Darcula Phishing-as-a-Service Platform Exposes 884,000 Bank Cards in Sophisticated Attack Campaign

CyberSecureFox 🦊

A groundbreaking international investigation has uncovered one of the most sophisticated phishing operations to date, with the Darcula platform compromising 884,000 bank cards across more than 100 countries. The investigation, conducted by NRK, Bayerischer Rundfunk, Le Monde, and Mnemonic, revealed that malicious links distributed through the platform were accessed over 13 million times by unsuspecting victims.

Advanced Phishing-as-a-Service Infrastructure Revealed

The Darcula platform represents a significant evolution in phishing operations, operating as a sophisticated Phishing-as-a-Service (PhaaS) infrastructure targeting both Android and iPhone users. The platform’s extensive network encompasses approximately 20,000 domains, each meticulously designed to impersonate legitimate brands. Threat actors deploy convincing fake notifications about delivery services and financial penalties to lure victims into clicking malicious links.

Revolutionary Technical Capabilities Driving Attack Success

Breaking from traditional phishing methodologies, Darcula delivers its lures over RCS and iMessage rather than plain SMS. Because these channels bypass the carrier-level SMS spam filtering that conventional smishing has to contend with, delivery rates and attack effectiveness are significantly higher. The platform’s capabilities expanded in 2025 with automated phishing kit generation and AI-assisted multilingual campaign creation, demonstrating the increasing sophistication of modern cybercrime operations.

Technical Infrastructure and Operation Details

At the heart of Darcula’s operations lies the Magic Cat toolkit, discovered through careful reverse engineering of the platform’s infrastructure. The operation maintains impressive technical resources, including specialized SIM farms and mass messaging equipment. Of particular interest is a high-volume operator identified as “x66/Kris,” operating from Thailand, who has been responsible for generating substantial malicious traffic through the platform.

Threat Actor Profile and Organizational Structure

The investigation traced the platform’s creation to a 24-year-old developer based in Henan, China. The operation involves more than 600 active operators coordinating their activities through private Telegram groups, highlighting the organized nature of modern cybercrime networks. This distributed operational structure has made the platform particularly resilient to traditional takedown efforts.

This unprecedented investigation underscores the evolving sophistication of modern phishing operations and their increasing threat to global financial security. Security experts recommend implementing robust multi-factor authentication, maintaining updated security software, and exercising extreme caution with unexpected messages containing links. Organizations are advised to enhance their security awareness training programs and deploy advanced anti-phishing solutions to protect against similar threats. The evidence collected during this investigation has been shared with law enforcement agencies worldwide, marking a crucial step toward disrupting this sophisticated cybercriminal operation.
