A phishing-as-a-service (PhaaS) platform known as Darcula was used to steal the details of 884,000 payment cards from roughly 13 million clicks on links sent by SMS, with victims across the globe. The campaign, which ran for seven months between 2023 and 2024, was exposed in a joint investigation by journalists at NRK, Bayerischer Rundfunk and Le Monde together with the Norwegian security firm Mnemonic. More than 600 operators used Darcula, and the platform drew on some 20,000 domains to impersonate trusted brands, a scale that illustrates how far commoditised phishing has moved beyond the individual scammer.
Darcula's phishing texts typically posed as routine notifications, such as package-delivery updates or road-toll fines, and led to fake websites built to harvest account credentials and payment-card details. The operation targeted both Android and iPhone users in more than 100 countries; Mnemonic's investigation put the toll at 884,000 compromised cards from 13 million clicks. The phishing toolkit underpinning the platform, known as "Magic Cat", let operators run large-scale campaigns, with SIM farms and banks of modems used to send the texts in bulk. Researchers gained access to Darcula's Telegram groups, where operators flaunted their profits, including images of stolen cards being run through payment terminals.
Further details from the investigation, reported by outlets such as BleepingComputer, show how Darcula evolved. By February 2025 the platform offered auto-generated phishing kits for any brand, a converter that loads stolen card numbers into virtual cards, and a streamlined admin panel, lowering the effort needed to launch a campaign. By April 2025 Darcula had integrated generative AI, using large language models (LLMs) to produce custom phishing messages in any language and on any topic, which removes the language barrier that used to limit how widely a single operator could target. The adoption of LLMs by a criminal service of this size shows how quickly commodity AI tooling is absorbed into online fraud.
Darcula’s operations were largely coordinated through closed Telegram groups, where operators, primarily communicating in Chinese, managed their activities. A Thai-based operator known as “x66/Kris” was identified as a key figure, overseeing significant malicious traffic. The platform’s alleged creator, a former employee of a Chinese company, claimed Magic Cat was intended for legitimate website creation, but a new version was released despite promises to shut it down, casting doubt on efforts to curb the operation. Mnemonic and its partners have shared all findings with law enforcement, aiming to disrupt Darcula’s activities and bring its operators to justice, though the global nature of the scam poses challenges for enforcement.
The Darcula scam underscores the weakness of SMS as a phishing vector: users often treat text messages as more trustworthy than email, yet links in them are rarely scanned or rewritten before the user taps them. The use of 20,000 domains to mimic legitimate brands made the scam hard to detect, since each fraudulent site closely resembled the authentic one and blocking any single domain had little effect. The incident fits a broader rise in SMS-based scams; CTM360 has noted a global increase in fraudulent texts posing as rewards or toll notifications. The scale of Darcula's success, nearly 900,000 stolen cards, argues for both better user awareness of phishing and stronger filtering of malicious messages by telecom providers.
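To make the detection problem in the paragraph above concrete, here is an added example (not code from the investigation, from Mnemonic, or from the Darcula/Magic Cat platform) of the kind of heuristic a telecom or device-side filter can run on an incoming text: it extracts URLs, reduces each hostname to its registrable domain, folds common digit-for-letter homoglyphs, flags links whose domain is a homoglyph or one-edit typosquat of a known brand or that merely carries a brand name under some other apex, and combines that with the delivery and toll lure themes the article describes. The brand allow-list, the five sample messages, the keyword list and the thresholds are all constructed assumptions; a production filter would use the full Public Suffix List and a maintained brand list.

```python
"""Heuristic scorer for SMS phishing (smishing) lures pointing at brand-lookalike domains.

Added example, not part of the original article or of any Darcula/Magic Cat code.
The brand list, sample messages and thresholds are assumptions chosen for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed allow-list of legitimate brand apex domains -> short brand token (hypothetical).
BRAND_DOMAINS = {
    "usps.com": "usps",
    "dhl.com": "dhl",
    "ezdrivema.com": "ezdrivema",
    "paypal.com": "paypal",
}

# Digits and symbols commonly swapped for Latin letters in lookalike domains.
# Folding is only used for comparison, so a legitimate host with digits is not rewritten.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Lure themes the article describes: delivery notices and road-toll fines, plus urgency.
LURE_WORDS = ("toll", "fine", "package", "delivery", "redeliver", "unpaid", "suspend", "within 24 hours")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Minimal two-label public suffixes so "usps.com.co.uk" is not reduced to "com.co.uk";
# a real filter would load the full Public Suffix List instead of this stub.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp", "com.cn"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a hostname, e.g. 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats after homoglyph folding."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(host: str) -> list[str]:
    """Explain why a hostname looks like brand impersonation; an empty list means no finding."""
    apex = registrable_domain(host)
    if apex in BRAND_DOMAINS:
        return []  # the link really goes to the brand's own apex domain
    folded_host = host.lower().translate(HOMOGLYPHS)
    folded_apex = registrable_domain(folded_host)
    findings = []
    for brand_domain, brand in BRAND_DOMAINS.items():
        if folded_apex == brand_domain:
            findings.append(f"{apex} is a homoglyph of {brand_domain}")
        elif levenshtein(folded_apex, brand_domain) <= 1:
            findings.append(f"{apex} is within one edit of {brand_domain}")
        elif any(brand in label for label in folded_host.split(".")):
            # e.g. usps-redelivery-update.top or ezdrivema.com-pay.vip: brand name, wrong apex.
            # Short tokens such as "dhl" can false-positive here; tune per brand in practice.
            findings.append(f"brand '{brand}' used as a label of non-brand domain {apex}")
    return findings


def score_sms(text: str) -> dict:
    """Score one SMS: lookalike-domain findings plus lure themes, with a verdict."""
    hosts = [urlsplit(u).hostname or "" for u in URL_RE.findall(text)]
    findings = [f for h in hosts for f in domain_findings(h)]
    unknown_hosts = [h for h in hosts if registrable_domain(h) not in BRAND_DOMAINS]
    themes = [w for w in LURE_WORDS if w in text.lower()]
    if findings:
        verdict = "block"  # a lookalike domain alone is enough
    elif themes and unknown_hosts:
        verdict = "review"  # lure wording plus an unrecognised link: suspicious, not conclusive
    else:
        verdict = "allow"
    return {"verdict": verdict, "domain_findings": findings, "lure_themes": themes}


def scan(messages: list[str]) -> list[dict]:
    """Score a batch of messages in order."""
    return [score_sms(m) for m in messages]


# Constructed sample texts modelled on the lure themes described in the article (not real captures).
SAMPLE_SMS = [
    "USPS: your package is awaiting redelivery, confirm address within 24 hours: https://usps-redelivery-update.top/track",
    "EZDriveMA: unpaid toll fine of $4.15, pay now to avoid penalty https://ezdrivema.com-pay.vip/",
    "PayPal: unusual login, verify at https://paypa1.com/signin",
    "Your DHL parcel 0042 is out for delivery, track it at https://www.dhl.com/track",
    "Hi, dinner at 7? https://maps.example.org/restaurant",
]

if __name__ == "__main__":
    for msg, result in zip(SAMPLE_SMS, scan(SAMPLE_SMS)):
        print(f"{result['verdict']:6} {msg[:60]!r} {result['domain_findings']} {result['lure_themes']}")
```

The verdict logic deliberately treats a lookalike domain as sufficient on its own, because the article's point is that the lure text is convincing and varies (and with LLM generation will vary more), while the domain is what the operator cannot fake: a link whose registrable domain is not the brand's is wrong regardless of how the message reads.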
The integration of generative AI into Darcula's phishing kits is a concern for the future of this kind of fraud, since tailored, fluent messages in the victim's own language remove the spelling and grammar cues that users have relied on to spot scams. Consumers are urged to treat unsolicited text messages with caution: do not tap links in them, and verify any request directly with the alleged sender through a known channel, particularly for payments or account updates.
The Darcula PhaaS cyberattack has far-reaching consequences for its victims and the broader digital ecosystem. With 884,000 credit cards stolen, affected individuals face risks of financial loss, identity theft, and credit damage, requiring immediate steps like freezing cards and monitoring accounts for suspicious activity. On a systemic level, the incident highlights the need for international collaboration to combat cybercrime, given Darcula’s global reach and the borderless nature of such threats. As law enforcement works to dismantle the operation, the case serves as a critical reminder of the importance of robust cybersecurity practices in protecting users from increasingly advanced scams.
The Darcula PhaaS scam is a stark warning of the evolving tactics used by cybercriminals, underscoring the need for vigilance, education, and innovation to counter such threats. As AI continues to play a dual role in both enabling and combating cybercrime, staying ahead will require a collective effort from individuals, businesses, and policymakers. Have you encountered a phishing scam like Darcula, and what measures do you take to protect yourself online? Share your experiences and thoughts in the comments—we’d love to hear your insights on this pressing cybersecurity issue.