Sunday, May 25, 2025
Hackers Exploit NFC Technology to Steal Money from ATMs and POS Terminals

In a disturbing trend, cybercriminals, predominantly from Chinese underground networks, are exploiting Near Field Communication (NFC) technology to perpetrate large-scale fraud at ATMs and Point-of-Sale (POS) terminals.

According to cyber threat intelligence analysts at Resecurity, numerous banks, FinTech companies, and credit unions have reported a surge in NFC-related fraud in Q1 2025, with damages exceeding millions of dollars for a top Fortune 100 financial institution in the United States.

These attackers demonstrate remarkable adaptability, crafting sophisticated tools to manipulate NFC systems for unauthorized transactions, targeting regions including the U.S., UK, EU, Australia, Canada, Japan, and the UAE.

The global nature of their operations, often backed by organized crime syndicates with suspected state tolerance in China, poses significant challenges to detection and mitigation due to geopolitical and technical barriers.

Sophisticated Tools and Techniques Unveiled

The mechanics of NFC fraud involve exploiting Host Card Emulation (HCE), a technology that allows Android devices to mimic ISO 14443 NFC smart cards via services like HostApduService, enabling communication with payment terminals through Application Protocol Data Unit (APDU) commands.

Tools like “Z-NFC” and “Track2NFC,” often sold on the Dark Web and Telegram channels, facilitate this by emulating card data or relaying stolen payment information from victims’ mobile wallets, such as Google Pay or Apple Pay, to perpetrators’ devices at ATMs or POS terminals.

Techniques like “Ghost Tap” allow fraudsters to execute transactions without triggering merchant payment processors, while apps like “HCE Bridge” simulate various contactless payment kernels for malicious use.

Resecurity’s reverse engineering of Z-NFC revealed a heavily obfuscated Android APK (package name: com.hk.nfc.paypay) that uses native libraries and runtime decryption to evade static analysis, underscoring the technical sophistication of these attacks.

Additionally, cybercriminals operate “farms” of mobile devices to automate fraud at scale, targeting institutions like Barclays, HSBC, and Santander, and even exploiting loyalty points programs for unauthorized redemptions.

Further amplifying the threat, NFC-enabled POS terminals are abused or illicitly registered via money mules, enabling fraud and money laundering across countries like China, Malaysia, and Nigeria.

Attackers also leverage stolen Track 2 data from ATM skimmers, recorded onto blank cards, to conduct transactions at compromised terminals, often bypassing Cardholder Verification Methods (CVM) for low-value contactless payments.

The rapid adoption of NFC technology, with 1.9 billion enabled devices worldwide, combined with the anonymity of encrypted communication and e-SIM contracts, makes these operations elusive.

As NFC continues to underpin contactless payments and identity verification globally, the urgent need for robust security protocols, advanced fraud detection, and international cooperation becomes evident to curb this escalating cyber threat.

Indicators of Compromise (IOC)

Indicator          Description
Package Name       com.hk.nfc.paypay
App Name           Often disguised as a utility/NFC tool
Native Libraries   libjiagu.so, libjgdtc.so
Path               /data/data/<pkg>/.jiagu/libjiagu_64.so
Class              com.stub.StubApp
Suspicious String  “entryRunApplication” – real app class
Permissions        NFC, Camera, Internet, Storage access
URL                https://znfcqwe.top
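A defender-side triage check built from the indicators above, added here as an example and not Resecurity's tooling. It assumes AndroidManifest.xml has already been decoded to plain XML text (for instance with apktool), scans a constructed in-memory APK-like zip rather than a real sample, and treats Host Card Emulation on its own as legitimate, since genuine wallets declare a HostApduService too.

```python
"""Triage check for the Z-NFC indicators in this page's IOC table (added example).
Assumes AndroidManifest.xml was already decoded to plain XML (e.g. with apktool);
the APK scanned is a constructed in-memory zip, not a real sample."""
import io
import re
import zipfile

IOC_PACKAGE = "com.hk.nfc.paypay"
IOC_NATIVE_LIBS = {"libjiagu.so", "libjgdtc.so", "libjiagu_64.so"}
IOC_STUB_CLASS = "com.stub.StubApp"        # packer stub named as Application class
IOC_STRING = b"entryRunApplication"
# Host Card Emulation needs the NFC permission plus a HostApduService declaration.
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
NFC_PERMISSION = "android.permission.NFC"


def triage_apk(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Return the matched indicators and a verdict for one APK."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        libs = {n.rsplit("/", 1)[-1] for n in names if n.startswith("lib/")}
        hits["native_libs"] = sorted(libs & IOC_NATIVE_LIBS)
        dex = b"".join(z.read(n) for n in names if n.endswith(".dex"))
        hits["entry_string"] = IOC_STRING in dex
    pkg = re.search(r'package="([^"]+)"', manifest_xml)
    hits["package"] = pkg.group(1) if pkg else None
    hits["stub_class"] = f'android:name="{IOC_STUB_CLASS}"' in manifest_xml
    hits["hce"] = HCE_ACTION in manifest_xml and NFC_PERMISSION in manifest_xml
    # HCE alone is legitimate (real wallets use it), so it only adds weight.
    score = (3 * (hits["package"] == IOC_PACKAGE) + len(hits["native_libs"])
             + hits["stub_class"] + hits["entry_string"] + hits["hce"])
    hits["verdict"] = "znfc-like" if score >= 3 else "clean"
    return hits


def build_sample_apk(malicious: bool) -> tuple:  # constructed samples, not real ones
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + (IOC_STRING if malicious else b""))
        if malicious:
            z.writestr("lib/arm64-v8a/libjiagu_64.so", b"\x7fELF constructed")
            z.writestr("lib/arm64-v8a/libjgdtc.so", b"\x7fELF constructed")
    pkg = IOC_PACKAGE if malicious else "com.example.notes"
    app = f'<application android:name="{IOC_STUB_CLASS}">' if malicious else "<application>"
    manifest = (f'<manifest package="{pkg}"><uses-permission android:name="{NFC_PERMISSION}"/>'
                f'{app}<service><intent-filter><action android:name="{HCE_ACTION}"/>'
                "</intent-filter></service></application></manifest>")
    return buf.getvalue(), manifest
```

The benign sample declares HCE and the NFC permission but nothing else, so it scores below the threshold; the packer stub, native libraries and package name are what push the other sample over it.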

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
