Apple Pay and Google Pay in the Crosshairs of Latest Ghost-Tapping Scams


Ghost-tapping is an emerging NFC relay fraud technique being weaponized by Chinese-speaking cybercriminals and syndicates. It exploits compromised payment card credentials loaded onto burner phones connected to Apple Pay/Google Pay wallets. Using proprietary relay software and criminal marketplaces like Huione Guarantee, Xinbi Guarantee, and Tudou Guarantee, syndicates deploy mules to conduct in-person purchases of luxury goods and launder profits via crypto. The fraud model combines cyber-enabled theft with physical retail operations, making it difficult to detect and disrupt.

Severity Level: High

Attack Details

  1. Initial Access:
    • Phishing campaigns & mobile malware to steal card data and OTPs.
    • Exploitation of SIM swaps and breached telecom databases.
  2. Exploitation:
    • Loading stolen card details into mobile wallets (Apple Pay/Google Pay).
    • Automating attempts to bypass bank controls (e.g., DBS Bank case).
  3. Execution:
    • NFC relay fraud using NFCGate or proprietary tools (e.g., SuperCard X).
    • In-person purchases of luxury goods, gold, jewelry, and electronics.
    • Contactless ATM withdrawals via mule crews.
  4. Monetization:
    • Resale on Telegram marketplaces and legitimate platforms (Carousell, eBay, Mercari).
    • Laundering proceeds into USDT and fiat via money mules.

Key Infrastructure

Telegram Platforms:

  • Huione Guarantee (shut down May 2025) – still active via decentralized groups.
  • Xinbi Guarantee – escrow-based USDT marketplace.
  • Tudou Guarantee – alternative platform for syndicate recruitment.

Relay Tools:

  • NFCGate (open-source relay app).
  • Proprietary relay software (linked to @webu8, possibly tied to SuperCard X).

Impact

  • Financial: Direct fraud losses from unauthorized transactions; luxury goods quickly liquidated for crypto/cash.
  • Industries Affected: Retail, banking, fintech, contactless payment providers, insurance.
  • Geography: Primarily Southeast Asia (Singapore hotspots), but scalable worldwide.
  • Scale: Hundreds of cases — e.g., 656 compromised cards in Singapore (Oct–Dec 2024) causing ~$930K USD in losses.

Notable Threat Actor Examples

  • @webu8: Developer selling burner phones + relay software.
  • @xingma888: Mule handler (“Singapore & Malaysia Group”), funds logistics, manages cash-outs.
  • 黑猫 (@llan19889): Recruiter for ATM withdrawal & ghost-tapping mules.
  • 路飞 (@OPLuffy888): Advertises cross-border transportation of stolen goods.

Assessment

Ghost-tapping is evolving into a global threat vector, blending cybercrime with physical retail fraud. It is scalable, difficult to detect, and increasingly professionalized. The combination of automation, decentralized marketplaces, and crypto-based laundering gives syndicates operational resilience.

Recommendations

For banks/payment providers:

  • Enforce stronger KYC for digital wallet linking.
  • Replace SMS/email OTPs with push-based authentication.
  • Enforce stricter authentication when a card is being added from an unrecognized device or location.
  • Flag transactions where the same payment card is used in geographically distant locations within an unrealistic timeframe.
  • Analyze patterns where multiple cards are linked to the same device, particularly following known phishing incidents.
  • Allow customers to verify high-risk transactions or digital wallet provisioning attempts via their banking app before finalizing them.
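Two of the bank-side controls above (same card used in geographically distant locations within an unrealistic timeframe, and several cards provisioned onto one device) can be expressed as simple detection logic. The following is an added example, not code from the advisory or from Recorded Future; it runs over constructed wallet-provisioning and purchase events and assumes a 900 km/h plausibility ceiling for legitimate travel, great-circle distance via the haversine formula, and a threshold of three cards per device.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not taken from the advisory). "provision" is a card
# being added to a wallet on a device; "purchase" is a contactless transaction.
EVENTS = [
    {"card": "card-A", "device": "dev-1", "kind": "provision", "time": "2024-11-01T08:00:00", "lat": 1.3521, "lon": 103.8198},
    {"card": "card-B", "device": "dev-1", "kind": "provision", "time": "2024-11-01T08:05:00", "lat": 1.3521, "lon": 103.8198},
    {"card": "card-C", "device": "dev-1", "kind": "provision", "time": "2024-11-01T08:10:00", "lat": 1.3521, "lon": 103.8198},
    {"card": "card-A", "device": "dev-1", "kind": "purchase",  "time": "2024-11-01T09:00:00", "lat": 1.3521, "lon": 103.8198},
    # Same card tapped ~309 km away ten minutes later: the relay signature.
    {"card": "card-A", "device": "dev-9", "kind": "purchase",  "time": "2024-11-01T09:10:00", "lat": 3.1390, "lon": 101.6869},
    {"card": "card-D", "device": "dev-2", "kind": "provision", "time": "2024-11-01T11:00:00", "lat": 1.3521, "lon": 103.8198},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive uses of one card that would require implausible speed.
    Returns (card, distance_km, hours_between) for each flagged pair."""
    by_card = defaultdict(list)
    for e in events:
        by_card[e["card"]].append(e)
    alerts = []
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            # Zero elapsed time at two different places is also impossible.
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                alerts.append((card, round(km), round(hours, 2)))
    return alerts

def multi_card_devices(events, threshold=3):
    """Devices onto which at least `threshold` distinct cards were provisioned."""
    cards = defaultdict(set)
    for e in events:
        if e["kind"] == "provision":
            cards[e["device"]].add(e["card"])
    return {d: sorted(c) for d, c in cards.items() if len(c) >= threshold}

if __name__ == "__main__":
    print(impossible_travel(EVENTS))
    print(multi_card_devices(EVENTS))
```

In production the provisioning alerts would be joined against recent phishing-incident data, as the recommendation above suggests, rather than evaluated on a fixed threshold alone.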

For consumers:

  • Report and block compromised cards as soon as you receive notifications of unauthorized use.
  • Avoid third-party apps and phishing links.
  • Do not share OTPs or PINs.
  • Be wary of scammers impersonating bank personnel; contact the bank through its official hotline to verify or clarify any banking matter.

Source:

  • https://www.recordedfuture.com/research/ghost-tapping-chinese-criminal-ecosystem
