The Darcula phishing-as-a-service (PhaaS) platform stole 884,000 credit cards from 13 million clicks on malicious links sent via text messages to targets worldwide. These numbers come from coordinated research by investigators from NRK, Bayerischer Rundfunk, Le Monde, and Norwegian security firm Mnemonic, who identified 600 operators (cybercrime clients) and the platform's main creator and seller. In a separate post, NRK reports that about 600 individual scammers use Darcula to steal payment card information from victims globally, with 884,000 cards captured worldwide.

Darcula is a PhaaS platform that targets Android and iPhone users in over 100 countries using 20,000 domains that spoof well-known brands, aiming to steal people's account credentials. Netcraft researchers, who were the first to highlight the rising threat in March 2024, noted that Darcula was set apart from similar cybercrime services by its ability to use RCS and iMessage instead of SMS, which made its attacks more effective. In February 2025, the same Netcraft researchers reported that Darcula had undergone a significant evolution: operators could now auto-generate phishing kits for any brand, and the platform had gained new stealth features, a credit card to virtual card converter, and a simplified admin panel. In April 2025, Netcraft saw the introduction of generative AI in Darcula, allowing cybercriminals to craft custom scams with the help of LLM tools in any language and on any topic.

Mnemonic's investigation, which involved reverse-engineering the phishing infrastructure, led to the discovery of a powerful phishing toolkit named 'Magic Cat,' which is the backbone of the Darcula operation. The researchers also infiltrated the Telegram group associated with the Darcula operation, uncovering photos of SIM farms, modems, and evidence of lavish lifestyles financed by the scams. Operators are organized into closed Telegram groups, which NRK monitored for over a year, finding that most communicate in Chinese and run SIM farms and hardware setups to send mass text messages and process stolen cards via terminals. NRK's report highlights operators with very high volumes of malicious traffic facilitated by Darcula, including a Thai-based user, 'x66/Kris,' who appears to be high in the hierarchy.
Published on www.bleepingcomputer.com, Mon, 05 May 2025 17:35:16 +0000.