Asian Cybercrime Ring Targeting Credit Card Data via Fake DHL Messages

Sun 4th May, 2025

An extensive international phishing operation has reportedly been uncovered, involving a network of online criminals orchestrating a massive scheme to steal credit card information through fraudulent text messages. The operation has been linked to tens of thousands of phishing incidents in Germany alone.

According to investigations by the Bavarian Broadcasting Corporation (BR), in collaboration with Norway's NRK and France's Le Monde, this network is believed to be among the largest phishing rings globally. Operating primarily from Asia, the gang uses deceptive messages that appear to originate from DHL, claiming issues with package deliveries due to incomplete address information. Victims are lured into clicking links that lead them to counterfeit websites designed to harvest their personal and financial details.

The reports indicate that the mastermind behind this operation goes by the alias 'Darcula', drawing a parallel to the infamous vampire character. This individual allegedly orchestrates the phishing attacks by disseminating millions of messages worldwide, targeting unsuspecting smartphone users.

The foundation of the investigation was a database belonging to the criminals, which contains extensive records of victims, the fraudulent software they utilized, and over 40,000 messages exchanged in their internal communication channels. The Norwegian cybersecurity firm Mnemonic reportedly provided this data to the media.

Further insights reveal that the fraudulent software, dubbed 'Magic Cat', allows criminals to create highly convincing replicas of websites belonging to various companies across more than 130 countries. The most commonly imitated sites are those of postal and package delivery services, energy providers, and government agencies, with DHL being a primary target in Germany.

Once a victim accesses a counterfeit page, the software generates a notification in Chinese, indicating that a user has successfully visited the site. The perpetrators can monitor in real time as victims input their information, ensuring that data is collected even if the user attempts to delete it afterwards.

Interestingly, while 'Darcula' is believed to be a 24-year-old Chinese national named Yucheng C., there is no evidence suggesting that he personally collects credit card data. Instead, he seems to rent out the 'Magic Cat' software to other criminals, charging several hundred dollars per week for access.

The data examined covers incidents from late 2023 to mid-2024, revealing that nearly 900,000 individuals worldwide may have shared their credit card details. In Germany, approximately 20,000 users entered their credit card information on these fraudulent sites, with around 4,000 also providing verification codes from their banks, enabling the criminals to load these cards into digital wallets like Apple Pay and Google Pay.

Images from chat groups associated with the operation suggest that the thieves have successfully added stolen credit cards to digital wallets, allowing them to conduct transactions without requiring additional PINs. This facilitates repeated thefts from unsuspecting victims.

Following the reports, the BR stated that they had spoken with over 100 affected individuals in Germany, many of whom confirmed losses resulting from this fraud scheme. Despite the scale of the operation, the Federal Criminal Police Office (BKA) in Germany reportedly has not initiated any investigations against the network linked to 'Darcula' and 'Magic Cat'. The BKA has acknowledged awareness of the 'Darcula' group since October 2024, indicating that it is under observation for assessment purposes.

Challenges in investigating such international phishing operations stem from the complexities involved in international law enforcement collaboration. The BKA emphasized the difficulties in pursuing groups that operate globally and often evade jurisdictional limitations.

DHL has refrained from providing detailed comments regarding cybersecurity matters, urging patience from the public as they navigate these issues.

