Ghost-tapping is an emerging NFC relay fraud technique being weaponized by Chinese-speaking cybercriminals and syndicates. It exploits compromised payment card credentials loaded onto burner phones connected to Apple Pay/Google Pay wallets. Using proprietary relay software and criminal marketplaces like Huione Guarantee, Xinbi Guarantee, and Tudou Guarantee, syndicates deploy mules to conduct in-person purchases of luxury goods and launder profits via crypto. The fraud model combines cyber-enabled theft with physical retail operations, making it difficult to detect and disrupt.
Severity Level: High
Attack Details
- Initial Access:
  - Phishing campaigns & mobile malware to steal card data and OTPs.
  - Exploitation of SIM swaps and breached telecom databases.
- Exploitation:
  - Loading stolen card details into mobile wallets (Apple Pay/Google Pay).
  - Automating attempts to bypass bank controls (e.g., DBS Bank case).
- Execution:
  - NFC relay fraud using NFCGate or proprietary tools (e.g., SuperCard X).
  - In-person purchases of luxury goods, gold, jewelry, and electronics.
  - Contactless ATM withdrawals via mule crews.
- Monetization:
  - Resale on Telegram marketplaces and legitimate platforms (Carousell, eBay, Mercari).
  - Laundering proceeds into USDT and fiat via money mules.
Key Infrastructure
Telegram Platforms:
- Huione Guarantee (shut down May 2025) – still active via decentralized groups.
- Xinbi Guarantee – escrow-based USDT marketplace.
- Tudou Guarantee – alternative platform for syndicate recruitment.
Relay Tools:
- NFCGate (open-source relay app).
- Proprietary relay software (linked to @webu8, possibly tied to SuperCard X).
Impact
- Financial: Direct fraud losses from unauthorized transactions; luxury goods quickly liquidated for crypto/cash.
- Industries Affected: Retail, banking, fintech, contactless payment providers, insurance.
- Geography: Primarily Southeast Asia (Singapore hotspots), but scalable worldwide.
- Scale: Hundreds of cases — e.g., 656 compromised cards in Singapore (Oct–Dec 2024) causing ~$930K USD in losses.
Notable Threat Actor Examples
- @webu8: Developer selling burner phones + relay software.
- @xingma888: Mule handler (“Singapore & Malaysia Group”), funds logistics, manages cash-outs.
- 黑猫 (@llan19889): Recruiter for ATM withdrawal & ghost-tapping mules.
- 路飞 (@OPLuffy888): Advertises cross-border transportation of stolen goods.
Assessment
Ghost-tapping is evolving into a global threat vector, blending cybercrime with physical retail fraud. It is scalable, difficult to detect, and increasingly professionalized. The combination of automation, decentralized marketplaces, and crypto-based laundering gives syndicates operational resilience.
Recommendations
For banks/payment providers:
- Enforce stronger KYC for digital wallet linking.
- Replace SMS/email OTPs with push-based authentication.
- Enforce stricter authentication when a card is being added from an unrecognized device or location.
- Flag transactions where the same payment card is used in geographically distant locations within an unrealistic timeframe.
- Analyze patterns where multiple cards are linked to the same device, particularly following known phishing incidents.
- Allow customers to verify high-risk transactions or digital wallet provisioning attempts via their banking app before finalizing them.
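The two velocity checks above (a card used at geographically distant locations within an unrealistic timeframe, and many cards linked to one device) are straightforward to express as batch rules over transaction and wallet-provisioning events. The script below is an added example written for this advisory, not code from Recorded Future or any bank; the record fields, the 800 km/h travel threshold, the three-cards-per-device threshold and the sample events are all constructed assumptions for illustration.

```python
"""Batch detection heuristics for ghost-tapping style wallet fraud.

Rule 1 (impossible travel): consecutive transactions on the same card that
would require an implausible speed between their locations.
Rule 2 (card stacking): one device fingerprint provisioning several distinct
cards inside a short window, the burner-phone pattern described above.
Every record below is constructed sample data, not real transactions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 800.0      # assumed: faster than a commercial flight
MIN_DISTANCE_KM = 50.0         # assumed: ignore geocoding jitter within a city
CARD_STACK_WINDOW = timedelta(hours=24)
CARD_STACK_THRESHOLD = 3       # assumed: distinct cards per device in the window


@dataclass(frozen=True)
class Txn:
    card_token: str   # tokenized card reference, never the raw PAN
    ts: datetime
    lat: float
    lon: float
    merchant: str


@dataclass(frozen=True)
class Provisioning:
    device_id: str    # wallet device fingerprint; field name is assumed
    card_token: str
    ts: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def flag_impossible_travel(txns):
    """Return (card_token, txn_a, txn_b, required_kmh) for each consecutive
    pair of transactions on one card that would need an implausible speed."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card_token].append(t)
    alerts = []
    for token, items in by_card.items():
        items.sort(key=lambda t: t.ts)
        for a, b in zip(items, items[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (b.ts - a.ts).total_seconds() / 3600
            # Identical timestamps far apart are the strongest relay signal.
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > MAX_PLAUSIBLE_KMH:
                alerts.append((token, a, b, kmh))
    return alerts


def flag_card_stacking(events):
    """Return {device_id: cards} for devices that provisioned at least
    CARD_STACK_THRESHOLD distinct cards within CARD_STACK_WINDOW."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e.device_id].append(e)
    alerts = {}
    for device, items in by_device.items():
        items.sort(key=lambda e: e.ts)
        for i, start in enumerate(items):
            window = [e for e in items[i:] if e.ts - start.ts <= CARD_STACK_WINDOW]
            cards = {e.card_token for e in window}
            if len(cards) >= CARD_STACK_THRESHOLD:
                alerts[device] = cards
                break
    return alerts


# Constructed sample events: Singapore (1.29, 103.85) and Kuala Lumpur
# (3.14, 101.69) are roughly 316 km apart.
T0 = datetime(2024, 11, 5, 10, 0)
SAMPLE_TXNS = [
    Txn("tok_A", T0, 1.29, 103.85, "Orchard Rd jeweller"),
    Txn("tok_A", T0 + timedelta(minutes=10), 3.14, 101.69, "Bukit Bintang electronics"),
    Txn("tok_B", T0, 1.29, 103.85, "Orchard Rd jeweller"),
    Txn("tok_B", T0 + timedelta(minutes=20), 1.30, 103.83, "Somerset cafe"),
]
SAMPLE_PROVISIONING = [
    Provisioning("dev-001", "tok_1", T0),
    Provisioning("dev-001", "tok_2", T0 + timedelta(hours=1)),
    Provisioning("dev-001", "tok_3", T0 + timedelta(hours=2)),
    Provisioning("dev-001", "tok_4", T0 + timedelta(hours=5)),
    Provisioning("dev-002", "tok_5", T0),
]

if __name__ == "__main__":
    for token, a, b, kmh in flag_impossible_travel(SAMPLE_TXNS):
        print(f"{token}: {a.merchant} -> {b.merchant} would need {kmh:.0f} km/h")
    for device, cards in flag_card_stacking(SAMPLE_PROVISIONING).items():
        print(f"{device}: {len(cards)} distinct cards provisioned within {CARD_STACK_WINDOW}")
```

In this sample, tok_A is flagged (316 km in ten minutes) while tok_B, which moved a few kilometres within Singapore, falls under the distance floor and is ignored; dev-001 is flagged for stacking four cards in five hours. In production the same rules would run as streaming checks at provisioning and authorization time, with the thresholds tuned against the issuer's own false-positive data.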
For consumers:
- Report and block compromised cards as soon as you receive notifications of unauthorized use.
- Avoid third-party apps and phishing links.
- Do not share OTPs or PINs.
- Be wary of scammers impersonating bank personnel; contact the bank through its official hotline to verify any banking matter.
Source:
- https://www.recordedfuture.com/research/ghost-tapping-chinese-criminal-ecosystem