Magic Mouse: The Evolution of a Global SMS Phishing Epidemic
A wave of SMS fraud sweeping across the United States and beyond has entered a new and more insidious phase. Behind seemingly mundane yet convincing messages about unpaid fines or failed deliveries lies a vast, highly efficient data theft apparatus. Recent research has shed light on the inner workings of these attacks and the individuals orchestrating them.
The campaign, dubbed Magic Cat, operated according to a simple yet ruthlessly optimized playbook. Victims would receive messages visually indistinguishable from legitimate courier or postal notifications. Clicking the embedded link would lead to a phishing page where the target entered payment details, which were instantly delivered into the hands of cybercriminals. Over just seven months in 2024, Magic Cat compromised at least 884,000 credit cards. Some victims lost thousands of dollars to these fraudulent sites.
The software at the heart of this scheme was created by 24-year-old Chinese national Yucheng S., who operated under the alias Darcula. His product—Magic Cat—was sold to dozens of scam operators, each running their own phishing pages and SMS campaigns using this all-in-one deception toolkit. Far from hiding in the shadows, Darcula openly administered a Telegram channel where he detailed his operations. Investigators were able to identify him after a series of operational security blunders.
Not long after his exposure, Darcula vanished from the internet, and Magic Cat updates ceased. But the vacuum did not last. According to researcher Harrison Sand from Mnemonic and Norwegian media reports, a new contender emerged—Magic Mouse. Despite its different origin and development team, this operation inherited the entire Magic Cat arsenal, including phishing templates mimicking the websites of well-known brands, services, and logistics companies. With these ready-made clones at its disposal, Magic Mouse quickly became even more dangerous than its predecessor.
The scale of Magic Mouse’s activity is staggering. Mnemonic estimates the operation steals over 650,000 card records each month. Researchers found photos in Darcula’s old Telegram channel showing PoS terminals used by the scammers, along with videos of shelves lined with dozens of phones blasting out automated SMS messages. Stolen cards were loaded into mobile wallets, enabling fraudulent transactions and laundering of illicit proceeds.
Although no direct link between Darcula and Magic Mouse has been proven, the structural and methodological similarities are striking. The very fact that the scam infrastructure has been relaunched on such a scale underscores the immense profitability of this criminal enterprise. Despite the severe damage inflicted on consumers, law enforcement responses remain tepid, leaving much of the burden of prevention to IT companies and banks, which are forced to deal with the fallout of stolen card use.
Researchers stress that until systemic measures are implemented, the only truly effective defense is to ignore suspicious messages. Never click links, never enter personal data, and never trust even the most convincingly worded requests—a basic rule reaffirmed by every new investigation into the tactics of social engineering.