Serbian drivers are being hit with a wave of fake "unpaid traffic fine" text messages that funnel them to counterfeit government payment pages built to steal their card details. Researchers at Group-IB have been tracking the smishing campaign, which impersonates Putevi Srbije, Serbia's state road authority, and say the infrastructure behind it points to two well-known Phishing-as-a-Service (PhaaS) platforms, Darcula and Phoenix.
The lure is simple and effective. A victim receives an SMS claiming they owe a traffic fine and that the amount will rise if they do not pay quickly. The link looks official, and the urgent tone does the rest. Tap it and you land on a cloned portal that copies the real road authority's logos, colors and layout, complete with fake case reference numbers and timestamps to make the "violation" look already on record. Enter a card number, expiry and CVV to "pay the fine," and the details go straight to the attackers, who can spend them, resell them, or hold them for later scams.
Why this one stands out
Group-IB's analysts found that a single operation carries fingerprints of both Darcula and Phoenix, two distinct PhaaS kits. Darcula is a Chinese-language platform first seen in 2023 that ships more than 200 phishing templates and has been used against postal services, airlines, banks and government bodies worldwide. Phoenix runs from a centralized panel that lets operators manage many campaigns across countries at once. Seeing both inside one campaign is a reminder that defenders should not assume one operation means one toolkit; criminals now mix and match kits the way legitimate teams mix software. IntelFusions previously covered another Group-IB smishing operation that hid its phishing pages behind fake Cloudflare error screens.
How the pages dodge detection
The fake sites lean heavily on evasion. Instead of placing the scam text directly in the HTML, the pages store it in encoded form inside custom elements and decode it in the browser only after the page loads or when a section scrolls into view, with a background timer sweeping for freshly injected content every couple of seconds. Automated security scanners and takedown crawlers that inspect the raw page source without executing its JavaScript therefore see almost none of the tell-tale scam keywords, while a real victim sees a fully rendered payment form. Reviewing such a page properly means rendering it in a headless browser, or at least decoding the attribute payloads before keyword matching. Group-IB describes an operation optimized for speed, low cost and evasion: disposable domains, fast infrastructure rotation, and proxy services to hide the origin.
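To make the evasion concrete, here is an added example (not Group-IB's sample and not the kit's own code): a constructed page that hides its lure text the way the paragraph above describes, a source-only keyword scan that misses it, and a cheap scanner tweak that recovers it from the raw HTML without a browser. The markup, element names, keyword list and strings are all hypothetical.

```javascript
// Added example (not from the Group-IB report or the phishing kit): a
// constructed page that hides its lure text as described in the briefing,
// and a scanner tweak that recovers it from raw source without rendering.
// All markup, keywords and strings here are hypothetical.

function b64(s) { return Buffer.from(s, "utf8").toString("base64"); }

// Constructed sample page. The scam text exists only as base64 inside a
// custom element's attribute. The inline script (never executed here) decodes
// it when the element scrolls into view and, as a fallback, from a timer that
// sweeps the DOM every two seconds, so only a rendering browser sees it.
const SAMPLE_HTML = `
<html><body>
<x-notice data-enc="${b64("Neplaćena kazna za prekršaj. Iznos raste za 48h. Platite odmah.")}"></x-notice>
<x-notice data-enc="${b64("Broj kartice, datum isteka i CVV")}"></x-notice>
<script>
  function reveal(el) {
    const bytes = Uint8Array.from(atob(el.dataset.enc), c => c.charCodeAt(0));
    el.textContent = new TextDecoder().decode(bytes);
    el.removeAttribute("data-enc");
  }
  const io = new IntersectionObserver(es => es.forEach(e => e.isIntersecting && reveal(e.target)));
  document.querySelectorAll("x-notice").forEach(el => io.observe(el));
  setInterval(() => document.querySelectorAll("x-notice[data-enc]").forEach(reveal), 2000);
</script>
</body></html>`;

// Keywords a takedown crawler might look for (illustrative list).
const KEYWORDS = ["kazna", "platite", "kartice", "cvv"];

function keywordHits(text) {
  const lower = text.toLowerCase();
  return KEYWORDS.filter(k => lower.includes(k));
}

// What a source-only crawler sees: text nodes after tags and scripts are dropped.
function visibleText(html) {
  return html.replace(/<script[\s\S]*?<\/script>/gi, " ").replace(/<[^>]+>/g, " ");
}

function naiveScan(html) { return keywordHits(visibleText(html)); }

// Recover hidden strings: every attribute value that decodes cleanly as base64
// is treated as candidate text. The round-trip check drops values that merely
// look like base64 (hashes, tokens), which keeps false decodes down.
const B64_ATTR_RE = /=["']([A-Za-z0-9+/]{16,}={0,2})["']/g;

function decodedStrings(html) {
  const out = [];
  for (const m of html.matchAll(B64_ATTR_RE)) {
    const buf = Buffer.from(m[1], "base64");
    if (buf.toString("base64") !== m[1]) continue;
    out.push(buf.toString("utf8"));
  }
  return out;
}

// Scan visible text plus every decoded attribute payload.
function decodingScan(html) {
  return keywordHits([visibleText(html), ...decodedStrings(html)].join("\n"));
}

console.log("source-only scan:", naiveScan(SAMPLE_HTML));    // []
console.log("decoding scan:   ", decodingScan(SAMPLE_HTML)); // ["kazna","platite","kartice","cvv"]
```

The decoding pass is deliberately greedy: it costs nothing to try every long attribute value, and a real kit can move the payload into a `<script>` block, a JSON blob or a second encoding layer, so treat this as a cheap first filter and keep a headless-browser render as the authoritative check.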
What you should do
Never pay a "fine" from a link in a text message. Government agencies do not collect urgent payments through unsolicited SMS links. If you think a fine might be real, open the road authority's website by typing its address yourself or from a saved bookmark, never from the SMS, and verify the fine through the channels it lists. Treat urgency as a red flag, and check the domain's ending: the campaign's fraudulent sites used uncommon TLDs such as [.]top, [.]icu, [.]cc and [.]homes, where a Serbian public body would be expected on [.]rs. If you have already entered card data on a suspicious page, call your bank right away to block the card, dispute any charges and request a replacement.
Indicators
A sample of the defanged phishing domains reported by Group-IB: putevi-srbije[.]help, putevs[.]cc, puteva[.]cc, putevi-srbije[.]icu, putevis-srbbije[.]top and putevi-srbijeba[.]homes. All impersonate the Serbian road authority's branding. You can read the original Group-IB research for the full technical breakdown and indicator list.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.