As digital wallets and contactless payments revolutionize commerce in the Philippines, they’ve also opened a dangerous new front in cybercrime. A recent report by Resecurity, a global leader in cyber threat intelligence, reveals that Chinese cybercriminals are intensifying attacks on the Philippine financial ecosystem, exploiting Near Field Communication (NFC) technology and smishing campaigns on an unprecedented scale.
“The Philippines has become one of the top regions affected by Chinese cybercriminals,” Resecurity warned, citing underground marketplaces that list the country among those with the highest volume of compromised credit cards.
Driven by the explosive growth of mobile wallets like GCash, Maya, and GoTyme, NFC-enabled payments are now ubiquitous across the country. But with this convenience comes new risk. According to Resecurity, attackers are now using tools like Z-NFC, Track2NFC, and SuperCard X to simulate legitimate tap-to-pay transactions using stolen card data.
“The resulting fraud is difficult to detect, as the transactions appear to originate from trusted, authenticated devices,” the report states. “Such terminals can facilitate between $25,000 and $80,000 USD per day in fraudulent payments.”
Resecurity’s analysts observed a 230% year-over-year increase in Chinese-speaking dark web activity targeting the Philippines. The same tools and tactics once seen primarily in Europe and North America are now being adapted for Southeast Asia.
“The increase in cybercrime activity is proportional to malicious efforts by China targeting the Philippines and the Indo-Pacific region,” Resecurity noted.
Fraudsters are deploying Telegram bots and underground credit card shops with massive volumes of compromised Filipino-issued cards. Some bots offer interactive navigation of stolen card data by country and bank, exposing thousands of victims.
“Chinese cybercriminals are exploiting these aspects and moving cybercrime-related communications to Telegram, which seems to be a ‘safe option’ for their OPSEC while physically residing in China.”
Resecurity flagged a new smishing kit dubbed “Panda Shop”, a nod to China’s symbolic soft power icon, but with very different intentions. Like its predecessor, the Smishing Triad, Panda Shop automates phishing via SMS to harvest payment credentials—then monetizes them through carding networks and fake POS terminals.
“It doesn’t seem to bring anything good besides financial losses to consumers,” Resecurity noted.
In one example, a single underground shop managed by Chinese actors had over 7,741 compromised cards available. Others boasted 5,869 payment items, offering them at prices ranging from a few cents to a couple of dollars per card—cheap, yet devastating in aggregate.
The report reveals how NFC-enabled point-of-sale terminals, sometimes sold with pre-installed malicious software and eSIMs, are used to simulate fraudulent retail transactions.
“It is common for such POS terminals to be deployed in restaurant chains,” the report warns, noting that insiders may be recruited to share commissions from illegally processed funds.
These devices blend seamlessly into real financial flows, making detection extremely difficult. The fraud infrastructure even spans the TOR network, the surface web, and Telegram.
Disturbingly, Resecurity found that Chinese cybercriminals are partnering with local organized crime in the Philippines. These partnerships help them recruit money mules, open fraudulent e-wallet accounts, and build sophisticated money laundering chains.
To combat the growing threat, Resecurity urges financial institutions and regulators to:
- Harden POS onboarding and geolocation verification
- Deploy behavioral analytics for low-value NFC transactions
- Strengthen dark web monitoring for cloned cards and fraud tools
- Collaborate with BSP, CICC, and local banks on threat intelligence
- Educate consumers about device pairing risks and NFC wallet security
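The first two recommendations can be combined into one per-terminal check. The sketch below is an added example, not code from the Resecurity report: it flags terminals that take a burst of low-value NFC taps from many distinct cards in a short window, that report a location far from where they were onboarded, or that were never onboarded. The field names, thresholds, and sample records are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

# Illustrative thresholds: assumptions, not figures from the Resecurity report.
LOW_VALUE_PHP = 1000.0   # ceiling for a "low-value" tap
WINDOW_S = 600           # sliding window length in seconds
MIN_CARDS = 5            # distinct cards inside one window that count as a burst
MAX_DRIFT_KM = 25.0      # allowed distance from the onboarded location

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def has_burst(rows):
    """True if MIN_CARDS distinct cards made low-value NFC taps within WINDOW_S."""
    low = sorted((r for r in rows
                  if r["entry"] == "nfc" and r["amount"] <= LOW_VALUE_PHP),
                 key=lambda r: r["ts"])
    start = 0
    for end in range(len(low)):
        while low[end]["ts"] - low[start]["ts"] > WINDOW_S:
            start += 1
        if len({r["card_token"] for r in low[start:end + 1]}) >= MIN_CARDS:
            return True
    return False

def flag_terminals(onboarded, txns):
    """Return {terminal_id: [reasons]} for a batch of card-present transactions."""
    by_terminal = defaultdict(list)
    for t in txns:
        by_terminal[t["terminal"]].append(t)
    findings = {}
    for tid, rows in by_terminal.items():
        reasons = ["low_value_nfc_burst"] if has_burst(rows) else []
        if tid not in onboarded:
            reasons.append("terminal_not_onboarded")
        elif max(haversine_km(onboarded[tid], r["geo"]) for r in rows) > MAX_DRIFT_KM:
            reasons.append("geo_drift")
        if reasons:
            findings[tid] = reasons
    return findings

# Constructed sample data: made-up terminals and tokens, Manila and Cebu coordinates.
MANILA, CEBU = (14.5995, 120.9842), (10.3157, 123.8854)
def _tap(tid, i, gap_s, geo):
    return {"terminal": tid, "ts": i * gap_s, "entry": "nfc", "amount": 450.0,
            "card_token": f"{tid}-card{i}", "geo": geo}
ONBOARDED = {"T-100": MANILA, "T-200": MANILA}
SAMPLE = ([_tap("T-100", i, 1200, MANILA) for i in range(6)]   # spaced-out taps
          + [_tap("T-200", i, 60, CEBU) for i in range(6)]     # burst, wrong city
          + [_tap("T-300", 0, 0, MANILA)])                     # unknown terminal
```

In production the thresholds would be tuned per merchant category, since a busy legitimate terminal can also see many distinct cards in ten minutes.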