Eye World Analysis – Global Cybercrime Threats
A sophisticated phishing-as-a-service (PhaaS) platform known as Darcula has enabled cybercriminals to steal 884,000 credit cards by distributing malicious text messages across more than 100 countries. The campaign operated covertly between 2023 and early 2024, generating 13 million clicks on fraudulent links.
This operation was uncovered by a joint investigation involving NRK, Bayerischer Rundfunk, Le Monde, and Norwegian cybersecurity firm Mnemonic. The research identified 600 operators who leveraged Darcula to deploy phishing campaigns targeting both Android and iOS users.
What Is Darcula and How Does It Work?
Darcula is a service platform that allows anyone to conduct phishing attacks without advanced technical skills. It provides access to more than 20,000 spoofed domains impersonating global brands. The fake messages often appear as road toll notices or package tracking updates, prompting users to click embedded phishing links.
Unlike many SMS-based smishing platforms, Darcula sends its messages over RCS and iMessage rather than plain SMS, which lets them bypass traditional SMS filters. This approach significantly boosts the delivery and success rate of phishing texts.
AI-Driven Fraud and Scalable Attacks
In 2025, researchers from Netcraft observed the platform’s evolution into a more advanced system. Darcula now offers auto-generated phishing kits for nearly any brand. Additional upgrades include:
- Virtual credit card conversion tools
- Stealth enhancements for avoiding detection
- A simplified control panel for cybercriminals
- Generative AI integration, allowing attackers to craft persuasive phishing messages in multiple languages using large language models
Inside Darcula’s Infrastructure
By reverse-engineering Darcula’s phishing setup, Mnemonic’s technical investigation identified the platform’s core toolkit, dubbed “Magic Cat”. The researchers also infiltrated Telegram channels used by the group, finding evidence of SIM farms, mobile modem banks, and operators flaunting wealth gained through the scams.
Using OSINT techniques and DNS tracking, the investigators traced Darcula’s infrastructure to a Chinese national, allegedly tied to a company that helped build the Magic Cat software.
The company denied direct involvement and claimed the software was intended for legal use, but it acknowledged that the software had been abused for phishing. Although the company stated the tool would be discontinued, a new version was released shortly after.
Global Reach, Local Damage
NRK confirms that Darcula’s clients have been operating on a global scale. The platform has already captured nearly 884,000 card records, with phishing domains continually being cycled to evade blacklists. Victims span the globe, and the number of affected individuals is likely to grow.
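Because the phishing domains are cycled to evade blacklists, an exact-match blocklist misses each newly registered domain. The following is an added example, not code from the investigation or from any vendor: it triages message text by checking whether a linked host imitates a brand keyword without belonging to that brand. The brand inventory, lure terms, domains and messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed brand inventory (keyword -> legitimate domains); replace with your own.
BRANDS = {"examplepost": {"examplepost.example"},
          "exampletoll": {"exampletoll.example"}}
# Lure themes the article names: road toll notices and package tracking updates.
LURE_RE = re.compile(r"\b(toll|unpaid|parcel|package|delivery|tracking)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
FOLD = str.maketrans("0135", "oles")  # undo common digit-for-letter swaps

def hosts_in(message):
    """Return the lowercase hostname of every http(s) URL in the message."""
    hosts = []
    for url in URL_RE.findall(message):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def impersonated_brand(host):
    """Return the brand keyword a host imitates, or None if legitimate or unrelated."""
    legit = [d for domains in BRANDS.values() for d in domains]
    if any(host == d or host.endswith("." + d) for d in legit):
        return None
    squashed = re.sub(r"[^a-z0-9]", "", host).translate(FOLD)
    return next((b for b in BRANDS if b in squashed), None)

def triage(message, blocklist):
    """Return 'blocked', 'phish-likely', 'review' or 'ok' for one message."""
    hosts = hosts_in(message)
    if any(h in blocklist for h in hosts):
        return "blocked"
    if any(impersonated_brand(h) for h in hosts):
        return "phish-likely" if LURE_RE.search(message) else "review"
    return "ok"

BLOCKLIST = {"old-campaign.test"}  # constructed: a domain already reported
SAMPLES = [  # constructed messages using reserved .test/.example domains
    "Pay here https://old-campaign.test/x",
    "ExampleToll: unpaid toll on your account. Pay at https://exampletoll-pay.test/i",
    "Examp1ePost: parcel held, confirm address https://examp1epost.help-desk.test/",
    "Your package is out for delivery: https://track.examplepost.example/p/123",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg, BLOCKLIST), "|", msg)
```

The second and third samples are not on the blocklist, yet both are flagged because the host carries a brand keyword outside the brand's own domain; internationalized (punycode) hostnames are not decoded here and would need separate handling.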
The Broader Cybersecurity Implication
Darcula illustrates how phishing-as-a-service is evolving with enterprise-like efficiency. Cybercriminals no longer require deep technical knowledge. Tools like Magic Cat and AI-powered phishing kits lower the barrier to entry and increase risk for both individuals and businesses.