Operation Magic Cat: Google Sues to Dismantle the Chinese “Darcula” Phishing Empire
Google has filed a lawsuit against a Chinese-speaking group it describes as a central driver behind a massive wave of phishing SMS attacks across the United States in 2025. According to Google, the group—known as Darcula—sells tools that enable even individuals with minimal technical expertise to conduct large-scale campaigns impersonating government agencies and major brands, luring victims to counterfeit websites and harvesting credit card data.
The complaint alleges that Darcula markets a software toolkit designed to launch SMS campaigns “at scale,” complete with sender spoofing—posing, for example, as the IRS or the U.S. Postal Service. The group’s flagship product, Magic Cat, is described as a streamlined, intuitive builder that allows operators to flood millions of phone numbers with links to fake pages mimicking Western services and companies, then collect the payment information victims unwittingly enter, including credit card numbers.
Google says the purpose of the lawsuit is to secure legal authority from U.S. courts to seize and take control of the websites and other web infrastructure underpinning Darcula’s operations. The company is seeking a temporary restraining order that would allow it to lawfully assume control of that infrastructure and shut it down, thereby disrupting both the SMS campaigns and the fraudulent landing pages.
The identities of Darcula’s members remain largely unknown. Google notes that the group communicates primarily in Simplified Chinese. The complaint names a suspected leader, Yucheng Chang, but efforts to contact him were unsuccessful. The filing also references 24 additional defendants whose identities have not been disclosed, as Google says it does not yet know who they are. According to the company, Chang resides in China, while other participants are believed to be located in China or elsewhere.
Google emphasizes that cybercrime ecosystems like this often thrive in jurisdictions that are reluctant to cooperate with U.S. law enforcement, making direct intervention extremely difficult. As a result, major technology companies—including Google and Microsoft—periodically turn to the courts as a strategic tool, using legal orders to seize domains and websites tied to criminal infrastructure and disable them at the network level.
Earlier this year, Darcula openly showcased the capabilities of its tools. In videos posted to a Telegram channel, the group demonstrated how to configure SMS campaigns warning recipients of allegedly unpaid E-ZPass tolls. That Telegram channel has since gone offline, and no comment from the group could be obtained.
In a statement, Google Vice President of Litigation Cassandra Knight said the company is going to court to “shut down the infrastructure” behind a large-scale fraud operation. Google estimates that this operation accounted for roughly 80% of all phishing SMS messages during a certain period earlier this year. The company claims that Darcula and its affiliates may have stolen nearly 900,000 credit card numbers, including almost 40,000 belonging to U.S. residents. Between September and November alone, Google received more than 5,000 complaints from users of Google Messages—the default SMS app on Google Pixel smartphones—about messages linked to Darcula’s schemes.
The lawsuit also references an investigation by Norwegian broadcaster NRK, which analyzed large datasets related to Magic Cat obtained by cybersecurity researchers. NRK concluded that more than 600 operators were behind the SMS campaigns. According to the investigation, despite the wide array of disguises used to impersonate Western companies and government agencies, Magic Cat’s tools did not allow campaigns to masquerade as messages sent on behalf of China.
The case fits into a broader pattern of escalating cybercrime losses in the United States. According to the FBI’s Internet Crime Complaint Center annual report, Americans reported a record $16.6 billion stolen by cybercriminals last year.