Resecurity has uncovered a massive, evolving wave of fraud involving Near Field Communication (NFC) technology, exposing a growing threat driven by Chinese cybercriminal groups. With millions in damages reported by financial institutions, including a Fortune 100 bank in the U.S., this emerging threat is no longer fringe; it’s becoming a global crisis.
“Numerous banks, FinTechs, and credit unions have reported increased NFC-related fraud and highlighted significant challenges in early detection,” notes Resecurity.
NFC enables contactless payments, which surged during the COVID-19 pandemic. Today, more than 1.9 billion smartphones are NFC-enabled, making tap-and-go transactions seamless. But what was built for convenience has turned into a weapon for cybercriminals, who are using custom tools to emulate NFC cards and relay stolen data.
One standout technique is the “Ghost Tap”, where bad actors relay stolen credit card data through an NFC-enabled device to make unauthorized purchases at POS terminals:
“The ‘Ghost Tap’ technique enables cybercriminals to cash out money from stolen credit cards linked to mobile payment services… without triggering traditional fraud detection.”
Tools like Track2NFC and Z-NFC have emerged as key players in these attacks. Track2NFC allows attackers to store stolen magnetic stripe data on phones and initiate NFC-based payments. Meanwhile, Z-NFC, a heavily obfuscated Android malware, emulates NFC smart cards using Host Card Emulation (HCE) to hijack APDU commands.
“The Z-NFC Card Emulator… enables unauthorized access to contactless systems, including payment terminals and credit card infrastructure,” Resecurity reveals.
Reverse engineering shows Z-NFC utilizes encrypted native libraries (libjiagu.so, libjgdtc.so) and dynamic runtime injection to avoid static detection, functioning as both malware loader and NFC emulation engine.
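A static triage check for the two traits described above, as an added example that is not from Resecurity's report: it flags an APK that bundles the native libraries named in the article and also declares an HCE service. The sample APKs are constructed in memory and the function names are this example's own; the two HCE strings are the standard Android identifiers for a host APDU service.

```python
import io
import zipfile

# Native library names the article attributes to Z-NFC's packed loader.
PACKER_LIBS = {"libjiagu.so", "libjgdtc.so"}
# Android identifiers that a Host Card Emulation (HCE) service declares.
HCE_MARKERS = ("android.nfc.cardemulation.action.HOST_APDU_SERVICE",
               "android.permission.BIND_NFC_SERVICE")

def _contains(blob: bytes, text: str) -> bool:
    # Compiled manifests store strings as UTF-8 or UTF-16LE; check both.
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob

def triage_apk(apk_bytes: bytes) -> dict:
    """Report packer libraries and HCE markers found in an APK (a ZIP file)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        # Packed loaders sit under lib/<abi>/ or are hidden in assets/.
        libs = {n.rsplit("/", 1)[-1] for n in names
                if n.startswith(("lib/", "assets/"))} & PACKER_LIBS
        manifest = apk.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    hce = [m for m in HCE_MARKERS if _contains(manifest, m)]
    # Either signal alone also appears in legitimate apps; together they match
    # the loader-plus-emulator profile the article describes.
    return {"packer_libs": sorted(libs), "hce_markers": hce,
            "escalate": bool(libs) and bool(hce)}

def build_sample(files: dict) -> bytes:
    """Build a constructed in-memory APK-like ZIP (demo input, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in files.items():
            z.writestr(path, data)
    return buf.getvalue()

# Constructed samples: a packed HCE app and an unpacked wallet app.
SUSPECT = build_sample({
    "AndroidManifest.xml": "\x00".join(HCE_MARKERS).encode("utf-16-le"),
    "lib/arm64-v8a/libjiagu.so": b"constructed",
    "assets/libjgdtc.so": b"constructed",
})
BENIGN = build_sample({
    "AndroidManifest.xml": HCE_MARKERS[0].encode("utf-8"),
    "lib/arm64-v8a/libwallet.so": b"constructed",
})

if __name__ == "__main__":
    print(triage_apk(SUSPECT))
    print(triage_apk(BENIGN))
```

A hit is a reason to send the sample for dynamic analysis, not a verdict, since the payload itself stays encrypted until runtime.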
Cybercriminals now sell NFC-enabled POS terminals on the Dark Web, many registered by money mules. They’re even offering e-SIMs, NFC readers, and “white plastic” cards to clone and use stolen payment data.
Loyalty programs are also under fire. Resecurity found fraudsters using tools like X-NFC to exploit airline miles, hotel points, and gas rewards, with Telegram channels offering video tutorials and support.
“X-NFC customers are widely using this approach to defraud consumers of airlines, hotels, gas (petro) loyalty programs and steal their points.”
Chinese cybercriminals focus on high-value economies (U.S., UK, Australia, Saudi Arabia, and more), exploiting weak CVM (Cardholder Verification Method) thresholds and security flaws in mobile wallet apps. Many of these groups appear to operate from within China and collaborate via closed Chinese-language Telegram groups, where some channels exceed 5,900 active members.
“Chinese cybercriminals have become highly active in defrauding consumers worldwide by exploiting NFC technology and leveraging specialized tools…”
Beyond financial theft, the ability to emulate NFC ID systems creates alarming risks for access control, identity theft, and even infrastructure sabotage. NFC spoofing can compromise government buildings, healthcare networks, or enterprise systems, making it a national security issue.
“Without decisive action, these cybercriminals will continue to exploit NFC technology, posing a serious risk to consumers and businesses worldwide,” the report concludes.