Massive Credit Card Theft Rings Alarm Bells in Tech Community

A prolific scamming operation has emerged in the wake of the takedown of Magic Cat, a notorious software platform used to launch SMS text message scams. Researchers at Oslo-headquartered security firm Mnemonic have sounded the alarm on the new operation, Magic Mouse, which has already surpassed its predecessor in terms of scale and success.

According to Harrison Sand, an offensive security consultant at Mnemonic, Magic Mouse has been surging in popularity since the demise of Darcula’s Magic Cat. Sand warns that the operation’s growing ability to steal people’s credit cards on a massive scale poses a significant threat to consumers. During a period of seven months in 2024, the scam netted at least 884,000 stolen credit card details, allowing scammers to cash in on their victims’ accounts. Some victims lost thousands of dollars in the scam, researchers say.

The scammers behind Magic Mouse use stolen credit card details in mobile wallets on phones to conduct payment fraud, laundering their funds into other bank accounts. Researchers have found photos from inside the operation posted in a Telegram channel, showing a line-up of credit card payment terminals and videos showing racks with dozens of phones used for automating the sending of messages to victims. These phones had mobile wallets overflowing with other people’s stolen cards, ready to be used for mobile transactions.

Sand estimates that Magic Mouse is already responsible for the theft of at least 650,000 credit cards a month. The operation’s success stems from the new operators stealing the phishing kits that made Magic Cat’s software so popular. These kits contain hundreds of phishing sites that mimic the legitimate web pages of major tech giants, popular consumer services, and delivery firms, designed to trick victims into handing over their credit card details.

Despite the prolific nature of Magic Cat and Magic Mouse, law enforcement appears to be slow to respond. Sand argues that the tech companies and financial giants shoulder much of the responsibility for allowing these scams to exist and thrive, and for not making it more difficult for scammers to use stolen cards. Sand notes that law enforcement is not looking beyond a few scattered reports of fraud or at the wider operation behind the scheme.

For consumers, ignoring unwanted text messages may be the best policy. As Sand notes, the best way to protect oneself from these scams is to be vigilant and cautious when it comes to unsolicited messages. Sand suggests that consumers should be wary of any messages that ask for sensitive information or prompt them to click on a link. “If it seems too good (or too bad) to be true, it probably is,” Sand advises.

The emergence of Magic Mouse has raised concerns about the ease with which scammers can operate and the lack of effective measures to prevent these types of scams. Sand notes that more needs to be done to educate consumers about the risks of these scams and to develop more effective ways to detect and prevent them.

A Timeline of the Magic Cat and Magic Mouse Scams

• 2024: Magic Cat, a notorious software platform used to launch SMS text message scams, is taken down by security researchers.
• 2024: Researchers at Mnemonic discover a new operation, Magic Mouse, which has already surpassed its predecessor in terms of scale and success.
• 2024: Magic Mouse is estimated to have stolen at least 884,000 credit card details in a period of seven months.
• 2025: Researchers sound the alarm on Magic Mouse, warning of its growing ability to steal people’s credit cards on a massive scale.
• 2025: Law enforcement appears to be slow to respond to the Magic Mouse scam, with Sand arguing that the tech companies and financial giants should take more responsibility for allowing these scams to exist and thrive.