Darcula PhaaS Platform Used to Steal Data from Hundreds of Thousands of Payment Cards
Do Son 
A vast cyberfraud scheme leveraging the Darcula platform has led to the compromise of hundreds of thousands of payment cards worldwide. Threat actors employed large-scale phishing campaigns via SMS, luring unsuspecting users to fraudulent websites in order to harvest their sensitive data. Over a seven-month period spanning 2023 to 2024, more than 13 million clicks on malicious links were recorded, resulting in the theft of data from 884,000 bank cards.
Darcula operates as a phishing-as-a-service (PhaaS) platform, offering clients a turnkey infrastructure for conducting attacks. Its primary distribution vector involves counterfeit SMS, iMessage, and RCS messages disguised as delivery notices or penalty alerts—making the scheme significantly more convincing and effective than traditional SMS phishing tactics.
Investigations conducted jointly by media outlets and cybersecurity experts from the Norwegian firm Mnemonic revealed that the platform is active in over 100 countries, exploiting a network of 20,000 domains impersonating well-known brands. To date, around 600 operators have been identified as having utilized Darcula’s services. The platform’s chief architect, reportedly linked to China, has also been exposed.
As part of the investigation, analysts scrutinized the underlying infrastructure, including a malicious framework known as Magic Cat, which serves as the backbone of the operation. Researchers also infiltrated private Telegram groups where participants exchanged tutorials, equipment, and financial results of their campaigns. Within these channels, investigators uncovered photographs of SIM farms, modems, and terminals used to cash out stolen cards.
Darknet operators made extensive use of automated phishing kit generators, allowing them to convincingly mimic virtually any brand. In February 2025, new features emerged—ranging from virtual card creation and stealth modes to a simplified control panel. By April of that year, the platform had integrated a generative neural network, capable of crafting personalized scam campaigns in any language and tailored to any subject matter.
Digital forensics traced elements of the operation to a developer in China’s Henan province, reportedly affiliated with a company believed to be the creator of Magic Cat. While the company denied involvement in the fraudulent scheme—asserting it merely developed website creation tools—it wasn’t long before a new version of Magic Cat surfaced online, despite assurances that development would cease.
All evidence collected by the investigators has since been submitted to the appropriate law enforcement authorities.
