A massive global cybercrime campaign run by the Darcula phishing-as-a-service (PhaaS) platform has stolen over 884,000 payment cards from victims worldwide. The operation generated over 13 million clicks on fake links, primarily delivered via text messages, over a seven-month period spanning 2023 to 2024.
Investigators from NRK, Le Monde, Bayerischer Rundfunk, and cybersecurity firm Mnemonic conducted the deep-dive investigation. Their research exposed Darcula’s infrastructure, tools, operators, and even identified the platform’s main creator.
Sophisticated Tactics and AI-Powered Phishing
Darcula has quickly risen as one of the most advanced phishing platforms. Unlike typical phishing services, it targets both Android and iPhone users in more than 100 countries using over 20,000 domains designed to spoof trusted brands. The text messages appear to be toll fee reminders or shipping notifications, tricking users into clicking on malicious links that lead to fake websites.
What sets Darcula apart is its use of RCS (Rich Communication Services) and Apple iMessage—instead of traditional SMS—to send phishing texts. This switch allows messages to appear more legitimate and harder to detect, making the scams more effective.
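The lure pattern described above (a toll-fee or delivery notice pointing at a brand-lookalike domain) is the kind of thing a security team can triage automatically on messages users report. The following Python script is an added example for this article, not code from the investigation or from any of the organisations named; the brand allow-list, the lure phrases and the three sample messages are all constructed placeholders, and the scoring weights are an assumed starting point that a deployment would tune.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allow-list: registered domain -> brand token to look for in lookalikes.
# These are placeholders, not real brands.
KNOWN_BRAND_DOMAINS = {
    "exampledelivery.com": "exampledelivery",
    "exampletoll.gov": "exampletoll",
}

# Lure phrases matching the toll-fee / shipping-notification themes the article describes.
LURE_PATTERNS = [
    r"\btoll\b", r"\bunpaid\b", r"\boutstanding (fee|balance)\b",
    r"\bpackage\b", r"\bparcel\b", r"\bdelivery\b", r"\bredeliver",
    r"\bwithin \d+ hours?\b",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def registered_domain(host: str) -> str:
    """Naive last-two-labels approximation of the registered domain.
    Good enough for the constructed samples; a real deployment would use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(text: str) -> Verdict:
    """Score one reported message: +1 per lure phrase, +3 per link whose host
    embeds a brand token but is not the brand's real registered domain."""
    verdict = Verdict()
    for pattern in LURE_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            verdict.score += 1
            verdict.reasons.append(f"lure phrase matched: {pattern}")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registered_domain(host) in KNOWN_BRAND_DOMAINS:
            continue  # link really goes to the brand; no lookalike penalty
        # Strip hyphens so "exampledelivery-track" still reveals the embedded token.
        squashed = host.replace("-", "")
        for brand_domain, token in KNOWN_BRAND_DOMAINS.items():
            if token in squashed:
                verdict.score += 3
                verdict.reasons.append(f"lookalike host {host} impersonates {brand_domain}")
    return verdict


def is_suspicious(text: str, threshold: int = 3) -> bool:
    """Assumed threshold: one lookalike link alone is enough to flag a message."""
    return score_message(text).score >= threshold


# Constructed sample messages (placeholders, not real phishing texts).
SAMPLES = [
    "Your package could not be delivered. Pay the redelivery fee within 24 hours: "
    "https://exampledelivery-track.top/redeliver",
    "Unpaid toll notice: settle the outstanding balance at https://example-toll.xyz/pay "
    "to avoid penalties",
    "Your parcel is out for delivery today. Track at https://www.exampledelivery.com/track/123",
]


def triage(messages=SAMPLES, threshold: int = 3):
    """Return (index, score, reasons) for every message at or above the threshold."""
    flagged = []
    for i, msg in enumerate(messages):
        v = score_message(msg)
        if v.score >= threshold:
            flagged.append((i, v.score, v.reasons))
    return flagged


if __name__ == "__main__":
    for idx, score, reasons in triage():
        print(f"message {idx}: score {score}")
        for r in reasons:
            print(f"  - {r}")
```

The allow-list check is what keeps the third sample (a genuine notice with two lure words) from being flagged: lure vocabulary alone is weak evidence, while a brand token inside a domain the brand does not own is strong evidence, which is why it carries the higher weight.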
In early 2024, Netcraft warned about Darcula’s growing threat. By February 2025, the platform had evolved significantly. It introduced features like auto-generated phishing kits, stealth enhancements, and even a credit-card-to-virtual-card converter. An intuitive admin panel was also added to make the platform easier for cybercriminals to manage.
In April 2025, Darcula integrated generative AI tools, enabling its users to craft personalized phishing scams using large language models (LLMs). This addition made it possible to create believable messages in any language, targeting victims more precisely based on region, brand, or service.
Inside the Darcula Crime Network
Researchers at Mnemonic reverse-engineered Darcula’s backend and uncovered a powerful phishing toolkit named Magic Cat. This software powers the entire phishing infrastructure. Their infiltration of Darcula’s Telegram group revealed disturbing evidence—photos of SIM farms, modems, and luxury purchases likely funded by the operation.
Further OSINT work and passive DNS tracking helped link the operation to a 24-year-old individual from Henan, China. This person was tied to a company suspected of developing Magic Cat. When contacted, the company claimed the individual, Yucheng, was a former employee and denied involvement. Although the firm admitted Magic Cat was used for phishing, it said the software was only a tool for “website creation.” Although the company said the tool would be discontinued, a new version was later released, showing no intention of stopping.
NRK’s extended monitoring of Darcula’s Telegram network, which spanned over a year, uncovered around 600 individual scammers operating within the platform. Most of these actors communicate in Chinese, run SIM farms, and use payment terminals to process stolen cards.
One notable actor, identified as ‘x66/Kris’, appears to be a high-ranking user based in Thailand, responsible for generating massive volumes of phishing traffic.
These cybercriminals are highly organized and operate in closed online communities. The scale and coordination shown highlight the industrialization of phishing-as-a-service and its real-world financial impact.
All findings from this multinational investigation have been forwarded to law enforcement agencies, although it’s unclear if any arrests have been made or if takedowns are imminent.
The Darcula operation is a chilling reminder of how modern phishing attacks are evolving. With advanced tools, AI-generated scams, and hard-to-detect delivery channels, cybercriminals are finding new ways to steal and monetize personal data at scale.