Last updated: June 4, 2026
# The Text That Stole a Billion Dollars
The message arrives while you’re making dinner. “We attempted delivery of your package. Reschedule here:” and a link. You tap it without thinking because you ordered something last week. Or was it two weeks ago? Hard to keep track.
That tap just connected you to a phishing operation that stole over a billion dollars in three years.
The group behind it calls themselves Darcula. Law enforcement calls them Smishing Triad. Google called them out in a lawsuit after tracking their infrastructure across 121 countries. On one day in 2025, they sent 330,000 fake delivery texts. Not across a week. A single day.
The scale doesn’t make sense until you realize how many people expect packages at any given moment. Amazon alone delivers ten million packages daily in the United States. FedEx and UPS add millions more. Somebody you know — probably you — is waiting for a box to show up. That cognitive overlap is the entire con.
The fake text doesn’t need perfect information. It just needs plausible timing. And on a smartphone screen, with your thumbs already moving, the URL looks close enough. “amz-delivery.info” passes for legitimate when you’re half-distracted and the text sits between a group chat and a calendar reminder.
What Happens After the Tap
You land on a website that looks exactly like FedEx. Or USPS. Or Amazon. The branding is pixel-perfect because the scammers scraped the real sites and rebuilt them on throwaway domains. You’re asked to confirm your address. Then verify your account. Then pay a “redelivery fee” of $4.99.
That’s the tell. Real carriers don’t charge redelivery fees via text message links. They bill your account or collect at delivery. But the fee is small enough to seem reasonable, and you’re already this far in, and you just want your package.
So you enter your credit card number.
What you don’t see: the card details immediately get sold to buyers on the darknet. Within hours, micro-transactions start hitting your account. $12 here, $38 there — small enough that most people don’t notice for weeks. Some victims reported hundreds of fraudulent charges spread across two months before they caught the pattern.
And if the fake site asked for your email and password? Those credentials are worth more than the card. Scammers use them to access your real Amazon account, reset passwords on linked services, and take over everything from your email to your social media. It’s not just about the package anymore.
The Malware Path
Some of these fake delivery sites don’t ask for information at all. They just install malware.
You tap the link. The site redirects you to download “a delivery tracking app.” That app is a Remote Access Trojan. It runs silently in the background of your phone, capturing every password you type, every two-factor authentication code you receive, every banking login.
The FBI’s Internet Crime Complaint Center noted in 2024 that over 40% of people who clicked on fake delivery links experienced identity theft within 90 days. Not all of them paid a fake fee. Many just visited the site. The malware did the rest.
That’s the thing about smartphone-targeted scams: you don’t get the visual cues you’d get on a desktop. No browser warning. No address bar you can easily inspect. Just a tap, a redirect, and software designed to empty your accounts over the next three months.
The E-ZPass Variation
Darcula didn’t stop at fake packages. In early 2025, they sent millions of texts impersonating E-ZPass toll agencies across eight states. The message claimed you owed unpaid toll fees and directed you to a site that looked identical to nyc.gov.
People paid. Of course they did — nobody wants a suspended license or escalating fines. The fake fees ranged from $5 to $50. Multiply that by a million victims and you start to understand how a phishing-as-service operation generates nine-figure revenue.
The tool they used to build these fake sites? It’s called Lighthouse. You can buy it for under $500. Pricing tiers start at $50, drop to $30, then $20 for bulk buyers. Cybercrime-as-a-service isn’t some shadowy underworld anymore. It’s a SaaS business model with customer support and feature updates.
Google’s lawsuit against the operation identified infrastructure across dozens of countries, thousands of domains, and a rotation system that made takedowns nearly impossible. Shut down one fake site and three more appear within hours. The FTC flagged fake package delivery as the top text scam category in their April 2025 Data Spotlight report.
And yet most people don’t know it’s happening until it’s already happened to them.
Why It Works
You’re not stupid for tapping a delivery notification. The scam succeeds because it weaponizes legitimate infrastructure. Real carriers send texts. Real packages get delayed. Real websites ask you to confirm addresses.
The psychological hook is timing. You probably do have something on the way, even if you can’t remember exactly what. And if you don’t? Your spouse does. Your kid does. Your roommate does. The text doesn’t need to be precise — it just needs to be possible.
The second advantage: urgency. “Delivery attempt failed” implies you need to act now or the package goes back. Nobody wants to reschedule or pay return fees or wait another week. So you tap before you think.
And the third advantage, the one that makes mobile-targeted scams particularly effective: verification is harder on a phone. Hovering over a link to inspect the URL doesn’t work on a touchscreen. The address bar is tiny. You’re probably doing three other things. The friction between suspicion and confirmation is just high enough that most people skip the check.
The FTC estimates that 25-30% of people who receive fake delivery texts click the link. Compare that to the 5% average response rate for other phishing attempts. That’s not a small gap. That’s a systematically optimized attack.
What You Actually Do
I won’t tell you to “never click links in texts” because that’s not how people operate. You will click. I will click. The question is what happens between the click and the data entry.
Before you type anything — address, email, password, card number — look at the URL. Actually look. Not glance. Type the official company domain into a separate browser tab and compare. If you’re on “fedex-delivery.site” instead of “fedex.com,” close the page.
If the site asks for information the carrier already has, stop. They know your address. They know your tracking number. They don’t need you to “verify your account” via a text message link.
And if you’re asked to pay a fee you didn’t expect, call the carrier directly using the number on their official website. Not the number in the text. The number you look up yourself.
The FTC’s reporting page is ReportFraud.ftc.gov. File it there. It won’t get your money back, but it builds the case file that eventually leads to takedowns like the one Google filed against Darcula.
You can’t stop the texts from arriving. But you can stop the ten seconds between the tap and the data entry. That’s the gap that matters. That’s where the billion-dollar scam falls apart.
🛡️ Think You've Been Scammed?
- 📋 FTC: ReportFraud.ftc.gov | 1-877-382-4357
- 🌐 FBI IC3: ic3.gov (internet crimes)
- 👴 National Elder Fraud Hotline: 1-833-FRAUD-11 (1-833-372-8311)
- 📵 Do Not Call Registry: donotcall.gov | 1-888-382-1222
About Nolan Bridger
Nolan Bridger is a former blue collar worker from a small mountain town on the West Coast of the United States.
