The Evil Twin attack, which involves creating rogue Wi-Fi access points that impersonate legitimate networks, remains one of the most persistent and adaptive threats in cybersecurity, even though more than two decades have passed since its first public demonstration in 2005. This paper aims to provide a comprehensive analysis of the evolution of this attack, which is perceived as an “invisible enemy” due to its low detectability and systematic underestimation in incident reports. The study addresses key questions: how the Evil Twin attack has evolved, how its methods and tools have changed, where it currently stands, and where it may be heading in the future. The paper compiles evidence from conference presentations, academic publications, government reports, industry analyses, and media coverage, as well as selected defense mechanisms such as WIPS, WPA3, Protected Management Frames, ETGuard, and the Trusted Wireless Environment framework. An original taxonomy of Evil Twin attack mutations is proposed, along with a ten-stage Kill Chain model ([A]–[J]) mapped onto the MITRE ATT&CK framework, an exposure time metric Te as a key evolutionary parameter, and models quantifying attack cost-effectiveness and efficiency. The analysis demonstrates that the Evil Twin remains a persistent and adaptive threat whose effectiveness stems from the combination of technical vulnerabilities, user trust in familiar network names, and the difficulty of unambiguous attribution and classification of incidents.