Hackers use NFC Technology to Steal Money from ATMs and POS Terminals

In a troubling development, cybercriminals with ties to underground networks in China are leveraging Near Field Communication (NFC) technology to carry out widespread fraudulent activities at ATMs and Point-of-Sale (POS) terminals. Reports from various financial institutions, including banks, FinTech companies, and credit unions, have indicated a surge in NFC-related fraud in the first quarter of 2025, resulting in financial losses exceeding millions of dollars for a prominent Fortune 100 financial entity in the United States.

These criminals have demonstrated a high level of adaptability by creating sophisticated tools to exploit NFC systems for unauthorized transactions across multiple countries such as the U.S., UK, EU, Australia, Canada, Japan, and the UAE. The global reach of these cyber operations, often supported by organized crime groups with potential state backing in China, presents significant challenges for detection and mitigation due to geopolitical and technical complexities.

The mechanics of NFC fraud involve the manipulation of Host Card Emulation (HCE), an Android technology that enables devices to imitate NFC smart cards to interact with payment terminals using Application Protocol Data Unit (APDU) commands. Tools like “Z-NFC” and “Track2NFC,” available on the Dark Web and through Telegram channels, enable cybercriminals to replicate card data or transmit stolen payment details from victims’ mobile wallets like Google Pay or Apple Pay to conduct fraudulent transactions at ATMs and POS terminals. Tactics such as “Ghost Tap” allow fraudsters to make transactions without alerting merchant payment processors, while apps like “HCE Bridge” simulate contactless payment options for malicious purposes.

Investigations by Resecurity into the Z-NFC tool have revealed a heavily encrypted Android APK that employs native libraries and runtime decryption to evade traditional analysis methods, highlighting the sophistication of these attacks. Furthermore, cybercriminals utilize fleets of mobile devices to automate fraudulent activities on a large scale, targeting major financial institutions and even exploiting loyalty points programs for unauthorized redemptions.

In addition to these tactics, cybercriminals exploit NFC-enabled POS terminals through illegitimate registrations and money mules to facilitate money laundering operations across different countries. By utilizing stolen Track 2 data from ATM skimmers, these criminals are able to conduct transactions at compromised terminals, often circumventing Cardholder Verification Methods (CVM) for low-value contactless payments. Widespread adoption of NFC technology, together with the secure nature of encrypted communication and e-SIM contracts, makes it challenging to trace and intercept these illicit operations.

Given the increasing reliance on NFC technology for contactless payments and identity verification worldwide, robust security measures, advanced fraud detection systems, and international collaboration are more critical than ever in combating this escalating cyber threat.
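As an added illustration of the fraud detection the article calls for (this code is not from the article or from Resecurity), the Python sketch below flags one signal of relayed wallet credentials: consecutive low-value contactless taps on the same card token, made without cardholder verification, at terminals too far apart to reach in the elapsed time. The record fields, the 100.00 no-CVM limit and the 900 km/h speed ceiling are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records; field names are assumptions, not a real processor schema.
TXNS = [
    {"id": "t1", "token": "tokA", "ts": "2025-03-01T10:00:00", "lat": 40.7128, "lon": -74.0060,
     "entry": "contactless", "cvm": "none", "amount": 45.00},
    {"id": "t2", "token": "tokA", "ts": "2025-03-01T10:20:00", "lat": 51.5074, "lon": -0.1278,
     "entry": "contactless", "cvm": "none", "amount": 38.50},
    {"id": "t3", "token": "tokB", "ts": "2025-03-01T09:00:00", "lat": 48.8566, "lon": 2.3522,
     "entry": "contactless", "cvm": "none", "amount": 12.00},
    {"id": "t4", "token": "tokB", "ts": "2025-03-01T09:30:00", "lat": 48.8606, "lon": 2.3376,
     "entry": "contactless", "cvm": "none", "amount": 9.00},
    {"id": "t5", "token": "tokA", "ts": "2025-03-01T10:25:00", "lat": 35.6762, "lon": 139.6503,
     "entry": "chip", "cvm": "pin", "amount": 300.00},
]

def km_between(a, b):
    """Great-circle (haversine) distance in km between two records."""
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_relay_suspects(txns, cvm_limit=100.00, max_kmh=900.0):
    """Return (token, first_id, second_id) for consecutive no-CVM contactless
    taps on one token whose implied travel speed exceeds max_kmh."""
    by_token = defaultdict(list)
    for t in txns:
        # Only low-value contactless taps that skipped cardholder verification.
        if t["entry"] == "contactless" and t["cvm"] == "none" and t["amount"] <= cvm_limit:
            by_token[t["token"]].append(t)
    flagged = []
    for token, rows in by_token.items():
        rows.sort(key=lambda r: datetime.fromisoformat(r["ts"]))
        for a, b in zip(rows, rows[1:]):
            hours = (datetime.fromisoformat(b["ts"]) - datetime.fromisoformat(a["ts"])).total_seconds() / 3600
            dist = km_between(a, b)
            # Same-instant taps at distinct places count as infinite speed.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 1 else 0.0)
            if speed > max_kmh:
                flagged.append((token, a["id"], b["id"]))
    return flagged

if __name__ == "__main__":
    print(flag_relay_suspects(TXNS))
```

A hit is a lead for review rather than proof of fraud, since terminal location data can be wrong and some merchants process taps from a central address.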

In conclusion, the utilization of NFC technology by cybercriminals to orchestrate large-scale fraud presents a complex challenge for the financial industry and law enforcement agencies around the world. As these criminals continue to innovate and adapt their methods, a coordinated and proactive approach is required to safeguard the integrity of financial systems and protect consumers from fraudulent activities.
