The Darcula phishing-as-a-service (PhaaS) platform stole 884,000 bank cards from 13 million clicks on malicious links sent via text messages to targets worldwide.
The cyber heist was carried out over seven months between 2023 and 2024, so it doesn’t reflect the total amount the cybercrime platform has helped to steal.
These numbers come from coordinated research by investigators from NRK, Bayerischer Rundfunk, Le Monde, and Norwegian security firm Mnemonic, who identified 600 operators (cybercrime clients) and the platform’s main creator and seller.
Darcula’s rapid rise
Darcula is a PhaaS platform that targets Android and iPhone users in over 100 countries using 20,000 domains that spoof well-known brands, aiming to steal people’s account credentials.
These SMS phishing texts commonly pretend to be road toll fines or package shipping notifications that include links to phishing sites.
Netcraft researchers, who were the first to highlight the rising threat in March 2024, noted that Darcula was set apart from similar cybercrime services by its ability to use RCS and iMessage instead of SMS, which made its attacks more effective.
In February 2025, the same researchers reported that Darcula had undergone a major evolution, now allowing operators to auto-generate phishing kits for any brand, while also implementing new stealth features, a credit card to virtual card converter, and a simplified admin panel.
In April 2025, Netcraft observed the introduction of generative AI in Darcula, allowing cybercriminals to craft custom scams with the help of LLM tools in any language and for any topic.

Lifting the lid
Mnemonic’s investigation, which involved reverse-engineering the phishing infrastructure, led to the discovery of a powerful phishing toolkit named ‘Magic Cat,’ which is the backbone of the Darcula operation.
The researchers also infiltrated the Telegram group associated with the Darcula operation, uncovering photos of SIM farms, modems, and evidence of lavish lifestyles financed by the scams.
Through OSINT work and passive DNS analysis, they traced the operation’s digital footprints to a Chinese individual and a GitHub developer account, among other things.
NRK claims the individual is a 24-year-old from Henan, China, linked to a company that is believed to have created Magic Cat.
A spokesperson for the firm told the press that Yucheng was a former employee, and denied any involvement in fraud, claiming that it only sells “website-creation software.”
NRK notes that, although the company acknowledged that Magic Cat is used for phishing, and claimed they would shut it down, a new version was released.
In a separate post, NRK reveals about 600 individual scammers using Darcula to steal payment card information from victims globally, with 884,000 cards captured worldwide.
Operators are organized into closed Telegram groups, which NRK monitored for over a year, finding that most communicate in Chinese and run SIM farms and hardware setups to send mass text messages and process stolen cards via terminals.
NRK’s report highlights operators with very high volumes of malicious traffic facilitated by Darcula, including a Thai-based user, ‘x66/Kris,’ who appears to be high in the hierarchy.
All information the researchers and investigators gathered was shared with the relevant law enforcement authorities.