Darcula Phishing Empire Exposed: 884,000 Cards Stolen in Global Scam

Swagta Nath

An international investigative effort has uncovered the shocking scale of the Darcula phishing-as-a-service (PhaaS) platform, which has stolen over 884,000 credit card details from unsuspecting victims across 100+ countries. Operating from 2023 to 2024, Darcula lured users with deceptive text messages that mimicked road toll fines and shipping alerts. With more than 13 million clicks generated from these campaigns, the operation stands as one of the most widespread phishing schemes ever documented.

The investigation, led by cybersecurity firm Mnemonic along with media outlets NRK, Bayerischer Rundfunk, and Le Monde, identified around 600 cybercrime clients (operators) leveraging Darcula’s infrastructure. They used 20,000 spoofed domains to phish for credentials, aided by evolving features such as RCS/iMessage-based messaging, auto-generated phishing kits, and AI-powered scam scripting.

The ‘Magic Cat’ Toolkit and the Chinese Connection

Central to the platform is a phishing engine known as Magic Cat, which was reverse-engineered by researchers. This toolkit powers Darcula’s capabilities, enabling seamless phishing operations that target Android and iPhone users alike. Through deep OSINT techniques, the team linked the toolkit’s origin to a Chinese developer and a company in Henan. Despite public denials from the company, evidence suggests continued support and evolution of the tool—even after supposed shutdowns.

Telegram channels tied to Darcula revealed visuals of SIM farms and high-end hardware used by operators. Investigators found photos of fraud-funded luxury lifestyles, with operators organized in tight-knit online communities mostly communicating in Chinese.

A Call for Law Enforcement Action

The report details that most phishing links were spread via text messages sent through SIM farms managed by the operators. One prominent figure, identified as “x66/Kris” and believed to be based in Thailand, reportedly played a senior role in the syndicate.

All findings have been forwarded to law enforcement agencies worldwide, raising alarms about the scale and resilience of modern cybercrime networks. Experts warn that Darcula represents a new era of PhaaS, combining automation, AI, and sophisticated logistics to perpetrate fraud on a global scale.
