Cybercriminals leverage NFC fraud against ATMs and POS terminals, stealing money from consumers at scale.
In Q1 2025, Resecurity (USA) investigated multiple NFC-fraud incidents at one of the top Fortune 100 financial institutions in the United States, with damages exceeding several million dollars. Stopping cybercriminals operating from China presents significant challenges due to geopolitical, technical, and organizational factors.
Cybersecurity experts identified multiple Chinese cybercriminal groups targeting Google and Apple Wallet customers. Their TTPs center on the abuse of contactless payments and the misuse of NFC technology to conduct fraud. Analysts from Resecurity’s HUNTER unit identified a group on Telegram offering the Z-NFC tool for sale to facilitate fraudulent transactions. Another tool, called King NFC, was previously marketed on the Dark Web as an alternative.
The actors primarily use Android-based phones with numerous cards “loaded” into mobile wallets for further fraud. In one such instance, cybercriminals specifically focused on fraud automation against Barclays, Bank of Scotland, Lloyds Banking Group, Halifax, HSBC, Santander, Wise and Revolut.
How do those apps work? They all use Host Card Emulation (HCE) to mimic a physical ISO 14443 NFC smart card by registering a service that extends HostApduService. This allows the app to receive and answer APDU command sequences exactly as a card would. APDU (Application Protocol Data Unit) commands are the standardized communication units exchanged between a smart card reader and a smart card. Cybercriminals abuse the same mechanism, using HCE to present compromised credit card data to terminals via NFC.
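To make the HCE/APDU relationship concrete, the following decoder shows what an HCE service actually receives from a reader and what "answering like a card" means at the byte level. It is an added example for analysts inspecting HCE app traffic or terminal-side logs, not code from Resecurity's report or from any tool named above. The command structure follows ISO 7816-4 short-form APDUs; the instruction names and the PPSE directory name come from the public ISO 7816-4 and EMV contactless specifications, and the sample APDUs are constructed for illustration.

```python
"""Decoder for ISO 7816-4 short command/response APDUs, the units an HCE
service (HostApduService subclass) receives from a reader and answers.
Added example for log inspection; not part of any tool the article describes."""
from dataclasses import dataclass
from typing import Optional

# A few well-known (CLA, INS) pairs from ISO 7816-4 and the EMV specifications.
INS_NAMES = {
    (0x00, 0xA4): "SELECT",
    (0x00, 0xB2): "READ RECORD",
    (0x80, 0xA8): "GET PROCESSING OPTIONS",
    (0x80, 0xAE): "GENERATE AC",
    (0x80, 0xCA): "GET DATA",
}

# Directory name of the Proximity Payment System Environment, the first thing
# a contactless EMV reader selects on a card or on an HCE wallet.
PPSE_NAME = b"2PAY.SYS.DDF01"


@dataclass
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None

    @property
    def name(self) -> str:
        return INS_NAMES.get((self.cla, self.ins), f"INS 0x{self.ins:02X}")

    @property
    def is_select_by_name(self) -> bool:
        # SELECT with P1=0x04 selects an application/directory by its DF name (AID).
        return (self.cla, self.ins, self.p1) == (0x00, 0xA4, 0x04)


def parse_command(raw: bytes) -> CommandApdu:
    """Parse a short-form command APDU: CLA INS P1 P2 [Lc data] [Le] (cases 1-4)."""
    if len(raw) < 4:
        raise ValueError("APDU header needs 4 bytes")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                  # case 1: header only
        return CommandApdu(cla, ins, p1, p2)
    if len(body) == 1:                            # case 2: Le only
        return CommandApdu(cla, ins, p1, p2, le=body[0])
    lc = body[0]
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc exceeds available data")
    rest = body[1 + lc:]
    if not rest:                                  # case 3: data, no Le
        return CommandApdu(cla, ins, p1, p2, data)
    if len(rest) == 1:                            # case 4: data and Le
        return CommandApdu(cla, ins, p1, p2, data, le=rest[0])
    raise ValueError("trailing bytes after Le")


def parse_response(raw: bytes) -> tuple[bytes, int]:
    """Split a response APDU into (data, SW1SW2); 0x9000 is the success status."""
    if len(raw) < 2:
        raise ValueError("response needs SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")


def describe(raw: bytes) -> str:
    """One-line log summary of a command APDU."""
    cmd = parse_command(raw)
    if cmd.is_select_by_name:
        label = " (PPSE)" if cmd.data == PPSE_NAME else ""
        return f"SELECT by name: {cmd.data.decode('ascii', 'replace')}{label}"
    return f"{cmd.name} P1={cmd.p1:02X} P2={cmd.p2:02X} Lc={len(cmd.data)}"


# Constructed samples: the opening SELECT PPSE a reader sends, a READ RECORD,
# and a bare success status word.
SELECT_PPSE = bytes.fromhex("00A404000E" + PPSE_NAME.hex() + "00")
READ_RECORD = bytes.fromhex("00B2010C00")
SW_SUCCESS = bytes.fromhex("9000")

if __name__ == "__main__":
    for apdu in (SELECT_PPSE, READ_RECORD):
        print(describe(apdu))
    print("response SW=%04X" % parse_response(SW_SUCCESS)[1])
```

Run against a captured HCE log, the decoder turns opaque hex into the command flow (SELECT PPSE, SELECT application, GET PROCESSING OPTIONS, READ RECORD, GENERATE AC) that a legitimate wallet and a fraudulent HCE app both have to satisfy, which is exactly why the terminal cannot tell them apart by protocol alone.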
Why is NFC-enabled fraud still possible? Traditional payments typically require some Cardholder Verification Method (CVM) such as PIN or signature. For low-value contactless payments below the “Contactless CVM limit,” no CVM is required – the consumer can simply Tap & Go. Unfortunately, cybercriminals actively exploit this by executing many small transactions spread across a high volume of compromised cards.
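The pattern just described (many sub-limit taps, no CVM, many different cards, one terminal) is what acquirer-side monitoring can look for. The velocity rule below is an added example written for this article, not a detection from Resecurity or from any bank named here; the log format, the 50.00 CVM limit and the alert thresholds are constructed placeholders, since real limits are set per scheme and region.

```python
"""Velocity detection for 'Tap & Go' abuse: many CVM-less, sub-limit
contactless taps from many different cards at one terminal in a short window.
Added example with a constructed log format and thresholds; not from the report."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder contactless CVM limit in the terminal's currency. The real value
# is set per card scheme and region and must come from the acquirer's configuration.
CVM_LIMIT = 50.00


@dataclass(frozen=True)
class Txn:
    ts: datetime
    terminal_id: str
    card_token: str   # tokenised PAN; raw card numbers never belong in these logs
    amount: float
    cvm: str          # "none", "pin", "signature" or "cdcvm" (wallet PIN/biometrics)


def parse_txn(line: str) -> Txn:
    """Parse one constructed log line of the form ts|terminal|token|amount|cvm."""
    ts, terminal, token, amount, cvm = line.strip().split("|")
    return Txn(datetime.fromisoformat(ts), terminal, token, float(amount), cvm)


def detect_tap_and_go_abuse(txns, limit=CVM_LIMIT,
                            window=timedelta(minutes=10), min_cards=5):
    """Return one alert per offending terminal as
    (terminal_id, window_start, distinct_cards, total_amount).

    An alert fires when at least `min_cards` distinct card tokens made CVM-less
    taps below `limit` at the same terminal within `window`. Only CVM-less,
    sub-limit taps are counted, so a busy shop with PIN-verified sales does not
    trip the rule; a single card tapping repeatedly does not either.
    """
    by_terminal = defaultdict(list)
    for t in txns:
        if t.cvm == "none" and t.amount < limit:
            by_terminal[t.terminal_id].append(t)

    alerts = []
    for terminal, events in by_terminal.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e.ts - start.ts <= window]
            cards = {e.card_token for e in in_window}
            if len(cards) >= min_cards:
                total = round(sum(e.amount for e in in_window), 2)
                alerts.append((terminal, start.ts, len(cards), total))
                break  # first qualifying window is enough for this terminal
    return alerts


# Constructed sample: POS-0017 sees six different cards tap just under the limit
# in about three minutes; POS-0042 shows ordinary low-value traffic.
SAMPLE_LOG = """\
2025-03-04T10:00:05|POS-0017|tok_a1|44.90|none
2025-03-04T10:00:41|POS-0017|tok_b2|49.00|none
2025-03-04T10:01:12|POS-0017|tok_c3|47.50|none
2025-03-04T10:01:55|POS-0017|tok_d4|45.00|none
2025-03-04T10:02:30|POS-0017|tok_e5|48.20|none
2025-03-04T10:03:02|POS-0017|tok_f6|46.10|none
2025-03-04T10:05:00|POS-0017|tok_g7|120.00|pin
2025-03-04T10:00:10|POS-0042|tok_h8|12.30|none
2025-03-04T10:20:15|POS-0042|tok_i9|8.75|none
2025-03-04T10:44:00|POS-0042|tok_h8|15.00|none
2025-03-04T11:10:00|POS-0042|tok_j0|31.00|cdcvm
"""


def run_demo():
    """Parse the constructed sample and return the alerts it produces."""
    txns = [parse_txn(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return detect_tap_and_go_abuse(txns)


if __name__ == "__main__":
    for terminal, start, cards, total in run_demo():
        print(f"ALERT {terminal}: {cards} distinct cards, {total:.2f} total, "
              f"window starting {start}")
```

Keying the rule on distinct card tokens rather than on transaction count is the point: a legitimate customer buying several small items produces many taps from one token, whereas a wallet loaded with stolen cards produces many tokens from one device at one terminal.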
Besides traditional POS terminals, according to Resecurity, cybercriminals also abuse tap-on-phone software (known as Soft POS) that turns NFC-enabled Android smartphones, tablets and other handheld devices into payment terminals.
Today, it is estimated that 1.9 billion phones worldwide are NFC-enabled, showcasing its rapid adoption.
Pierluigi Paganini
(SecurityAffairs – hacking, dark web)