Investigations Reveal Structure of 'Darcula' Phishing Network

Sun 4th May, 2025

An international investigation has shed light on a sophisticated fraud network that has successfully deceived approximately 900,000 individuals.

The Scam Unveiled

The tactics employed in this phishing scheme are both familiar and effective. Victims receive messages on their smartphones, often impersonating well-known companies like DHL, claiming there is a parcel awaiting collection. The message typically prompts the recipient to pay a fee to retrieve the package. However, clicking the link leads to a meticulously designed fraudulent website that mimics the legitimate company, where users are asked to input their credit card information. Those who comply inadvertently hand over their sensitive financial data, which is then exploited by criminals for illicit purchases.

Investigative Findings

According to a joint investigation by Bayerischer Rundfunk (BR), Norwegian broadcaster NRK, and the French newspaper Le Monde, this operation is underpinned by a well-organized network of cybercriminals. The inquiry began with a detailed analysis of the phishing tactics and technology used, initiated by the Norwegian cybersecurity firm Mnemonic, which took as its starting point a fake message it had received purporting to come from the Norwegian postal service.

The fraudulent links were cleverly obscured from direct scrutiny; they could only be accessed via mobile networks and specifically through smartphone browsers. By tracing these links, security researchers were able to navigate the complex web of the fraudsters. Over seven months, they gained access to internal communications among the criminals, including chats on Telegram. The fraudsters utilized a software tool known as 'Magic Cat,' which employs artificial intelligence to generate convincing fake websites.

The Key Figure: Yucheng C.

The investigation ultimately led to a 24-year-old individual named Yucheng C., also known as 'Darcula,' who is believed to be based in China. This alias was previously assigned to the network by other cybersecurity analysts. While Darcula is not directly involved in handling stolen credit card data, he is identified as the creator of the 'Magic Cat' software, which is reportedly rented out to other criminals for several hundred dollars per week under a Software-as-a-Service (SaaS) model. The phishing attempts are executed through a network of devices, some of which were showcased in images shared within the Telegram groups.

Widespread Impact

Reports indicate that this phishing network operates across approximately 130 countries, involving around 600 participants. From late 2023 to mid-2024, the links associated with these scams received 13 million clicks, resulting in 884,000 individuals entering their credit card information. With a success rate of approximately 1 in 14, the substantial investment in technology and time proves to be lucrative for these criminals.

Phishing Tools and Targeted Companies

The Norwegian broadcaster has highlighted that 'Magic Cat' simplifies the process for scammers, providing templates for fraudulent websites of around 300 different companies. An Excel document released by NRK lists these companies, which include major German firms like DHL, Telekom, and Hermes, as well as sites related to broadcasting fees. The software also facilitates the imitation of banking websites and various logistics companies. No Chinese entities are listed.

Current Status of Investigations

In response to inquiries, the Federal Criminal Police Office (BKA) of Germany confirmed that they have been monitoring the phishing network since October 2024. However, no concrete investigations have been initiated. The BKA cited challenges in pursuing international phishing groups due to the complexities of police cooperation across borders, particularly when primary actors are based in Asia. DHL, which has received numerous complaints about phishing attempts, declined to comment on cybersecurity matters.

