UNC5814 operates the Darcula PhaaS platform, which intercepts one-time passcodes in real time using Puppeteer-based AiTM session relay delivered over Apple iMessage and RCS — channels that bypass carrier-level SMS filtering and email security entirely. The campaign has evolved beyond credential theft to digital wallet tokenization, converting stolen payment card data into Apple Pay or Google Pay tokens without exposing raw card numbers, defeating traditional fraud controls. Financial services, payment processors, and any organization relying on SMS or TOTP MFA for customer-facing applications are primary targets.