, administrative users, and employees with access to sensitive data, eliminating the credential and session token vulnerability that Sneaky 2FA exploits.

FAQs

How is Sneaky 2FA different from Sneaky Log?

"Sneaky Log" is the operator name or cybercrime group operating the Sneaky 2FA phishing service, while "Sneaky 2FA" is the phishing kit they distribute. According to Sekoia.io analysis published in December 2024, the naming can be confusing, but they represent the same criminal operation: Sneaky Log is the organizational entity that develops, markets, and sells Sneaky 2FA PhaaS subscriptions through Telegram channels. The distinction is primarily semantic, as most security researchers use the terms interchangeably when referring to the overall operation. Organizations defending against this threat should recognize that "Sneaky Log" and "Sneaky 2FA" reference the same adversary and phishing infrastructure.

Why do Sneaky 2FA pages have blurred backgrounds?

The blurred backgrounds serve multiple operational and deception purposes. According to Sekoia.io technical analysis from December 2024, Sneaky 2FA uses screenshots from legitimate Microsoft interfaces that are intentionally blurred to reduce file size for faster page loading, obfuscate specific UI details that might reveal the page as fraudulent during close inspection, and create visual legitimacy by incorporating recognizable Microsoft design elements while avoiding exact replication that might trigger copyright detection or forensic comparison. The blurring technique represents a balance between authenticity and operational security, making pages appear legitimate to casual observation while obscuring details that security researchers might use for detailed analysis or that might create legal liability for operators.

How much does Sneaky 2FA cost versus competitors?

Sneaky 2FA costs $200 per month, making it cheaper than Mamba 2FA ($250/month), Tycoon 2FA ($250/month), and substantially less expensive than EvilProxy ($300+/month). According to Sekoia.io, Centripetal.ai, and comparative PhaaS market analysis from 2024-2025, this pricing positions Sneaky 2FA as a budget-friendly alternative potentially appealing to cost-conscious threat actors. However, the correlation between lower price and smaller market share (3-4% compared to Tycoon's 95.59%) suggests that customers prioritize factors beyond price including functionality, reliability, operational support, and established reputation. The price differential has not driven significant market share gains for Sneaky 2FA despite the $50 monthly savings compared to mid-tier competitors.

What is the market share of Sneaky 2FA?

As of January 2025, Sneaky 2FA represented 3% of PhaaS incidents according to Centripetal.ai analysis, competing against Tycoon 2FA's dominant 89% and EvilProxy's 8%. By August 2025, Sneaky 2FA grew modestly to 4.41% while Tycoon 2FA solidified dominance at 95.59%, according to updated Centripetal analysis. This marginal growth from 3% to 4.41% over seven months indicates limited competitive success despite pricing advantages and operational availability. The market share figures suggest that Sneaky 2FA remains a niche platform with limited adoption compared to established competitors, potentially constraining long-term sustainability and development investment.

How can I defend against Sneaky 2FA?

Effective defense requires layered controls addressing multiple attack stages. According to Sekoia.io guidance published in December 2024 and Microsoft Security Best Practices, organizations should implement session token binding that prevents replay attacks by tying tokens to specific devices, impossible travel detection that flags authentication from geographically impossible locations, new device verification requiring additional authentication for unregistered devices, user training emphasizing MFA limitations against session token theft, and passwordless authentication using FIDO2 security keys where feasible. Email gateway protection including URL detonation in sandboxes, real-time phishing page analysis, and threat intelligence integration blocks phishing links before delivery. The combination of technical controls and user awareness provides defense-in-depth against Sneaky 2FA's AiTM capabilities.

© 2026 Kinds Security Inc. All rights reserved.