Cybersecurity

Global Phishing Scheme Using Fake DHL Messages Exposes Tens of Thousands to Credit Card Theft

An international cybercriminal group operating out of Asia has organized one of the largest phishing campaigns in the world. Hundreds of thousands of people, including about 20,000 in Germany, have fallen victim to fraud through fake SMS delivery notifications sent in DHL's name.

Investigations reveal that the fraud is enabled by specialized software called “Magic Cat,” developed by a figure known online as “Darcula.”

Luxury Lifestyles Built on Cyber Fraud

On social media platforms like Instagram and TikTok, individuals suspected to be involved in the scam flaunt expensive designer clothing, luxury sports cars, and club parties—funded, investigators believe, by stolen credit card data. A cross-border investigation by Bayerischer Rundfunk (BR) and media partners in Norway and France, with data from cybersecurity firm Mnemonic, sheds light on the global scale of this fraud operation and its key players.

How the Scam Works

The network sends out millions of SMS messages daily, claiming delivery issues with DHL packages and urging recipients to click a link to confirm their address. These links lead to websites that mimic legitimate courier or utility company pages, primarily targeting users in over 130 countries. Victims are tricked into entering personal and financial data, which is then harvested in real time—even if they attempt to delete their input.

When users access one of these fake sites, a Chinese computer voice announces: “A user has successfully opened the site.” The fraudsters then monitor and record every keystroke, often capturing security codes along with card numbers. Screenshots from internal chat groups show how these details are added to digital wallets like Apple Pay and Google Pay for repeated use.

The Man Behind the Mask: ‘Darcula’ Unmasked as 24-Year-Old from Henan, China

The pseudonymous mastermind “Darcula” is believed to be 24-year-old Yucheng C. from China’s Henan province. BR obtained a copy of his ID, although his current whereabouts are unknown. While there’s no evidence he personally steals credit card data, he allegedly rents out the Magic Cat software for several hundred dollars per week. “Darcula” was previously an admin of a central chat group where users exchanged tips on fraud and offered courses on improving their phishing techniques.

Cybersecurity expert Ford Merrill, an advisor to global authorities, estimates that up to 80% of phishing sites globally may rely on Magic Cat. Mnemonic’s Harrison Sand dismisses claims that the software has legal applications, stating its sole purpose is to deceive users and steal their data.

Scale of the Damage in Germany and Worldwide

Data obtained from the scam’s backend systems show that between late 2023 and mid-2024, nearly 900,000 people globally entered their credit card information into fake websites. In Germany alone, 20,000 fell victim, with around 4,000 also supplying security codes—allowing scammers to use the cards instantly. Screenshots reveal mobile phones loaded with stolen cards and even show criminals using personal card readers at home. Some post photos of high-end shopping sprees alongside receipts as proof of their “success.”

‘Kris’—A Key Player in the Network—Vanishes After Scrutiny

One of the scheme’s most visible figures, using the alias X667788X and calling himself “Kris,” is implicated in mass phishing operations. Originally from Xi’an, China, he was recently active in Bangkok, showcasing his wealth on social media. He later posted from a racetrack near Shanghai. After reporters investigated his activities, his online profiles were swiftly deleted. He denied being Kris and claimed the information was inaccurate, before wiping his remaining online presence.

German Police Not Actively Investigating Despite High Victim Count

Despite the massive scale and damage, Germany’s Federal Criminal Police Office (BKA) has not initiated specific investigations into the Darcula network. The BKA confirms that it has been monitoring the group since October 2024, citing difficulties in international cooperation and legal constraints.

DHL, frequently impersonated in the scams, declined to comment on security-related inquiries.

Understanding Phishing and Its Impact

Phishing involves the use of fake emails, messages, or websites to trick people into revealing personal information like passwords or credit card numbers. These scams mimic legitimate companies, often with urgent language prompting users to act quickly. Variants include “spear-phishing” (targeted attacks), “smishing” (SMS-based), “vishing” (voice calls), and “quishing” (QR-code-based).

In Germany, phishing fraud causes millions of euros in losses annually. Authorities like the Federal Office for Information Security (BSI) and consumer protection agencies offer advice on how to identify and avoid such scams.

As digital fraud becomes increasingly sophisticated, this investigation reveals how a combination of deception, software innovation, and lax international enforcement enables cybercriminals to operate at an unprecedented global scale.

Daniel Tat