
Security researchers have identified a major credit card theft operation linked to a sophisticated phishing-as-a-service (PhaaS) platform called Darcula, which has compromised roughly 884,000 credit card details.
The massive cybercrime campaign, which began in late 2024, targeted consumers across 32 countries, with the highest concentration of victims in North America and Europe.
It is estimated that financial damage could exceed $150 million, based on the current dark web value of stolen financial data.
What sets Darcula apart from traditional phishing attacks is its advanced infrastructure and subscription-based model. The platform allows even low-skilled cybercriminals to execute highly convincing phishing campaigns, providing replicas of banking websites, e-commerce platforms, and payment portals.
These sites are designed with realistic SSL certificates and domain names to evade detection and gain users' trust.
Most concerning, however, is Darcula’s ability to bypass multi-factor authentication. It uses real-time session hijacking techniques to intercept and relay authentication codes, allowing attackers to gain full control of user accounts.
The campaign’s success lies in its multi-channel approach. Malicious links are distributed through email, SMS, social media, and compromised advertising networks.
Victims are often lured by urgent messages about account issues or transactions, directing them to fraudulent sites where their login credentials and payment details are captured.
The operation is believed to be the work of a well-organized cybercriminal syndicate, backed by significant resources and technical expertise.
Mnemonic analysts identified the Darcula operation in February 2025 after noticing a pattern of credit card fraud across several financial institutions.
To hone the platform even further, the threat actors behind Darcula added generative artificial intelligence (GenAI) capabilities, which were announced last month.