This method enables criminal syndicates to use stolen card details linked to contactless wallets, facilitating in-person purchases of high-value goods through mules and laundering proceeds via global Telegram-based marketplaces.
The core mechanism involves cybercriminals extracting payment card credentials through phishing campaigns and sophisticated malware. Once obtained, credentials are loaded onto mobile wallets on burner phones, often using automated software capable of relaying NFC signals.
Notably, tools like NFCGate and proprietary platforms (e.g., “SuperCard X”) allow attackers to transmit tokenized card data in real time to devices controlled by their syndicates.
With these capabilities, mules recruited by these groups can execute tap-to-pay transactions at retail stores, frequently escaping detection due to gaps in Know-Your-Customer (KYC) protocols and the use of fake identity documents.
The ghost-tapping ecosystem is highly structured, comprising several specialized roles:
Case studies, such as those reported by Singaporean authorities, illustrate ghost-tapping’s global reach. Between October and December 2024, over 650 incidents resulted in at least SGD 1.2 million in losses, with the majority involving compromised cards linked to Apple Pay.
Common targets include mobile phones, jewelry, and gold, purchased by foreign nationals who enter countries pretending to be tourists.
Financial institutions and payment providers are advised to strengthen link authentication measures, limit SMS-based OTP reliance, and incorporate risk analysis for device provisioning attempts.
Machine learning models that flag relayed payments and suspect device behaviors can help stem this threat. For consumers, awareness and prompt reporting of unauthorized activity are vital safeguards.
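Risk analysis for device provisioning can begin with plain rules over the signals the article describes: SMS OTP as the only step-up, several cards loaded onto one device, and a quick high-value tap after enrolment. The Python below is an added example, not code from the article or from any payment provider; the event schema, thresholds and weights are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_VALUE = {"phones", "jewelry", "gold"}   # goods the article names as targets
WINDOW = timedelta(hours=24)                 # assumed look-back window
MAX_CARDS_PER_DEVICE = 2                     # assumed threshold
WEIGHTS = {"sms_otp_only": 1, "many_cards_on_device": 2, "fast_high_value_tap": 2}

# Constructed sample events (hypothetical schema, not a real issuer feed).
EVENTS = [
    {"kind": "provision", "ts": "2024-11-02T09:00", "card": "A", "device": "d1", "auth": "sms_otp"},
    {"kind": "provision", "ts": "2024-11-02T09:05", "card": "B", "device": "d1", "auth": "sms_otp"},
    {"kind": "provision", "ts": "2024-11-02T09:09", "card": "C", "device": "d1", "auth": "sms_otp"},
    {"kind": "tap", "ts": "2024-11-02T15:30", "card": "C", "device": "d1", "category": "jewelry"},
    {"kind": "provision", "ts": "2024-11-03T12:00", "card": "D", "device": "d2", "auth": "bank_app"},
    {"kind": "tap", "ts": "2024-11-05T08:10", "card": "D", "device": "d2", "category": "grocery"},
]

def score_provisioning(events):
    """Return {card: (score, sorted signal names)} for every provisioned card."""
    signals = defaultdict(set)     # card -> triggered signals
    by_device = defaultdict(list)  # device -> [(provision time, card)]
    provisioned = {}               # card -> provision time
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO strings sort by time
        t = datetime.fromisoformat(e["ts"])
        card = e["card"]
        if e["kind"] == "provision":
            provisioned[card] = t
            signals[card]          # make sure clean cards appear with score 0
            if e["auth"] == "sms_otp":
                signals[card].add("sms_otp_only")
            by_device[e["device"]].append((t, card))
            recent = {c for pt, c in by_device[e["device"]] if t - pt <= WINDOW}
            if len(recent) > MAX_CARDS_PER_DEVICE:
                for c in recent:   # also flag cards enrolled before the threshold tripped
                    signals[c].add("many_cards_on_device")
        elif e["kind"] == "tap" and card in provisioned:
            if t - provisioned[card] <= WINDOW and e["category"] in HIGH_VALUE:
                signals[card].add("fast_high_value_tap")
    return {c: (sum(WEIGHTS[s] for s in sig), sorted(sig)) for c, sig in signals.items()}

if __name__ == "__main__":
    for card, (score, why) in score_provisioning(EVENTS).items():
        print(card, score, why)
```

Cards A and B are scored retroactively once the third card lands on the same device, which is the case a per-event rule would miss.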
Experts now warn that ghost-tapping is poised to expand globally, with criminal tooling and infrastructure evolving to target new regions and payment ecosystems.
The challenge for law enforcement and the financial industry is to keep pace with increasingly automated and decentralized fraud operations, where agile, tech-savvy threat actors persistently circumvent traditional controls.
The post Ghost-Tapping – The Hidden Threat Targeting Apple Pay and Google Pay Users appeared first on Cyber Security News.