Darcula PhaaS steals 884,000 credit cards via SMS phishing texts

The Darcula phishing-as-a-service (PhaaS) platform stole 884,000 credit cards from 13 million clicks on malicious links sent via text messages to targets worldwide. These numbers come from coordinated research by investigators from NRK, Bayerischer Rundfunk, Le Monde, and Norwegian security firm Mnemonic, who identified 600 operators (cybercrime clients) and the platform's main creator and seller.

Darcula is a PhaaS platform that targets Android and iPhone users in over 100 countries using 20,000 domains that spoof well-known brands, aiming to steal people's account credentials. Netcraft researchers, who were the first to highlight the rising threat in March 2024, noted that Darcula was set apart from similar cybercrime services by its ability to use RCS and iMessage instead of SMS, which made its attacks more effective. In February 2025, the same researchers reported that Darcula had undergone a significant evolution, now allowing operators to auto-generate phishing kits for any brand, while also implementing new stealth features, a credit card to virtual card converter, and a simplified admin panel. In April 2025, Netcraft saw the introduction of generative AI in Darcula, allowing cybercriminals to craft custom scams with the help of LLM tools in any language and for any topic.

Mnemonic's investigation, which involved reverse-engineering the phishing infrastructure, led to the discovery of a powerful phishing toolkit named 'Magic Cat,' which is the backbone of the Darcula operation. The researchers also infiltrated the Telegram group associated with the Darcula operation, uncovering photos of SIM farms, modems, and evidence of lavish lifestyles financed by the scams.

In a separate post, NRK reveals that about 600 individual scammers use Darcula to steal payment card information from victims globally, with 884,000 cards captured worldwide. Operators are organized into closed Telegram groups, which NRK monitored for over a year, finding that most communicate in Chinese and run SIM farms and hardware setups to send mass text messages and process stolen cards via terminals. NRK's report highlights operators with very high volumes of malicious traffic facilitated by Darcula, including a Thai-based user, 'x66/Kris,' who appears to be high in the hierarchy.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 05 May 2025 17:35:16 +0000

