Darcula, a phishing-as-a-service (PhaaS) platform, has stolen over 884,000 credit cards through 13 million malicious link clicks over seven months between 2023 and 2024.

The findings come from a coordinated investigation by NRK, Bayerischer Rundfunk, Le Monde, and cybersecurity firm Mnemonic, which exposed Darcula’s global operations involving 600 cybercriminal operators and traced the platform’s roots to a 24-year-old developer in Henan, China.

Darcula stands out for targeting Android and iPhone users in over 100 countries using more than 20,000 fake domains mimicking legitimate brands. Phishing messages often appear as road toll fines or fake package notifications and are delivered through RCS and iMessage, making them harder to detect than traditional SMS scams.

In recent months, Darcula has evolved dramatically. In February 2025, it introduced features like auto-generated phishing kits, a credit-to-virtual card converter, and stealth capabilities. By April 2025, the service will be integrated with generative AI, enabling cybercriminals to craft hyper-personalized scams in any language.

The investigation also revealed a sophisticated back-end system powered by a phishing toolkit named Magic Cat, and Telegram groups filled with SIM farms, terminals, and lavish displays of criminal profits. The alleged developer’s company denied involvement and promised to shut Magic Cat down, yet a new version was released even after that promise.
