Who Are the Cybercriminals Behind the Darcula Phishing Network?
Abstract: Norwegian researchers uncover Darcula, a phishing-as-a-service operation with 884,000 stolen cards, linking scammers to luxury goods and global crime rings.

A team of Norwegian cybersecurity specialists has revealed a sprawling cybercrime syndicate, exposing the sophisticated fraud tactics employed by the scammers orchestrating it. Their findings have unveiled a highly structured phishing-as-a-service scheme called Darcula, which has ensnared countless victims worldwide.
Operating out of Oslo, the Mnemonic research group launched their probe after detecting a spike in fraudulent delivery-related messages targeting global users in 2023. By engaging with one of these deceptive links, the researchers uncovered a platform engineered to equip cybercriminals with tools for executing widespread phishing campaigns. Known as Darcula, this platform, active since at least 2023, grants access to over 20,000 domains and 200 phishing templates mimicking prominent brands like postal services, tax authorities, telecom companies, and airlines.
Though prevalent on the dark web, Darcula evaded detection until Mnemonic's ethical hackers penetrated its covert admin hub. Their report describes this hub as the nerve center of the operation, displaying live updates of victims’ personal data—such as credit card details, names, and addresses—as they were entered. This formed part of a vast network where phishing links were clicked over 13 million times, resulting in the theft of 884,000 credit cards by approximately 600 fraudsters.

Through reverse engineering, Mnemonic identified a critical element of the scheme: a toolkit dubbed ‘Magic Cat.’ This tool allowed scammers to track stolen credit card information in real time and engage with victims to extract additional data, such as PINs. Magic Cat offered features like ready-to-use templates for impersonating numerous global brands, making it a user-friendly resource for fraudsters worldwide.
As their investigation deepened, Mnemonic traced the Darcula network to Chinese cybercriminals, identifying the full name, phone number, and city of a key figure behind the operation. The Norwegian Broadcasting Corporation (NRK) joined the effort, uncovering over 40,000 chat exchanges among the scammers. These conversations revealed the criminals bragging about their opulent lifestyles, fueled by illicit gains.
One fraudster showcased a ring valued at over £21,000, while another flaunted luxury Valentino footwear. Receipts showed some had spent up to £14,000 on personal purchases, with images depicting sports cars and high-end dining experiences, all financed through stolen credit card data.
Despite presenting the hackers with evidence of their crimes, Mnemonic and NRK encountered defiance and subtle threats from the perpetrators.
The investigation confirmed that the Darcula network and its Magic Cat toolkit remain active, with ongoing enhancements making the phishing operations increasingly effective.
Mnemonic's report emphasized that their original aim was to investigate active phishing campaigns, but their work uncovered a far larger and more intricate web of fraudsters operating a robust ecosystem designed to exploit globally recognized brands. They identified hundreds of thousands of victims and thousands of licenses sold for Magic Cat, highlighting a rising trend in cybercrime.
This investigation has not only illuminated the scope of this criminal enterprise but also offered a vital glimpse into the lucrative realm of cyber fraud, where perpetrators live extravagantly at the expense of unsuspecting victims. Despite the researchers' efforts, Darcula and its tools continue to flourish, emphasizing the persistent danger posed by cybercriminals lurking in the dark web’s shadows.

