From Magic Cat to Magic Mouse: The Relentless Evolution of Global Smishing Operations via Phishing-as-a-Service Platform
The unmasking of the Darcula smishing network in 2024 was considered a major investigative victory. Researchers from Mnemonic, in partnership with media outlets, exposed the massive Phishing-as-a-Service platform called Magic Cat. This toolkit enabled hundreds of cybercriminals to launch targeted phishing attacks on victims worldwide using text messaging services like SMS and RCS by imitating trusted brands to steal sensitive financial data.
Rise and Fall of Magic Cat
Magic Cat was the brainchild of a 24-year-old Chinese national named Yucheng C. who worked under the alias Darcula. The toolkit was distributed through closed Telegram groups and offered ready-made phishing templates, real-time victim data capture, and a dashboard interface. It empowered even low-skilled operators to run large-scale scams while keeping their activities hidden behind layers of obfuscated code and proxy infrastructure.
The campaigns driven by Magic Cat reached astonishing levels of scale. Approximately 13 million malicious link clicks led to the theft of about 884,000 credit card details over a seven-month period alone. Victims were deceived by messages about undelivered parcels or unpaid tolls. The prompts encouraged them to click links leading to counterfeit websites that perfectly mimicked legitimate service providers. Losses often ran into thousands of dollars per person.
The infrastructure supporting Magic Cat was highly organized. Operators deployed SIM farms or multi-SIM devices, mobile device fleets, and automated tools to send vast volumes of fraudulent messages. Stolen payment card details were quickly loaded into mobile wallets on smartphones to enable immediate fraudulent purchases. Funds were then laundered through various financial channels to conceal the true identities of the criminals and cash out their gains.
A coordinated investigation exposed Magic Cat. Analysts at Mnemonic infiltrated Telegram groups, reverse-engineered the toolkit, and traced operational mistakes left by the scammers. Photographs, dashboard screenshots, and records exposed the operational scale. Cross-border collaboration between cybersecurity researchers and journalists ultimately connected Yucheng C. to the toolkit. This brought the Darcula operation into the public spotlight.
Emergence of Magic Mouse
However, dismantling Magic Cat and the initial Darcula operation did not end the threat. A new operation emerged almost instantly once Yucheng C. vanished and the platform stopped receiving updates. It is known as Magic Mouse. This successor quickly captured the attention of researchers for its rapid adoption and unprecedented reach. It was already surpassing the record of Magic Cat in terms of both volume and efficiency around the middle of 2025.
Magic Mouse appears to be run by a different group of developers, independent from Darcula, but benefiting from the same foundation. It reuses phishing kits originally crafted for Magic Cat. This means it contains hundreds of ready-to-deploy templates impersonating known technology firms, postal services, and government agencies or offices. This allows operators to stage large-scale smishing attacks with minimal technical expertise or setup time.
The operational method remains similar. Magic Mouse operators send fraudulent SMS and RCS messages designed to provoke urgency or curiosity. Victims who click the included links are taken to spoofed websites where they are prompted to enter their payment information. The details are harvested instantly, added to mobile wallet platforms, and exploited for cash withdrawals or online purchases before banks or relevant service providers can intervene.
Researchers at Mnemonic estimate that Magic Mouse is stealing approximately 650,000 payment card details each month. This figure represents an alarming escalation in global phishing activity, especially considering the sophistication of the campaigns and the speed with which stolen cards are monetized. The use of familiar brand imagery and highly localized content makes the deception especially difficult for the average recipient to detect and avoid.
Challenges and Implications
Efforts to combat Magic Mouse and related operations remain limited. Researchers note that law enforcement agencies in most countries often treat such cases as isolated incidents rather than part of a larger coordinated infrastructure. In the meantime, technology companies and financial institutions continue to bear the primary burden of blocking phishing pages, disabling domains, and preventing fraudulent transactions before they reach completion.
Public awareness remains a critical factor in reducing the effectiveness of smishing and phishing in general. Security experts underscore the importance of educating users to recognize suspicious messages, verify unexpected requests independently, and avoid clicking unfamiliar links. While these measures cannot dismantle the underlying criminal networks, they significantly reduce the pool of potential victims susceptible to social engineering tactics.
International cooperation is equally essential. Cybercriminal operations like Magic Mouse often span multiple countries to exploit the gaps and vulnerabilities in law enforcement authority and communication. Coordinated intelligence sharing, harmonized cybercrime legislation, and rapid response mechanisms are required to disrupt infrastructure at scale. Dismantling one network may only pave the way for another one to emerge without a unified global effort.
The emergence of Magic Mouse following the fall of Magic Cat demonstrates the resilience and adaptability of organized cybercrime. Phishing-as-a-Service models make it easy for new actors to step into the void when one network is dismantled. Hence, unless systemic vulnerabilities in payment processing and digital communication channels are addressed, similar operations will continue to emerge. Each new threat could be more efficient than the last.
FURTHER READINGS AND REFERENCES
- Leiknes, E. and Sand, H. 2025. “Exposing Darcula: A Rare Look Behind the Scenes of a Global Phishing-as-a-Service Operation.” Mnemonic Blog. Mnemonic.
- Whittaker, Z. 10 August 2025. “After Researchers Unmasked Prolific SMS Scammer, A New Operation Has Emerged In Its Wake.” TechCrunch.