The Darcula phishing-as-a-service (PhaaS) platform has reportedly stolen 884,000 credit cards through SMS phishing campaigns that reached 13 million users worldwide. This extensive cyber heist occurred over a seven-month period between 2023 and 2024, as revealed by an in-depth investigation led by researchers from NRK, Bayerischer Rundfunk, Le Monde, and the security firm Mnemonic.
With over 600 cybercrime operators employing the Darcula platform, the operation has quickly gained notoriety for its ability to spoof well-known brands. Utilizing 20,000 deceptive domains, the Darcula service targets Android and iPhone users across more than 100 countries, sending texts that often masquerade as road toll fines or package notifications. This innovative approach to phishing has made it a significant threat in the cybersecurity landscape.
Netcraft researchers first noted the alarming rise of Darcula in March 2024, highlighting its unique capability to employ RCS and iMessage for phishing attacks, which has rendered these fraud efforts significantly more effective than traditional SMS methods. By February 2025, Darcula had evolved further, enabling operators to auto-generate phishing kits for any brand, while incorporating new stealth features and tools for enhancing fraudulent activities.
The investigation by Mnemonic uncovered ‘Magic Cat,’ the powerful toolkit that supports the Darcula operation. Researchers also infiltrated associated Telegram groups and found evidence linking the operation to a 24-year-old Chinese individual believed to be affiliated with a company behind Magic Cat. The company has repeatedly claimed it has no ties to these fraudulent activities, but its acknowledgment of Magic Cat’s role in phishing leaves the question of responsibility unclear.
NRK’s findings emphasize the organized nature of Darcula operators, who communicate mainly in Chinese and use SIM farms to conduct mass texting campaigns. Information from the investigation has been forwarded to relevant law enforcement authorities in the hope of curbing this global scam.