A sophisticated phishing operation targeting smartphone users across America and more than 100 other countries has stolen nearly 900,000 credit cards through deceptive text messages. The scheme, which operated for just seven months between 2023 and 2024, represents a disturbing evolution in cybercrime-as-a-service platforms that increasingly leverage artificial intelligence and messaging technologies familiar to U.S. consumers.
The Rise of Darcula: A New Breed of Cybercrime Service
The Darcula phishing-as-a-service (PhaaS) platform generated 13 million clicks on malicious links sent via text messages, resulting in the theft of 884,000 credit cards worldwide. These figures emerged from a collaborative investigation by international news organizations, including NRK, Bayerischer Rundfunk, and Le Monde, working alongside Norwegian security firm Mnemonic.
The investigation identified approximately 600 operators – essentially clients of the cybercrime service – along with the platform’s primary creator and seller. Researchers traced the operation to a 24-year-old individual from Henan, China, connected to a company believed to have developed the core phishing toolkit called “Magic Cat.”
How the Scam Targets American Consumers
Darcula specifically targets both Android and iPhone users through a network of 20,000 domains designed to impersonate trusted brands. American consumers typically receive text messages disguised as road toll fines or package delivery notifications – a particularly effective tactic given the rise of e-commerce in the U.S. market.
What sets Darcula apart from similar cybercrime services is its ability to leverage RCS (Rich Communication Services) and iMessage instead of traditional SMS. This technological advantage makes its attacks more effective and harder to detect for typical smartphone users, who might trust messages appearing in their regular messaging apps.
The Evolving Threat Landscape
Security researchers at Netcraft, who first highlighted Darcula’s emergence in March 2024, documented the platform’s rapid evolution. By February 2025, Darcula had implemented features allowing operators to automatically generate phishing kits for any brand, and had added stealth capabilities, credit-card-to-virtual-card conversion tools, and a simplified administration panel.
Perhaps most concerning for U.S. cybersecurity experts, Darcula incorporated generative AI capabilities in April 2025. This enables cybercriminals to use large language models to craft customized scams in any language, aimed at any demographic or interest group – a significant threat to American consumers, who may be targeted with increasingly personalized and convincing fraudulent messages.
Inside the Criminal Operation
Mnemonic’s investigation involved reverse-engineering the phishing infrastructure, revealing the sophisticated “Magic Cat” toolkit powering the Darcula operation. Researchers infiltrated Telegram groups associated with the criminal network, uncovering evidence of SIM farms, modems, and glimpses of the lavish lifestyles financed by the fraudulent operation.
The operators, organized into closed Telegram groups that investigators monitored for over a year, primarily communicate in Chinese. They manage hardware setups designed to send mass text messages and process stolen cards through payment terminals, creating an efficient pipeline for converting stolen financial information into cash.
The American Impact and Global Response
While the investigation doesn’t break down victim statistics by country, the scale of the operation suggests a significant impact on American consumers. With the United States representing one of the world’s largest markets for e-commerce and digital payments, American cardholders likely constitute a substantial portion of the 884,000 compromised accounts.
Investigators have shared their findings with relevant law enforcement authorities, though the cross-border nature of the crime presents challenges for prosecution. The company linked to the operation denied involvement in fraud, claiming it only sells “website-creation software.” However, investigators noted that despite promises to shut down Magic Cat, a new version was subsequently released.
For American consumers, the investigation highlights the growing sophistication of phishing attacks and the importance of scrutinizing unexpected text messages, even those that appear to come from trusted services or utilize familiar messaging platforms like iMessage.