IT Security12. Mai 2026

The 2FA lie: why your account was drained even though you had the code

A technical report on session hijacking: why 2FA does not help when the session is stolen.

#2FA#Session Hijacking#Infostealer#Security
The 2FA lie: why your account was drained even though you had the code

Over 700 euros gone in 24 hours. 2FA on, strong password, SMS code on the phone. Still empty. The attacker did not steal the password. He stole the session.

Infected gaming PC

Marc Weidner, IT Technical Consultant

The attack

It started with a game mod. Admin rights during install. Classic mistake. In the background an infostealer ran: quiet, not ransomware.

Traces: DLL sideloading under ...\Destager\, WMI persistence via an SCM Event Log Filter, mass access to Windows Credential Manager (Event ID 5379).

Infection and exfiltration

Why 2FA failed

Two-factor checks the login. The attacker did not log in. He took over an existing session. Stolen cookies went into his browser. PayPal, Google, Amazon see no difference. To them he is you.

Session takeover

Fourteen charges of 51.75 euros each, new gift addresses, digital vouchers. Automated, minutes. The phone stays quiet. 2FA is not asked again.

What remains

Strong password plus 2FA does not help if you give admin rights to malware. The only fix is different behavior.

Wipe for cleanup

2FA protects login. Nobody checks what happens to the session after that.