Darcula operators stole data from over 884,000

Megiddo
The Darcula phishing platform is responsible for the theft of 884,000 bank cards, and victims of hackers around the world clicked on malicious links received via text messages 13 million times.

These statistics are cited by analysts from NRK, Bayerischer Rundfunk, Le Monde and Mnemonic in a joint report. The researchers managed to identify more than 600 Darcula operators, as well as the creator and main distributor of the platform's services.

Darcula is a PhaaS (phishing-as-a-service) platform that targets Android and iPhone users in more than 100 countries. The criminal service uses 20,000 domains imitating well-known brands to steal credentials.

Phishing messages sent by the platform's operators are usually fake fines or parcel delivery notifications containing links to phishing sites. Researchers from Netcraft were among the first to notice Darcula's activity in March 2024. They noted that the platform differed from similar hacking services in that it used RCS and iMessage instead of SMS messages, which made attacks more effective.

In February 2025, the same researchers reported that Darcula had undergone significant changes and now allows its operators to automatically generate phishing kits to attack any brand. And in April of this year, it became known that the phishing service began to use AI, and with the help of LLM tools, hackers can create their own campaigns in any language and on any topic.

The current investigation by Mnemonic included reverse engineering of Darcula's phishing infrastructure and led to the discovery of a powerful toolkit called Magic Cat, which underlies the phishing platform.

The researchers also infiltrated a Telegram group associated with Darcula and found photos of SIM farms, modems, and evidence of the luxurious lifestyles of the service's operators.

Using OSINT and passive DNS analysis, analysts traced the platform's digital footprint and discovered a Chinese citizen and his GitHub developer account. It is believed that this person may be behind the creation of Darcula.

In turn, NRK reports that this person is a 24-year-old resident of the Chinese city of Henan, and he is associated with the company that develops the aforementioned Magic Cat. At the same time, company representatives reported that this person no longer works for them, and also denied involvement in any fraud, claiming that they sell only "website creation software."

NRK notes that the company eventually admitted that Magic Cat is used for phishing, and even said that they would disable it, but a new version of the tool was soon released.

In a separate article, researchers talk about 600 fraudsters using Darcula to steal bank card data. According to experts, the platform's operators have already managed to steal information on 884,000 cards around the world.

Darcula operators use closed groups in Telegram, which NRK specialists have been monitoring for over a year. Most of these chats are in Chinese, and their members use SIM farms and various hardware solutions for mass text messaging and for subsequent processing of the stolen cards.

The NRK report separately talks about Darcula operators generating large volumes of malicious traffic. For example, a user from Thailand with the nickname x66/Kris occupies a high position in the hierarchy associated with the service.

The researchers emphasize that they have already passed on all the information they collected to law enforcement agencies.