OSLO, Norway–According to a new report, the Darcula phishing-as-a-service (PhaaS) platform stole 884,000 credit cards from 13 million clicks on malicious links sent via text messages to targets worldwide.
The cyber heist was done over seven months between 2023 and 2024, so it does not reflect the total amount the cybercrime platform has helped to steal, BleepingComputer.com is reporting.
According to the report, the numbers come from coordinated research by investigators from NRK, Bayerischer Rundfunk, Le Monde, and Norwegian security firm Mnemonic, which identified 600 operators (cybercrime clients) and the platform’s main creator and seller.
Darcula is a PhaaS platform that targets Android and iPhone users in over 100 countries using 20,000 domains that spoof well-known brands, aiming to steal people’s account credentials, BleepingComputer.com stated.
A Common Strategy
“These phishing texts commonly pretend to be road toll fines or package shipping notifications that include links to phishing sites,” the report said. “Netcraft researchers, who were the first to highlight the rising threat in March 2024, noted that Darcula was set apart from similar cybercrime services via its ability to use RCS and iMessage instead of SMS, which made its attacks more effective.”
According to BleepingComputer.com, in February 2025 the same researchers reported that Darcula had “undergone a significant evolution,” now allowing operators to auto-generate phishing kits for any brand, while also implementing new stealth features, a credit card to virtual card converter, and a simplified admin panel.
Generative AI Arrives
“In April 2025, Netcraft saw the introduction of generative AI in Darcula, allowing cybercriminals to craft custom scams with the help of LLM tools in any language and for any topic,” the report added.
Investigators said they have traced the operation’s digital footprints to a 24-year-old Chinese individual and a GitHub developer account.
In a separate post, NRK reveals about 600 individual scammers using Darcula to steal payment card information from victims globally, with 884,000 cards captured worldwide, the report said.
