
The Darcula phishing-as-a-service (PhaaS) platform has been linked to the theft of 884,000 credit cards through a global SMS phishing campaign. Between 2023 and 2024, the operation generated 13 million malicious link clicks, targeting victims in over 100 countries. The platform, operated by a Chinese developer, used advanced evasion techniques, including RCS/iMessage bypass and AI-generated phishing kits, to avoid detection [1].
Scale and Impact
The campaign’s reach was extensive, with 600 operators managing the infrastructure through closed Telegram groups. In Norway alone, 138,000 clicks led to 19,000 compromised credit cards, according to Mnemonic’s 2025 report [2]. The platform’s backend, dubbed the “Magic Cat Toolkit,” allowed operators to impersonate trusted brands such as USPS and major banks, increasing the success rate of attacks. The use of encrypted messaging protocols like RCS and iMessage helped bypass traditional SMS firewalls, making detection more difficult for security teams [3].
Technical Innovations
Darcula’s operators leveraged AI to automate the creation of multilingual phishing kits, reducing the need for manual intervention. The platform also employed a distributed infrastructure, with servers hosted in Los Angeles and Tencent Cloud, complicating attribution efforts [4]. A key figure behind the operation, identified as Yucheng C., 24, was linked to a Henan-based tech company, though no arrests have been made as of May 2025 [5].
Law Enforcement and Industry Response
Following the FBI’s takedown of the LabHost PhaaS platform in 2025, security researchers highlighted Darcula’s superior evasion capabilities. Netcraft’s analysis noted that Darcula offered over 200 phishing templates, lowering the barrier to entry for cybercriminals [6]. The FBI’s release of 42,000 LabHost-linked domains provided additional threat intelligence, though Darcula remains operational with an updated version featuring enhanced evasion techniques [7].
Mitigation and Recommendations
Organizations should prioritize employee training to recognize SMS phishing attempts, particularly those impersonating postal services or financial institutions. Implementing multi-factor authentication (MFA) and monitoring for unusual transaction patterns can reduce the risk of credential theft. Security teams should also analyze shared threat intelligence, such as the FBI’s domain list, to block known malicious infrastructure [8].
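As an added example (not code from the article or from any of the cited vendors), the following Python shows how a security team can operationalize a shared domain list of the kind the FBI released: it normalizes the feed, then checks every URL in proxy log lines for an exact or subdomain match. The blocklist entries and log lines are constructed placeholders on the reserved `.invalid` TLD, not real indicators.

```python
"""Match URLs from proxy logs against a shared phishing-domain blocklist.
Added example for this article; feed entries and log lines are constructed."""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed placeholder feed, one domain per line, with the comments, blank
# lines, odd casing and trailing dots that shared lists commonly contain.
BLOCKLIST_FEED = """
# phishing domains (placeholders, not real indicators)
usps-tracking-example.invalid
  Parcel-Notice-Example.INVALID.
bank-login-example.invalid
"""

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = [
    "2025-05-01T09:14:02Z 10.0.8.21 GET https://track.usps-tracking-example.invalid/parcel?id=7Qx 200",
    "2025-05-01T09:14:05Z 10.0.8.21 GET https://www.example.com/ 200",
    "2025-05-01T09:15:40Z 10.0.8.33 GET http://BANK-LOGIN-EXAMPLE.invalid./verify 200",
    "2025-05-01T09:16:01Z 10.0.8.40 GET https://notbank-login-example.invalid/ 200",
]

URL_RE = re.compile(r"https?://[^\s\"']+")


def load_blocklist(feed: str) -> Set[str]:
    """Normalize feed entries: drop comments and blanks, lowercase, strip trailing dot."""
    domains = set()
    for line in feed.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            domains.add(entry)
    return domains


def matches_blocklist(host: str, blocklist: Set[str]) -> Optional[str]:
    """Listed domain if host equals it or is a subdomain; label-based, never the bare TLD."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(lines: List[str], blocklist: Set[str]) -> List[Tuple[str, str]]:
    """Return (observed host, matched entry) for each blocklisted URL in the log."""
    hits = []
    for url in (u for line in lines for u in URL_RE.findall(line)):
        host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lowercased
        hit = matches_blocklist(host, blocklist) if host else None
        if hit:
            hits.append((host, hit))
    return hits
```

Note that `notbank-login-example.invalid` is not flagged: matching is on whole DNS labels, so a listed domain does not produce substring false positives against look-alike names.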
Conclusion
The Darcula PhaaS operation highlights the growing sophistication of SMS phishing campaigns. With AI-driven automation and encrypted messaging bypasses, threat actors can scale attacks while evading traditional defenses. Continued collaboration between law enforcement and the cybersecurity community will be essential to disrupt such operations in the future.
References
- “Darcula PhaaS steals 884,000 credit cards via SMS phishing texts,” BleepingComputer, 2025.
- “Exposing Darcula,” Mnemonic, 2025.
- “Darcula smishing attacks target USPS and global postal services,” Netcraft, 2024.
- “The Hunt for Darcula,” NRK, 2025.
- Mert SARICA, LinkedIn post on FBI’s phishing domain list, 2025.
- Pierluigi Paganini, LinkedIn post on LabHost vs. Darcula, 2025.
- “FBI shares massive list of 42,000 LabHost phishing domains,” BleepingComputer, 2025.