After researchers unmasked a prolific SMS scammer, a new operation has emerged in its wake


If you, like practically anyone else with a cell phone in the U.S. and beyond, have received a scam text message about an unpaid toll or undelivered mail item, there’s a good chance you have been targeted by a prolific scamming operation.

The scam isn’t particularly complex, but it has been highly effective. The scammers send spam text messages that look like genuine notifications for popular services, from postal deliveries to local government programs. Unsuspecting victims click a link that loads a phishing page and enter their credit card details, and that information is swiped and used for fraud.

During a period of seven months in 2024, the scam netted at least 884,000 stolen credit card details, allowing scammers to cash in on their victims’ accounts. Some victims lost thousands of dollars in the scam, researchers say.

But a series of opsec mistakes ultimately led security researchers and investigative journalists to the real-world identity of the maker of the scamming software Magic Cat, who researchers say goes by the handle Darcula.

Image: Darcula’s profile picture, a white fluffy cat on a couch. Image credits: via Mnemonic

As revealed by the Oslo-headquartered security firm Mnemonic and reported in tandem by Norwegian media earlier this year, behind the fluffy cute cat in Darcula’s profile photos is a 24-year-old Chinese national named Yucheng C.

The researchers say Yucheng C. develops Magic Cat for his hundreds of customers, who use the software to launch their own SMS text message scam campaigns at their victims.

Soon after he was unmasked, Darcula went dark and his scam operation has not seen any updates since, leaving his customers in the lurch. But in its wake, a new operation has emerged and is already vastly outpacing its predecessor.

Researchers are now sounding the alarm on the new fraud operation, Magic Mouse, which rose from the ashes of Magic Cat. 

Ahead of sharing new findings at the Def Con security conference in Las Vegas on Friday, Harrison Sand, an offensive security consultant at Mnemonic, told TechCrunch that Magic Mouse has been surging in popularity since the demise of Darcula’s Magic Cat. 

Sand also warned of the operation’s growing ability to steal people’s credit cards on a massive scale.

During their investigation, Mnemonic found photos from inside the operation posted in a Telegram channel that Darcula administered, showing a line-up of credit card payment terminals and videos showing racks with dozens of phones used for automating the sending of messages to victims. 

The scammers use the card details in mobile wallets on phones and conduct payment fraud, laundering their funds into other bank accounts. Some of the phones had mobile wallets overflowing with other people’s stolen cards, ready to be used for mobile transactions. 

Sand told TechCrunch that Magic Mouse is already responsible for the theft of at least 650,000 credit cards a month.

While evidence suggests Magic Mouse is an entirely new operation, coded by new developers and likely unrelated to Darcula, much of Magic Mouse’s success stems from the new operators stealing the phishing kits that made its predecessor’s software so popular. Sand said these kits contain hundreds of phishing sites that Magic Cat used to mimic the legitimate web pages of major tech giants, popular consumer services, and delivery firms, all designed to trick victims into handing over their credit card details.

But despite the prolific nature of Magic Cat and, now, Magic Mouse, and their ability to net millions of dollars in stolen funds from consumers, Sand told TechCrunch in a call that law enforcement is not looking beyond a few scattered reports of fraud or at the wider operation behind the scheme. 

Instead, Sand said, it is the tech companies and financial giants who shoulder much of the responsibility for allowing these scams to exist and thrive, and for not making it more difficult for scammers to use stolen cards. 

As for anyone who receives a suspicious text, ignoring an unwanted message might be the best policy. 
