They post photos of themselves on social media in designer outfits and standing next to luxury cars with butterfly doors or partying in exclusive clubs – likely paid for with the money from their hapless victims. An international network of online scammers is using fake text messages to steal credit card details from huge numbers of people and raking in piles of cash. Bayerische Rundfunk and its international partners have now been able to identify central figures in one of the largest phishing networks in the world – a ring that is also thought to be behind tens of thousands of scams in Germany as well.
The scammers operate from Asia, their fraud enabled by a mastermind who calls himself Darcula – a name reminiscent of Count Dracula. They send millions of messages like the following to smartphones around the world: "Hello, a hold has been placed on your DHL Express parcel. Please review and update your shipment information below." That is how they lure their victims into the trap.
BR reporters have been able to reconstruct the fraud in detail using a database created by the criminal network in which hundreds of thousands of victims are listed along with a copy of the software they use for the fraud and more than 40,000 text messages from internal chat groups on a messenger service. The Norwegian cyber-security company Mnemonic made the data available to BR, to the Norwegian public broadcaster NRK and to the French newspaper "Le Monde". The international reporting project has revealed in detail the global scale of the scheme.
"Magic Cat" Creates Fake Websites
The software used for the fraud is called "Magic Cat", and it allows for the creation of almost perfect imitations of websites belonging to companies and organizations in more than 130 countries with just a few clicks. The scammers frequently create copies of postal and package delivery companies, but electricity utilities and official agencies are also in their portfolios. In Germany, our reporting has found, fake DHL websites appear to be the preference.
As soon as someone opens a fake website, the software produces a computer voice in Chinese: "A user has successfully opened the website." The scammers can then follow in real time as users enter their data. The data can even be captured if users then try to delete it.
Darcula Develops the Software and Connects the Scammers
The developer of Magic Cat calls himself Darcula. His profile image on one messenger service shows a cat. Darcula ensures that very little personal information is publicly available, but our reporting has discovered that a 24-year-old Chinese man named Yucheng C. is likely behind the Magic Cat software. The team of reporters has obtained a photo of his ID showing a young man with dark hair. According to the document, he is from the central Chinese province of Henan. His current location is unclear.
In the database provided to BR, there are no indications that the software developer himself is stealing credit card data. Using go-betweens, he apparently leases the software to other perpetrators, who must pay several hundred dollars a week. For some time, Darcula also administered a chat group where many scammers networked with each other. Some perpetrators offer courses for those wanting to improve their fraud skills. Others provide their services in sending huge numbers of text messages to certain countries.
The IT expert Ford Merrill from SecAlliance/CSIS, a consultant to security agencies in several countries who specializes in fraudulent schemes involving text messages, says that the programmer Darcula has been “remarkably successful.” According to his findings, between 70 and 80 percent of all phishing websites use his fraud software. Darcula, he says, is one of the “most productive actors” in the scene.
The young Chinese man believed to be behind the Darcula profile left the reporters’ questions unanswered. After the reporters tried to establish contact with him, another person got in touch who claimed not to be Yucheng C., but said they worked together. The person said that Yucheng C. develops and sells the software – but claimed that it was for the creation of websites and not for credit card fraud.
Harrison Sand from the Norwegian security firm Mnemonic, which had tracked Darcula’s activies, has his doubts. The purpose of the software, he says, is to target the general public and steal credit card details. “Based on our observations, we see no way that this software could have been used for legitimate purposes.”
Hundreds of Thousands of Credit Cards Stolen
The database lists scam victims from a time period extending from late 2023 to summer 2024. An analysis performed by BR found that during that time period, more than 900,000 people around the world apparently provided their credit card information.
In Germany, more than 20,000 people typed their credit card numbers into the fraudulent web pages. Around 4,000 of them also entered a verification code from their bank. Using these codes, fraud perpetrators can store the cards in digital wallets like Apple Pay and Google Pay.
Photos from the chat groups indicate that the perpetrators actually did store the stolen credit card information in digital wallets. The images show smartphones on which more than a dozen cards are saved. They can be used without having to enter an additional PIN number, meaning victims can be defrauded several times in succession.
BR spoke with more than 100 victims in Germany. Many of them confirmed that they did, in fact, lose money through the scam.
The internal chatgroups also show that some of the perpetrators use their own payment terminals. This allows them to use the copied credit cards from home. Others post photos of receipts in the chat and on social media after making purchases in luxury stores.
A Major Player Goes Into Hiding
The reporters were able to identify one of the most active players in the Darcula network. Operating under the name X667788X, he has apparently defrauded thousands of people with Magic Cat – or participated in those frauds. That can be seen in a database listing the victims. He also teaches others how to defraud victims as successfully as possible, distributes the software to other scammers and offers to send text messages on behalf of fraud perpetrators. He brags about how much money he earns through the scam.
The reporting has shown that a young man who calls himself “Kris” is behind the X667788X name. He is originally from the metropolis of Xi’an in China, though he spent months operating from the Thai capital of Bangkok, posting photos from expensive sushi restaurants and with Lamborghinis. Recently, a post of his indicated he was back in China; it was from a racetrack near Shanghai. After BR and NRK began asking about him among his contacts in Bangkok, he deleted posts showing his face.
In a chat with reporters, the man behind the name X667788X denied being Kris. “I am X66, but all the information you have found is wrong.” Kris then deleted his remaining posts from Instagram.
No Investigation Despite Many Victims
Despite tens of thousands of victims in Germany, the Federal Criminal Police Office (BKA) is not conducting any investigations into the fraud network surrounding Darcula and Magic Cat. When contacted for comment, Germany’s Federal Criminal Police Office (BKA) wrote that it has been aware of the “Darcula Group” since October 2024. The group, the agency wrote, is being monitored on an ongoing basis “to assess the phenomenon,” adding: “The challenges in investigations against internationally active phishing groups lie in international, possibly non-contractual police cooperation.”
The logistics company DHL, whose website is a particularly favorite target of falsification by those seeking to defraud people in Germany, replied: “Please have understanding for the fact that we do not comment on cyber security issues.”
This article is part of the international reporting project “Darcula Unmasked” by NRK (Norway), Le Monde (France) and Bayerischer Rundfunk.
Das ist die Europäische Perspektive bei BR24.
"Hier ist Bayern": Der BR24 Newsletter informiert Sie immer montags bis freitags zum Feierabend über das Wichtigste vom Tag auf einen Blick – kompakt und direkt in Ihrem privaten Postfach. Hier geht’s zur Anmeldung!