Incident Report: Resurgent Phishing & Account Takeover (ATO) Campaign

@rwintermute.com

1. Executive Summary

This report documents a coordinated phishing campaign targeting Bluesky users through compromised high-follower accounts. Despite the global disruption of the Tycoon 2FA PhaaS platform on March 4, 2026, new infrastructure has emerged leveraging similar Adversary-in-the-Middle (AiTM) tactics. The goal is the theft of session tokens to bypass Multi-Factor Authentication (MFA) and expand the botnet.

2. Infrastructure Provenance

Analysis of the underlying hosting and registration services reveals a "bulletproof" hosting strategy designed to resist standard takedown requests.

Domain: bsky-giveawey.app

  • Registrar: NameSilo, LLC (Commonly used by PhaaS operators for low-friction registration).
  • Hosting Provider: AlexHost (Moldova). Known as a "bulletproof" host that often ignores DMCA and abuse reports from Western entities.
  • Technical Lure: Typosquatting. Because the .app TLD is HSTS-preloaded, the site is served over HTTPS with a valid SSL/TLS certificate, so the browser padlock acts as a "False Trust" indicator.

Domain: bsky-gift.sbs

  • Registrar: Sarek Oy (Associated with privacy-focused, high-anonymity registrations).
  • Hosting Provider: Stark Industries Solutions (VPS). Often utilized by Storm-1747 (the group behind Tycoon 2FA) for proxying malicious traffic.
  • Technical Lure: Keyword squatting on a low-reputation TLD (.sbs). This domain functions as a failover redirector.

3. Behavioral Analysis (ATO Indicators)

The campaign utilizes a "Dormant-to-Active" pivot.

  • Subject Account A (@truthseekeronly.bsky.social): 28 days of dormancy followed by immediate high-frequency promotion of phishing domains.
  • Subject Account B (@cathyhadenough.bsky.social): High-impact account (10k+ followers). The pivot occurred 3 days ago, shifting from organic political commentary to generic Web3 lures. This is a 100% confidence indicator of Account Takeover (ATO).

4. The AiTM Attack Vector

Unlike simple credential harvesting, these sites function as a reverse proxy: the user's login is relayed to the legitimate service, and the site intercepts the Session Cookie in real time. Because that session is already authenticated, the attacker keeps access even if the user has MFA enabled.

5. Indicators of Compromise (IoCs)

  • Domains: bsky-giveawey[.]app, bsky-gift[.]sbs
  • Lure Keywords: "Community Rewards," "Testing tokens," "Bluesky Gift"
  • Associated IP Space: 193.160.213.x (AlexHost range), 45.133.x.x (Stark Industries range)
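As an added illustration (not code from the report or its author), the following Python encodes the "Dormant-to-Active" heuristic from section 3 together with the domain and keyword IoCs from section 5 as a per-account check a moderator or labeler could run over a post timeline. The 28-day dormancy figure comes from Subject Account A; the 24-hour burst window, the three-post minimum and the sample timeline are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# IoC domains and lure keywords from section 5, refanged for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("bsky-giveawey[.]app", "bsky-gift[.]sbs")}
LURE_KEYWORDS = ("community rewards", "testing tokens", "bluesky gift")

DORMANCY_DAYS = 28                  # silence observed on Subject Account A (section 3)
BURST_WINDOW = timedelta(hours=24)  # assumption: "high-frequency" measured over one day
BURST_MIN_POSTS = 3                 # assumption: lure posts needed inside that window
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

def is_lure(text):
    """True when a post links one of the IoC domains or carries a lure keyword."""
    linked = {d.lower() for d in DOMAIN_RE.findall(text)}
    lowered = text.lower()
    return bool(linked & IOC_DOMAINS) or any(k in lowered for k in LURE_KEYWORDS)

def dormant_to_active(posts):
    """posts: (datetime, text) pairs for one account, in any order.
    Returns (gap_days, burst): days of silence before the first lure post and the
    number of lure posts inside BURST_WINDOW after it; None if no lure was posted."""
    ordered = sorted(posts)
    for i, (ts, text) in enumerate(ordered):
        if not is_lure(text):
            continue
        gap = (ts - ordered[i - 1][0]).days if i else None
        burst = sum(1 for t, x in ordered[i:] if t - ts <= BURST_WINDOW and is_lure(x))
        return gap, burst
    return None

def flag_ato(posts):
    """Dormant-to-Active pivot: long silence, then a burst of lure posts."""
    result = dormant_to_active(posts)
    if result is None:
        return False
    gap, burst = result
    return gap is not None and gap >= DORMANCY_DAYS and burst >= BURST_MIN_POSTS

# Constructed sample timeline for one account (not real posts).
SAMPLE_POSTS = [
    (datetime(2026, 2, 1, 9, 0), "Morning thoughts on the budget vote."),
    (datetime(2026, 2, 3, 18, 30), "Great turnout at the town hall tonight."),
    (datetime(2026, 3, 5, 10, 0), "Community Rewards are live! https://bsky-giveawey.app/claim"),
    (datetime(2026, 3, 5, 10, 7), "Bluesky Gift drop, testing tokens: https://bsky-gift.sbs/go"),
    (datetime(2026, 3, 5, 11, 45), "Claim before it ends https://bsky-giveawey.app/claim"),
]

if __name__ == "__main__":
    print(dormant_to_active(SAMPLE_POSTS), flag_ato(SAMPLE_POSTS))  # (29, 3) True
```

An account that was never silent, or that posts the lure only once, does not trip the check, which is the point of pairing the dormancy gap with the burst count rather than matching domains alone.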

6. Recommendations

  • Revoke App Passwords: Users who interacted with these links should immediately delete all App Passwords in Settings.
  • Labeler Integration: Community moderators are encouraged to add these domains to "Spam" and "Scam" labeling services on the AT Protocol.
Riley (@rwintermute.com)