The Hunt for Darcula
You might have received a text message from a somewhat strange phone number saying a package is on its way to you.
But to receive the package, you have to click on a link and fill out a form asking for your credit card details.
You are about to be scammed.
Who is behind it?
A 19-year-old man quits a tech company after just one month on the job. Unlike many other young people who share their lives online, he keeps a low profile.
Three years later, a software program designed for scamming is launched — tailored to deceive you and me.
The program is called Magic Cat and uses this white cat as its logo:
It is used by hundreds of scammers worldwide. To use the program, scammers must pay money to the architect of Magic Cat.
The Mastermind.
Many have tried to find him.
An Israeli security expert attempted it in 2023 but only uncovered a strange name:
Darcula.
The following year, the security company Netcraft reported that Darcula had «emerged from the shadows» and was scamming people in more than a hundred countries.
Shortly after, the Norwegian telecommunications company Telenor warned Norwegian users. Messages from the program were described as a «widespread problem.»
However, Darcula's true identity remained a mystery. Darcula uses profile pictures of cats to protect his anonymity.
Over the past year, NRK has investigated over fifty digital accounts potentially connected to Darcula.
Is it possible to discover who is hiding behind the cat pictures?
100,000 kroner disappeared
The message said a package was on its way. Lars didn't think twice about it.
Lars is not his real name, and remains anonymous out of consideration for his job.
He’s in his 40s, lives in Eastern Norway, and had just started his own business when the text message arrived.
Lars clicked the link in the message, filled out the form with his card details, and forgot all about it.
The man we refer to as Lars lost over 100,000 Norwegian kroner (NOK) and does not wish to speak openly. Photo: Javier Ernesto Auris Chavez / NRK
The scammer who tricked Lars used Magic Cat, the software Darcula had created.
When Lars checked his online bank account five days later, he was shocked.
Over 100,000 Norwegian kroner (NOK) was gone.
Lars could see over fifty unknown transactions. Between shopping trips to Rema 1000 and Meny, his card had been used to pay at «SHANG HAI XING BA KE K» and «Ding Tai Feng.»
NRK has seen documentation on this.
– I picked up my phone straight away to call the bank and the police, says Lars.
A wave of fraud
Darcula's software has contributed to a wave of digital frauds washing over Norway.
In the last three years, the police have recorded around 76,000 cases related to fraud.
One of the most common methods is called phishing. It’s a scam method where criminals fish for sensitive information to steal someone’s identity or money. This is the type of scam Magic Cat is designed for.
Unique figures NRK has obtained show that people in Norway have clicked on scam messages linked to Magic Cat 138,000 times over a period of seven months.
– Nobody Knew Who
In an office in Oslo before Christmas 2023, two IT security experts were feeling frustrated.
– There were warnings about scam messages, but nobody knew who was sending them, says IT expert Harrison Sand.
NRK has recently told the story of how he and his colleague Erlend Leiknes at the company Mnemonic in Oslo used a scam message they received to analyze the scammer's methods.
They developed a software program that allowed them to look behind the scenes. There, they found a list of hundreds of people who had been deceived by a scammer. Among the names, they stumbled upon some technical messages.
One of them made the duo pause.
Darcula.
– My gut feeling told me this was important, says Sand.
To many, Darcula may sound like a misspelling of the famous fictional vampire Dracula. But developers know it’s also the name of a dark color palette.
Perhaps a fitting alias for someone who prefers to operate in the shadows?
Cats like fish
The word Darcula gave them search results on the messaging service Telegram.
Both a group and a profile shared the same name, each with an image of a cat.
Since cats like fish, it might be a fitting icon for those engaged in phishing.
Inside the Telegram group, Darcula was promoting his software, Magic Cat.
He worked hard to fix errors in the software when scammers complained about something not functioning properly:
Over the past year, NRK has monitored Darcula's scam groups on Telegram. We have read thousands of chat messages in search of information about the person behind the cat pictures.
Darcula gives no indication of who he really is or where in the world he is located.
The only thing he says about himself is this:
– Effective Weapon
A computer loaded with Darcula's software, Magic Cat, is placed on a table.
In the meeting room sits Tom Espen Weie. He is the head of the department for economic crime at Sparebank1 SMN and has previously worked for the police.
Now, he is about to see how Magic Cat operates.
– It's absolutely insane! he says.
Weie believes Magic Cat signifies a major shift: Now scammers can rob more people even faster than before.
– This is very sophisticated and advanced software. Right after you enter the card details, it becomes available to the scammers, says Weie.
Tom Espen Weie at Sparebank1 SMN believes that Darcula's program, Magic Cat, is an incredibly effective weapon for scammers. Photo: Morten Waagø / NRK
Through investigations into Magic Cat, NRK has obtained information about 19,000 people in Norway who, over a period of seven months, have been tricked into giving up their card details.
In the data, NRK found over 300 customers from Sparebank1 SMN.
Data from the bank shows how quickly scammers can strike. One customer experienced their card being used twelve times on the Chinese online store AliExpress within ten minutes.
During this time, the scammer managed to spend 50,000 NOK.
An Important Lead
Harrison Sand and Erlend Leiknes, the IT security experts from Mnemonic, acquired Darcula's software, Magic Cat, and turned it inside out.
Their investigation led them to a skyscraper in Los Angeles.
On the skyscraper's third floor, Magic Cat's main server was likely located.
The very heart of Darcula's fraud operations. From there, he controlled Magic Cat and kept track of his clients.
Leiknes and Sand discovered a critical digital footprint: an IP address possibly linked to the mastermind. The IP address was registered with one of China's largest cloud service companies.
Could Darcula be in China?
They couldn't confirm this, as it's possible to purchase an IP address from the company. It's a well-known tactic for those who want to stay hidden.
The experts investigated whether this specific IP address had previously been used for anything else and found a blog from 2022 that had since been shut down.
– It seemed random at first glance, but we kept digging deeper down the rabbit hole, says Sand.
Darcula is the Biggest
There are hundreds of Chinese scam groups sending deceptive messages, but one player is clearly the largest, according to security researcher Ford Merrill.
– From what we can see, Darcula is one of the biggest and most experienced players. Darcula was already active when we began monitoring these groups in August 2023, says Merrill.
He works for the company SecAlliance, linked to CSIS in Copenhagen, and may be the world's leading expert on how groups of Chinese criminals have professionalized messaging scams globally.
Security researcher Ford Merrill. Photo: Jonas Alsaker Vikan / NRK
– Since last autumn, 70-80 percent of scam messages from such groups have originated from Magic Cat. The program offers over three hundred fake websites from around the world, while its nearest competitor has only thirty.
According to Merrill, there are also some Russian-language messaging scam groups.
– But they are nowhere near the size and scope of the Chinese-speaking groups, he says.
Unique data obtained by NRK reveals that, in seven months, scammers have used Magic Cat to collect 884,000 cards worldwide.
– The person behind Magic Cat has been highly successful. Darcula is likely one of the original developers of the program, says Merrill.
The Name
Erlend Leiknes and Harrison Sand examined the shut-down blog from 2022 carefully.
They discovered both an email address and a username. The username was also used on the site GitHub.
There was an account there with an image of a Japanese comic figure.
The account had also shared source code that reminded them of what they had seen when examining Magic Cat.
– We saw that this was a developer who used much of the same technology that Magic Cat was built on, says Sand.
But it didn’t end there.
On GitHub, they also found a new email address and two intriguing documents.
In the documents' metadata, there was a Chinese name.
Yucheng C.
Was this Darcula's real name?
– A Shame for Humanity
Lars, the business owner from Eastern Norway, reported the fraud of over 100,000 NOK.
The police decided not to investigate further and closed the case. Lars felt disappointed.
– It's a bit sad that they don't even try to unravel things. It makes me wonder what the police are really doing. Do we have such big problems in society that they can only work on the most serious cases? he tells NRK.
NRK asked the police what they did to find the perpetrator.
– Since all information indicates that the fraud occurred from abroad, no further investigation has been conducted beyond acknowledging this, replies the police prosecutor responsible for the case.
Lars also contacted his bank to explain what happened. After filling out a form, the bank compensated him for his loss.
– But it's really all of us who pay for it, he says.
Lars concludes that those who scammed him have no shame.
– I get irritated and angry. They have no honor or pride in life when they are stealing money that others have worked hard for. It is a disgrace to humanity.
1000 Possible Combinations
With the name Yucheng C. and two email addresses, it was possible to continue the hunt for Darcula.
NRK and Mnemonic investigated whether these email addresses had been used to create profiles on social media and other digital services.
We found several profiles where the same images, of cats and Japanese comic figures, appeared.
On Instagram, we also discovered a profile picture showing a sleeping child with drawn-on whiskers and rabbit ears. Slightly odd.
A PayPal account was linked to both one of the email addresses and a phone number.
It was possible to see some digits of the number, and the country code revealed it was a Chinese number.
The next clue was found on a YouTube account, which had published a video clip of a cat eating.
Screenshot from the video that was published on the YouTube channel.
The YouTube account also had another video clip where a mobile screen was shown briefly. In the corner of the mobile screen, four Chinese characters were visible.
They showed which telecom operator the phone was associated with.
In China, each telecom operator is assigned fixed number ranges, so once the operator was known, more digits fell into place.
Now, three digits remained.
This meant 1000 possible combinations.
– A Shot in the Dark
The IT security experts compared the thousand possible combinations with lists of phone numbers from data breaches published online.
– It was a shot in the dark, says Erlend Leiknes.
But the shot paid off. Seven of the phone numbers were in a database of data breaches.
One of them was linked to a profile on a popular Chinese social media platform. They had seen the profile picture before: The sleeping child, with drawn-on whiskers and rabbit ears.
The experts decided to investigate this phone number further and made a breakthrough.
The number had been used to register a web domain.
The domain owner's name was one they had seen before:
Yucheng C.
The Man from Henan
NRK found variations of this name in several places, including in user manuals for the Magic Cat program in scam groups on Telegram associated with Darcula.
NRK asked Xavier Huang, an independent investigator specializing in China, to look into the Chinese phone number.
According to Huang, it belongs to a young Chinese man named Yucheng C.
He is 24 years old and from the Henan province in China.
The sum of NRK's investigations shows that Yucheng C. is behind the criminal persona Darcula.
This is his ID card:
«We don't want to lose him»
«Yucheng, I wish to speak with you.»
NRK sends Darcula a direct message, using his real name.
A few days later, someone calling themselves Lao Liu contacts us to respond to the inquiry.
«Yucheng is employed by our company. He resigned a week ago.»
Liu is unwilling to disclose the company's name or where it's registered, citing privacy concerns.
«Why did Yucheng resign?»
«It might be due to you, so I need to know what you want.»
«We are writing about Magic Cat and wish to speak with those behind the software.»
«There are many people behind the program, and I am one of them.»
«Is it true that Yucheng C. is one of them?»
«Yes. He sells the most.»
«Is he one of the founders of Magic Cat?»
«You can publish that, it doesn't matter. The income belongs to the company; he just gets the salary.»
«Is he the creator of Magic Cat?»
«He is just one of the technologists who developed the program. (...) We don't want to lose him.»
Denies Fraud
NRK points out that Magic Cat is used to scam people. Liu denies that the company is involved in fraud.
«We only sell the software that creates websites. We do not encourage people to use it for phishing. We are involved in network security and fraud prevention.»
«NRK can document that Darcula on Telegram communicates with and assists people using Magic Cat for scams. How do you explain this?»
«We only sell the software. We do not know the users.»
«Are you aware that Magic Cat is used for fraud?»
«I know, we will shut it down.»
New Version of Magic Cat
As this story is published, there is no indication that Magic Cat has been shut down.
Instead, a new version of Magic Cat has recently been released.
It is more advanced and makes it even easier to deceive people and take their money.
Read also: Mnemonic's technical report from their fraud investigation.