A widespread SMS scam that has targeted millions across the US and beyond continues to evolve, with a new, even larger operation replacing a recently exposed fraud network.
During a seven-month stretch in 2024, this scam collected at least 884,000 stolen credit card details, with victims losing thousands of dollars in some cases.
How does the scam work?
The scam involves sending fake text messages posing as legitimate alerts: unpaid tolls, undelivered packages, or government programs, tricking victims into clicking phishing links. Once victims enter their credit card details, scammers steal and misuse the information.
Researchers at Oslo-based security firm Mnemonic, together with investigative reporting by Norwegian media, identified the developer behind the scam software, known as Magic Cat. The operator, a 24-year-old Chinese national named Yucheng C., used the handle “Darcula” and created the software sold to hundreds of clients who launched SMS phishing campaigns.
After Mnemonic’s exposure, the original scammer went silent, leaving his customers without updates. But a new operation called Magic Mouse quickly emerged, growing far larger and more aggressive than its predecessor.
Mnemonic’s offensive security consultant Harrison Sand shared insights ahead of the Def Con security conference, highlighting Magic Mouse’s rapid rise and alarming scale. According to Sand, Magic Mouse now steals at least 650,000 credit cards every month.
Evidence from Telegram channels previously administered by Darcula showed photos of credit card payment terminals and videos of dozens of phones automating mass SMS campaigns. The stolen card data is loaded onto mobile wallets for fraudulent payments, with funds laundered through various bank accounts.
Though Magic Mouse appears to be a distinct operation with new developers, much of its success relies on stolen phishing kits originally used by Magic Cat. These kits mimic the websites of major tech companies, popular services, and delivery firms to deceive victims into submitting payment details.
Despite the scale of theft and the vast sums involved, law enforcement response remains limited, focusing on isolated fraud reports rather than tackling the operation as a whole.
Sand argues that responsibility partly lies with tech companies and financial institutions for failing to implement stronger safeguards against stolen card use, allowing scammers to thrive.
For users, the safest advice remains to ignore unsolicited, suspicious text messages to avoid falling victim to these evolving scams.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
