A team of Norwegian cybersecurity experts has pulled back the curtain on one of the most sophisticated phishing operations to date—the Darcula phishing network. This sprawling phishing-as-a-service (PhaaS) syndicate has enabled cybercriminals worldwide to steal personal and financial data through highly targeted scams.
The investigation was spearheaded by Mnemonic, a cybersecurity research group based in Oslo. Their probe began in 2023 after detecting a surge in fraudulent delivery-themed messages. By analyzing one of these phishing links, they uncovered Darcula—a powerful platform offering over 20,000 domains and 200 phishing templates impersonating global brands, including postal services, tax agencies, telecoms, and airlines.
Darcula operated in the shadows of the dark web, equipping more than 600 scammers with a real-time dashboard to view stolen data, including names, addresses, and credit card details. The platform recorded over 13 million phishing link clicks and facilitated the theft of 884,000 credit cards.
At the heart of this network is a toolkit known as Magic Cat, which allowed fraudsters to monitor stolen card data in real time, interact with victims, and extract additional sensitive information like PINs. With its ready-made templates and user-friendly interface, Magic Cat made it easy for cybercriminals to launch convincing scams at scale.
Through reverse engineering and deep digital forensics, Mnemonic traced the Darcula operation back to a group of Chinese cybercriminals. Investigators uncovered the personal details of a key figure—including their full name, phone number, and city. Collaborating with the Norwegian Broadcasting Corporation (NRK), they also reviewed more than 40,000 internal chat logs that revealed the scammers’ extravagant lifestyles fueled by stolen funds.
One scammer flaunted a £21,000 luxury ring, another showed off designer Valentino shoes, and several shared images of sports cars, high-end dinners, and lavish purchases—many backed by receipts showing spending of up to £14,000.
Even when confronted with concrete evidence of their crimes, the fraudsters responded with defiance and veiled threats, underscoring the audacity and confidence of the criminals behind Darcula.
Mnemonic’s findings have exposed a well-oiled criminal ecosystem built to exploit the trust people place in reputable global brands. Despite this exposure, Darcula and its Magic Cat toolkit remain active, continuing to evolve and spread.
This investigation offers a rare and chilling look inside the Darcula phishing network, answering the question: who are the cybercriminals running it? The answer points to a complex web of bad actors—empowered by advanced tools, driven by profit, and thriving in the shadows of the internet.