Darcula PhaaS Breach: 884,000 Stolen Credit Card Details Across 13 Million User Clicks

A major security investigation has exposed the full extent of the Darcula “Phishing-as-a-Service” (PhaaS) operation, which has siphoned off the details of 884,000 credit cards through a global smishing campaign that saw over 13 million individual clicks from users worldwide.

The Darcula group, operating across encrypted messaging platforms and specialized software, orchestrated one of the most prolific phishing attacks of recent years, targeting victims in over 100 countries with branded SMS messages designed to harvest sensitive personal and financial data.

Technical Deconstruction of the Attack Chain

The campaign began in December 2023, when users, particularly in Norway, were inundated with seemingly legitimate SMS, iMessage, or RCS notifications purporting to be from trusted logistics brands.

These messages leveraged brand impersonation tactics to deceive recipients into revealing personal information and paying bogus fees, ultimately capturing their credit card data in real time.

What set Darcula’s approach apart was a suite of advanced anti-forensics techniques: links embedded in the smishing messages were accessible solely via cellular devices, blocking most desktop-based security and threat-intelligence tools from inspecting the malicious URLs.

The underlying phishing infrastructure employed client-side encryption using the Rabbit algorithm via the crypto-js library and Socket.IO for real-time communication, ensuring that even intercepted network traffic could not easily reveal the content of harvested data.

Image: Not Found message.

Security researchers circumvented these protections by mimicking both mobile device headers and originating IPs, ultimately gaining access to the admin “room” of the phishing platform.
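The mobile-only gating described above can be checked from the defender's side with the same differential fetch the researchers used: request the URL once with a desktop client profile and once with a mobile profile, then compare what comes back. This is an added example, not code from the article or from the investigation it reports; the user-agent strings, the simulated responses and the example.invalid URL are constructed for illustration.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed user-agent strings: one typical desktop browser, one mobile browser.
UA_DESKTOP = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
UA_MOBILE = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
Response = Tuple[int, str]                           # (HTTP status code, body text)
Fetcher = Callable[[str, Dict[str, str]], Response]

def http_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Real fetcher for analyst use; returns status and body even on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(200_000).decode("utf-8", "replace")

def classify_cloaking(url: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Fetch the URL once per client profile and compare what comes back."""
    d_status, d_body = fetch(url, {"User-Agent": UA_DESKTOP})
    m_status, m_body = fetch(url, {"User-Agent": UA_MOBILE})
    longest = max(len(d_body), len(m_body), 1)
    if d_status >= 400 and m_status == 200:
        verdict = "mobile-only"      # desktop clients are turned away outright
    elif d_status == m_status and abs(len(d_body) - len(m_body)) > 0.5 * longest:
        verdict = "differential"     # same status, materially different pages
    else:
        verdict = "consistent"
    return {
        "verdict": verdict,
        "desktop_status": d_status,
        "mobile_status": m_status,
        "mobile_has_form": "<form" in m_body.lower(),   # capture pages are forms
    }

def simulated_cloaked_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a gated landing page: desktop UAs get a bare
    Not Found, mobile UAs get the fee-payment form. Illustrative markup only."""
    if "Mobile" in headers.get("User-Agent", ""):
        return 200, "<html><body><form id='fee'><input name='card'></form></body></html>"
    return 404, "<html><body>Not Found</body></html>"

def simulated_plain_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed control: the same page for every client."""
    return 200, "<html><body><p>Track your parcel</p></body></html>"

if __name__ == "__main__":
    print(classify_cloaking("https://example.invalid/track", simulated_cloaked_site))
```

Swap `simulated_cloaked_site` for the default `http_fetch` to run the check against a real URL from an isolated analysis host; originating-IP checks, which the researchers also had to satisfy, are outside what a header-only probe can emulate.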

This admin interface provided an unfiltered view of victim submissions, displayed as character-by-character updates, as well as dashboards from which phishers could request additional authentication information or PINs.

The phishing kit, dubbed “Magic Cat,” was distributed via invitation-only Telegram channels, often linked to a Chinese syndicate known as “Darcula.”

Magic Cat enabled non-technical operators to launch highly realistic phishing sites for hundreds of international brands with minimal effort, featuring automated integration with SMS gateways and real-time data streaming to dashboards.

The software also included surprising features, such as a built-in licensing system, activation key generation for license management, and even potential backdoor-like developer access, raising concerns about secondary exploitation by the kit’s creators.

Global Impact and Attribution Efforts

Through comprehensive OSINT (Open Source Intelligence) and digital forensics, researchers traced the infrastructure behind the Darcula operation, uncovering cloud-hosted servers, GitHub repositories, and Telegram identities tied to the syndicate’s core operators.

Image: Node.js library.

Cross-referencing leaked database records, historical domain registrations, and masked phone numbers, investigators were able to link the syndicate to Chinese nationals operating across multiple international jurisdictions.

According to the report, the Darcula Magic Cat breach highlights the industrialization of cybercrime, blending commercial-grade software development, real-time cloud operations, and broad social engineering to enable fraud at vast scale.

The case has since been escalated to law enforcement agencies, with ongoing efforts to dismantle the infrastructure and identify individuals behind one of the most significant PhaaS breaches in recent memory.

Security experts caution that vigilance, multi-factor authentication, and robust user education remain critical to blunting the effectiveness of such attacks as threat actors continue to innovate.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.