Chinese-speaking cybercriminals are using ghost-tapping techniques to take advantage of Near Field Communication (NFC) relay tactics in a sophisticated evolution of payment card fraud. They are mainly targeting mobile payment services such as Apple Pay and Google Pay.
This attack vector involves relaying stolen payment card credentials from compromised devices to mules’ burner phones, enabling unauthorized contactless transactions for retail fraud.
According to analysis from Insikt Group, threat actors such as @webu8 on Telegram are automating the provisioning of victim cards into digital wallets, bypassing security measures like one-time passwords (OTPs) through phishing and malware.
These operations, often orchestrated from bases in Southeast Asia including Cambodia and China, facilitate global campaigns by supplying syndicates with pre-loaded burner devices and proprietary relay software.
NFC Relay Fraud Ecosystem
The technique relies on open-source tools like NFCGate for capturing and modifying NFC traffic, allowing real-time emulation of tokenized card data at point-of-sale (POS) terminals or ATMs.
This has led to significant financial losses, with Singapore reporting over 656 cases between October and December 2024, amounting to at least $1.2 million SGD in unauthorized transactions, predominantly involving Apple Pay-linked cards.
Syndicates, well-established criminal networks with roots in scamming activities since 2020, integrate ghost-tapping into their money-laundering pipelines by recruiting specialized mules via Telegram marketplaces like Huione Guarantee, Xinbi Guarantee, and Tudou Guarantee.
Despite Huione Guarantee’s announced shutdown in May 2025, its decentralized Telegram infrastructure persists, enabling the pivot to alternatives for escrow-based dealings in USDT.
Cybercriminals procure stolen credentials through phishing campaigns that intercept OTPs and bank login details, then load them onto iOS or Android devices.
Proprietary software, akin to the SuperCard X malware-as-a-service (MaaS) platform, relays NFC signals containing Answer To Reset (ATR) messages to emulate legitimate cards, deceiving terminals without physical proximity.
Mules, posing as tourists, execute in-person purchases of high-value goods such as jewelry, gold, and electronics in regions like Singapore, Malaysia, Thailand, and the Philippines.
These items are subsequently transported across borders and resold on the same platforms or e-commerce sites like eBay and Carousell, converting illicit gains into clean fiat currency.
Global Implications for Cybersecurity
The ghost-tapping ecosystem delineates clear roles: cybercriminals handle credential theft and relay tool development, while syndicates manage mule recruitment for ghost-tapping, transportation, reselling, and laundering.
Engagements reveal business models where burner phones, priced at around 90 USDT each with additional fees per linked card, are sold in bulk, often with recycling services to reload credentials.
According to the report, automation scripts attempt card additions at intervals, exploiting banks’ mobile wallet toggles if login details are compromised.
This fraud’s stealth stems from lax Know-Your-Customer (KYC) at retail outlets and the use of fake identities, making detection challenging for financial institutions.
To counter these threats, banks should enforce device risk analysis, flag anomalous transaction patterns like rapid geographic shifts, and shift from SMS OTPs to push provisioning or app-based verifications.
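One way to implement the "rapid geographic shifts" check, as an added example that is not from the report or from Insikt Group: it groups card-present taps by funding card, so a wallet token provisioned on a mule's device is compared against the cardholder's own activity, and flags consecutive taps whose implied travel speed is implausible. The field names, the 900 km/h ceiling, the 50 km noise floor and the sample taps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed


@dataclass(frozen=True)
class Tap:
    card_id: str   # funding card reference, not the per-device wallet token
    ts: datetime   # authorization time (UTC)
    lat: float     # terminal latitude
    lon: float     # terminal longitude


def haversine_km(a: Tap, b: Tap) -> float:
    """Great-circle distance between two terminals in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def flag_geo_shifts(taps, max_kmh=MAX_KMH, min_km=50.0):
    """Return (previous, current, implied_kmh) for implausible consecutive taps per card."""
    alerts, last = [], {}
    for tap in sorted(taps, key=lambda t: t.ts):
        prev = last.get(tap.card_id)
        last[tap.card_id] = tap
        if prev is None:
            continue
        km = haversine_km(prev, tap)
        if km < min_km:  # same metro area: ignore terminal geolocation noise
            continue
        # Floor the gap at one second so simultaneous taps do not divide by zero.
        hours = max((tap.ts - prev.ts).total_seconds(), 1.0) / 3600.0
        kmh = km / hours
        if kmh > max_kmh:
            alerts.append((prev, tap, round(kmh)))
    return alerts


# Constructed sample taps (not data from the report).
SAMPLE = [
    Tap("card-A", datetime(2024, 11, 2, 9, 0), 1.3521, 103.8198),    # Singapore
    Tap("card-A", datetime(2024, 11, 2, 9, 20), 13.7563, 100.5018),  # Bangkok, 20 min later
    Tap("card-B", datetime(2024, 11, 2, 8, 0), 1.3521, 103.8198),    # Singapore
    Tap("card-B", datetime(2024, 11, 2, 20, 0), 3.1390, 101.6869),   # Kuala Lumpur, 12 h later
    Tap("card-A", datetime(2024, 11, 2, 9, 25), 13.7570, 100.5030),  # Bangkok again, nearby
]
```

Keying on the funding card matters here because each provisioned device gets its own token; a per-token view would never see the cardholder's phone and the burner phone side by side.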
Consumers must monitor notifications, avoid sharing OTPs, and use official channels for banking inquiries. Law enforcement collaboration with payment networks is crucial to disrupt phishing infrastructure and track NFC relay tools.
As ghost-tapping expands globally, impacting retail, banking, and insurance sectors, proactive measures are essential to mitigate this hybrid cyber-physical fraud, which Recorded Future assesses could proliferate among non-Chinese syndicates via customized MaaS offerings.