Phishing network around "Darcula" exposed for scam text messages

An international investigation has uncovered the structures of a fraud network. Around 900,000 people fell for it.

Criminals steal credit card data, money,

(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)


The scam is as old as it is familiar, and it still works: a message appears on the smartphone, supposedly from DHL, for example, about a parcel. To have it delivered, you first have to pay a small fee. The link in the message leads to a convincing imitation of the company's website, which asks for credit card details. Anyone who enters them has been caught: there is no parcel, and the criminals are not after the small fee but after the credit or debit card details, which they then use to shop at the victim's expense.

As an international investigation by Bayerischer Rundfunk (BR), the Norwegian broadcaster NRK and the French daily Le Monde has now uncovered, a network of cybercriminals organized along a division of labor is behind these messages. The reporting was preceded by an analysis of the network and its software by the Norwegian security company Mnemonic, whose researchers had themselves received a fake message purporting to come from the Norwegian postal service.

The link in the message was also somewhat shielded from investigation: the phishing page would only load when visited from a smartphone browser over a mobile network connection. Such a check is easy to spoof, and the researchers used the target website as their way into the fraudsters' infrastructure. According to NRK, they ultimately had access to the phishers' internal chats and a Telegram group for seven months. The phishers work with a tool called "Magic Cat", which generates fake websites, with AI assistance if desired. The researchers passed their findings to the media outlets named above, which pursued the story.
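The article does not say how the kit decided that a visitor was a smartphone; a User-Agent check is the most common way such mobile-only cloaking is done, and the following added example (not code from Magic Cat or from the investigators) assumes that mechanism to show both sides: the gate that hides the lure from desktop analysts and URL scanners, and the analyst's spoofed request that gets past it. All header values and the lure page are constructed samples.

```python
"""Mobile-only cloaking gate and an analyst's bypass (illustrative, not the kit's code).

Assumption: the kit matches on the User-Agent header. The page only states that
the link answered to smartphone browsers on mobile connections; it does not say
how that was checked. The carrier-network requirement cannot be shown offline
and is not modelled here.
"""
import re

# Tokens typical of smartphone browsers (assumed matching rule).
MOBILE_UA_PATTERN = re.compile(r"\b(Android|iPhone|iPad|Mobile)\b", re.IGNORECASE)

# Desktop platform tokens that override a stray "Mobile" match.
DESKTOP_UA_PATTERN = re.compile(r"(Windows NT|Macintosh|X11; Linux)")

# Constructed sample User-Agent strings.
IPHONE_UA = (
    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) "
    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1"
)
DESKTOP_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/124.0 Safari/537.36"
)


def is_mobile_user_agent(user_agent: str) -> bool:
    """Return True if the header looks like a smartphone browser."""
    if not user_agent:
        return False
    if DESKTOP_UA_PATTERN.search(user_agent):
        return False
    return bool(MOBILE_UA_PATTERN.search(user_agent))


def gate(request_headers: dict) -> tuple[int, str]:
    """Simulated kit behaviour: serve the lure only to smartphone browsers.

    Non-mobile visitors (desktop analysts, crawlers, URL scanners) get a bland
    404, so the phishing page is never captured by a casual desktop visit.
    """
    if not is_mobile_user_agent(request_headers.get("User-Agent", "")):
        return 404, "Not Found"
    # Constructed lure page standing in for the cloned parcel-service site.
    return 200, "<html>Your parcel is waiting. Pay the 1.99 EUR fee: [card form]</html>"


def analyst_headers(user_agent: str = IPHONE_UA) -> dict:
    """Headers an analyst sends from a desktop tool to pass the gate."""
    return {
        "User-Agent": user_agent,
        "Accept": "text/html",
        "Accept-Language": "nb-NO,nb;q=0.9",  # match the lure's target locale
    }


def fetch_as_mobile(handler, first_headers: dict) -> tuple[int, str]:
    """Try a request as-is; if it is cloaked, retry once with spoofed mobile headers."""
    status, body = handler(first_headers)
    if status == 200:
        return status, body
    return handler(analyst_headers())


if __name__ == "__main__":
    print(gate({"User-Agent": DESKTOP_UA}))            # (404, 'Not Found'): cloaked
    print(fetch_as_mobile(gate, {"User-Agent": DESKTOP_UA}))  # lure page captured
```

With a real target the same spoof is a single curl option, `curl -A "<smartphone User-Agent>" <url>`; the mobile-connection requirement the article mentions is usually handled by fetching from a phone on a cellular link or through a mobile proxy, and is a reminder that automated URL scanners fetching from data-center addresses will often see only the 404.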

At the end of the research, the trail led to a 24-year-old man named Yucheng C., alias "Darcula", who is believed to be from China. Other security researchers had previously given this name to the whole network. Darcula is not said to have handled card data himself; he is described as the developer of Magic Cat. The tool is reportedly rented out to the actual fraudsters as software-as-a-service for a few hundred US dollars a week. The fraudsters then send the lures from their device farms, photos of which were also found in the Telegram group. Some members there boast of sending tens of thousands of messages a day, via SMS, iMessage or RCS.

According to NRK, the network is active in around 130 countries and some 600 people are said to be involved. During the seven-month observation period, from the end of 2023 to mid-2024, the links in the messages were clicked 13 million times and 884,000 people entered their card details. At roughly one success per 14 clicks, the criminals evidently consider the time and technical effort well spent.


The Norwegian broadcaster also reports that Magic Cat requires little effort of its users: the tool comes with ready-made fakes of the websites of around 300 companies, a list NRK has published as an Excel spreadsheet. For Germany, these include DHL, Telekom, Hermes and the website for the broadcasting license fee. In other regions the kit also imitates banks, numerous logistics companies and Amazon. Chinese companies and websites are absent from the list.

When asked by BR, the Federal Criminal Police Office (BKA) said that the network has been known since October 2024 and is being monitored. However, there are no concrete investigations because: "The challenges in investigations against internationally active phishing groups lie in international, possibly non-contractual police cooperation." According to the reports, the main players are based mainly in Asia and operate from there. DHL, probably one of the most attractive targets in Germany judging by the thousands of complaints about phishing text messages filed with the Federal Network Agency, did not want to comment to BR "on cyber security issues" in general.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.