Every minute, thousands of text messages travel from one phone to another. Some bring news from friends or purchase alerts, but others hide traps designed to drain bank accounts. One of the most sophisticated and dangerous recent threats is Darcula PhaaS, a Phishing-as-a-Service platform that enabled cybercriminals to steal 884,000 credit cards after generating over 13 million clicks on malicious links sent via SMS to victims worldwide.
The fraud spread over seven months between 2023 and 2024, although that figure barely reflects the total damage caused by this criminal network, which gathered more than 600 operators and was developed and distributed by a single main creator. Understanding how these threats operate is not just important—it’s essential to protect your financial information and stay one step ahead of digital criminals.
The Rapid Rise of Darcula
Darcula is not just another online scam. It’s a Phishing-as-a-Service platform that has grown at an impressive pace. It targets both Android and iPhone users in over 100 countries and uses around 20,000 domains impersonating well-known brands to steal people’s account credentials.
The messages it sends usually appear very legitimate. They often pretend to be toll fines or package delivery notices and include links leading to fake websites designed to steal personal information.
Netcraft (the first to sound the alarm in March 2024) explained that Darcula stood out because, unlike other scams, it didn’t just use SMS. It could also leverage RCS and iMessage, making its scams more credible and effective.
In February 2025, the same experts noted that Darcula had evolved significantly. It now allowed attackers to automatically create phishing kits for any brand, incorporated new hidden features, and even had a system to convert stolen credit cards into virtual cards. All of this was managed through a very user-friendly control panel.
And as if that weren’t enough, in April 2025 it was discovered that Darcula had taken another major leap: it integrated generative AI. This allowed cybercriminals to use large language models (LLMs) to create personalized scams in any language and on any topic. In other words, Darcula became smarter and much more dangerous.
Operator phones loaded with stolen cards (Source: Mnemonic)
Uncovering How Darcula Works
The researchers who managed to dig deep into Darcula did an impressive job. By dismantling its phishing infrastructure, they discovered a powerful tool called "Magic Cat," which is essentially the heart of the entire operation.
But they didn’t stop there. They also infiltrated one of the private Telegram groups where everything was coordinated. There, they found photos of SIM farms, modems, and even evidence that the scammers were using the stolen money to fund luxury lifestyles.
Using OSINT (open-source intelligence) techniques and analyzing passive DNS records, the experts followed the digital trail to a 24-year-old man from Henan, China. This individual was linked to a company that, according to their findings, developed the infamous Magic Cat.
When asked about it, the company admitted that Magic Cat was being used for phishing and promised to remove it. But shortly afterward, a new version appeared. They also claimed that the young man in question, named Yucheng, had worked with them but denied any connection to the scams, saying they only sold "software for creating websites."
The investigators also identified around 600 individual scammers using Darcula to steal credit card data worldwide. In fact, those scammers managed to capture information from 884,000 cards.
These criminals didn’t operate alone. They were organized in closed Telegram groups, where they mostly communicated in Chinese and operated SIM farms and specialized hardware to send mass messages and process stolen cards.
Among them stood out a user known as ‘x66/Kris’, who operated from Thailand and appeared to hold a high position in Darcula’s hierarchy due to the enormous volume of malicious traffic he managed. All the information the researchers uncovered was shared with the authorities to support legal actions against those responsible.
Darcula Now Uses Artificial Intelligence to Create Phishing Pages
This phishing platform has also made a major leap in its evolution: it now uses artificial intelligence to create fake pages in multiple languages, quickly and with almost no effort.
What is Darcula-Suite?
In early 2025, Darcula launched its version 3 with a new control panel and even a desktop application. This made launching phishing campaigns easier than ever. But the real revolution came with the latest update: Darcula-Suite. With this new version, cybercriminals can now:
- Automatically clone the design of any website.
- Customize phishing forms in any language.
- Translate entire pages without losing the original formatting.
- Create fake sites without needing to know how to program or design.
Basically, anyone (even without technical knowledge) can use Darcula-Suite to launch highly elaborate online scams tailored to the language and culture of their victims. This has dramatically lowered the difficulty of creating sophisticated phishing campaigns, allowing more scammers to engage in these activities.
How to Protect Yourself from SMS Phishing
Even though hackers are becoming increasingly creative, there are several simple steps you can take to avoid falling into their traps:
- Be suspicious of strange messages: If you receive an SMS asking for personal or payment information, always be cautious, even if it appears to come from your bank or a well-known company.
- Don’t click on suspicious links: If a message contains a link, don’t open it. It’s better to go directly to the official website by typing the address into your browser.
- Enable two-factor authentication: Activate two-factor authentication on all your important accounts. That way, even if someone gets your password, they won’t be able to access your accounts easily.
- Keep your phone updated: Always update your system and apps. Many updates fix security flaws that criminals could exploit.
- Use a good antivirus or anti-malware app: Install a reliable security app on your phone. It’s an extra layer of protection that’s always worth having.
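For teams that filter or triage reported messages, the same link advice can be turned into a simple check. The following is an added example, not code from Netcraft, Mnemonic or the original article: it scores an SMS using the toll and delivery lures described earlier and flags links whose hostname does not belong to the brand being named. The brand names, domains and sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Hypothetical brand -> official domains map; a real deployment maintains its own.
OFFICIAL_DOMAINS = {
    "examplepost": {"examplepost.example"},
    "exampletoll": {"exampletoll.example"},
}
# Lure themes the article names: toll fines and package delivery notices.
LURE_TERMS = re.compile(r"\b(toll|unpaid|parcel|package|delivery|redeliver\w*)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(within \d+ hours?|immediately|final notice)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_of(url):
    """Lowercase hostname of a URL, ignoring trailing punctuation; '' if unparsable."""
    try:
        host = urlsplit(url.rstrip(".,;:!?)")).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()

def is_official(host, domains):
    """True only for an official domain or a subdomain of one (label-boundary match)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def score_sms(text):
    """Return (score, reasons) for one SMS body; each reason adds one point."""
    reasons = []
    hosts = [h for h in map(host_of, URL_RE.findall(text)) if h]
    lowered = text.lower()
    for brand, domains in OFFICIAL_DOMAINS.items():
        if brand in lowered:  # brand named in the text or embedded in a hostname
            for host in hosts:
                if not is_official(host, domains):
                    reasons.append(f"brand '{brand}' with non-official host {host}")
    if hosts and LURE_TERMS.search(text):
        reasons.append("toll/delivery lure with link")
    if hosts and URGENCY_TERMS.search(text):
        reasons.append("urgency wording with link")
    return len(reasons), reasons

# Constructed sample messages (not real traffic).
SAMPLES = [
    "ExamplePost: parcel held. Pay the redelivery fee within 12 hours: "
    "https://examplepost.example.parcel-hold.example/pay",
    "ExamplePost: your parcel arrives tomorrow. Track: https://track.examplepost.example/t/1",
    "Lunch at 1pm? Menu here https://cafe.example/menu",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(score_sms(sms))
```

The first sample puts the official domain at the front of an unrelated hostname, which a naive substring check would accept; matching on the label boundary rejects it. The second sample is a legitimate notice that still scores one point for its delivery wording, so a score of one on its own should not be treated as phishing.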