
Darcula Cybercrime Platform Exploits 13 Million Victims Worldwide

A sophisticated cybercrime operation run through the Darcula Phishing-as-a-Service (PhaaS) platform has stolen 884,000 credit cards by luring users via deceptive text messages. This large-scale theft occurred over seven months, showcasing the alarming capabilities of modern cybercriminal ecosystems.

May 6, 2025

Arsalan Rathore

The scope of Darcula’s phishing operation was uncovered through an in-depth, collaborative investigation led by Norwegian broadcaster NRK, Bayerischer Rundfunk, Le Monde, and cybersecurity firm Mnemonic. Their findings reveal that more than 13 million malicious links were clicked globally during this period—an operation carried out by over 600 identified operators using infrastructure provided by the Darcula platform.

A Rise Fueled by Sophistication and Stealth

Darcula has quickly emerged as one of the most advanced phishing-as-a-service platforms. It targets users in over 100 countries by sending spoofed text messages posing as toll fines, delivery notifications, or service alerts from trusted brands—these messages direct victims to phishing websites hosted on over 20,000 domains that mimic legitimate sites.

Darcula’s use of delivery channels other than carrier SMS makes it especially dangerous. Researchers from Netcraft, who first reported on the platform in March 2024, highlighted that it sends its phishing messages over Rich Communication Services (RCS) and iMessage rather than plain SMS. Because these messages travel over data connections rather than the carrier SMS network, they sidestep SMS spam filtering, and their rich formatting lends the lures a credibility that increases the chance a user engages.
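The lures described above (toll, delivery and account alerts pointing at brand-lookalike domains) are exactly what a first-pass message triage filter should catch. The following is an added example, not code from the article or from any of the researchers it cites: it extracts URLs from a message, reduces each host to its registrable domain, flags hosts that contain a brand name without being one of that brand’s legitimate domains, and tags the lure theme. The brand list, the theme patterns and the sample messages are constructed for illustration and are assumptions, not data from the investigation.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> registrable domains the brand legitimately uses.
# Hypothetical and deliberately tiny; a real deployment loads a maintained list.
LEGIT_DOMAINS = {
    "usps": {"usps.com"},
    "dhl": {"dhl.com", "dhl.de"},
    "ezpass": {"e-zpassny.com", "ezpassnj.com"},
}

# Lure themes the article describes: toll fines, delivery notices, account/service alerts.
LURE_THEMES = {
    "toll": re.compile(r"\b(toll|e-?zpass|unpaid (?:toll|fee))\b", re.I),
    "delivery": re.compile(r"\b(package|parcel|delivery|redeliver|shipment)\b", re.I),
    "account": re.compile(r"\b(account (?:suspended|locked)|verify your (?:account|identity))\b", re.I),
}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
# Minimal stand-in for the public suffix list (assumption: only these multi-part suffixes).
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_hosts(text: str) -> list:
    """Pull every URL out of the message text and return its hostname."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,);")
        if not url.lower().startswith("http"):
            url = "http://" + url  # bare www.* link: give urlparse a scheme
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def brand_in_domain(host: str) -> list:
    """Return (brand, registrable_domain) pairs where the host name-drops a brand
    but the registrable domain is not one the brand actually owns."""
    reg = registrable_domain(host)
    squashed = host.replace("-", "").replace("_", "")  # catch usps-redelivery, e-zpass-toll
    return [(brand, reg) for brand, legit in LEGIT_DOMAINS.items()
            if brand in squashed and reg not in legit]


def triage(message: str) -> dict:
    """Score one message: a lure theme counts 1, each lookalike domain counts 2."""
    themes = [name for name, rx in LURE_THEMES.items() if rx.search(message)]
    hosts = extract_hosts(message)
    lookalikes = [hit for h in hosts for hit in brand_in_domain(h)]
    score = len(themes) + 2 * len(lookalikes)
    verdict = "likely smishing" if score >= 2 else "review" if score == 1 else "no indicators"
    return {"themes": themes, "hosts": hosts, "lookalikes": lookalikes,
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    samples = [
        "USPS: your package could not be delivered. Update your address at "
        "https://usps-redelivery-update.com/track",
        "Your E-ZPass toll balance is overdue. Pay now at https://e-zpassny.com/pay",
        "Lunch tomorrow at 12?",
    ]
    for s in samples:
        print(triage(s)["verdict"], "<-", s[:60])
```

A lure theme alone only earns a "review" verdict, because a genuine toll or delivery notice uses the same vocabulary; the decisive signal is a brand name inside a domain the brand does not own, which is how lookalike hosting across tens of thousands of throwaway domains shows up in practice. The registrable-domain step matters: without it, a phishing host such as usps.com.example.net would look like the brand’s own domain.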

By early 2025, Darcula had evolved further. Its backend introduced auto-generated phishing kits for any brand, tooling to convert stolen card details into virtual cards, and a streamlined admin panel, making it easier for criminals to launch campaigns. In April 2025, the service integrated generative AI capabilities, allowing threat actors to create personalized, localized phishing lures with large language models.

Behind the Scenes: The Magic Cat Toolkit and Operator Networks

Mnemonic’s investigation revealed that Darcula’s infrastructure relies on a toolkit named Magic Cat, a phishing framework that powers the entire operation. By reverse-engineering the setup and infiltrating Darcula’s private Telegram groups, researchers found extensive use of SIM farms and 4G modems to send messages at volume, and of payment terminals to cash out the stolen card data.

These Telegram groups, in which communication was mostly in Chinese, hosted discussions among operators managing high-volume phishing campaigns. Some of these individuals were found to be running sophisticated setups to send thousands of phishing messages and process compromised cards.

NRK identified a 24-year-old individual from Henan, China, believed to be one of the developers behind Magic Cat. The individual was linked to a company that initially denied any involvement in fraud, saying its software was meant for legitimate website creation. Although the company promised to shut down Magic Cat, investigators later observed a new version being released.

Hierarchy and Monetization

NRK also reported on several high-ranking users within the Darcula ecosystem, including a Thailand-based operator identified as “x66/Kris,” suspected of being near the top of the operation’s hierarchy. Photos obtained by the researchers showed phones and hardware loaded with stolen card data, alongside signs of the lavish lifestyles some operators were funding through the scheme.

The full extent of the stolen data might be far greater than the reported 884,000 cards, as this only reflects what was documented within the investigation window. The platform’s scalability and adaptability suggest its potential for continued damage if not dismantled.

All findings from the investigation have been shared with law enforcement agencies to assist in efforts to identify, track, and prosecute those involved.