Cyber Security News

Hackers Exploit NFC Technology to Steal Money from ATMs and POS Terminals

In a disturbing trend, cybercriminals, predominantly from Chinese underground networks, are exploiting Near Field Communication (NFC) technology to perpetrate large-scale fraud at ATMs and Point-of-Sale (POS) terminals.

According to cyber threat intelligence analysts at Resecurity, numerous banks, FinTech companies, and credit unions have reported a surge in NFC-related fraud in Q1 2025, with damages exceeding millions of dollars for a top Fortune 100 financial institution in the United States.

These attackers demonstrate remarkable adaptability, crafting sophisticated tools to manipulate NFC systems for unauthorized transactions, targeting regions including the U.S., UK, EU, Australia, Canada, Japan, and the UAE.

The global nature of their operations, often backed by organized crime syndicates with suspected state tolerance in China, poses significant challenges to detection and mitigation due to geopolitical and technical barriers.

Sophisticated Tools and Techniques Unveiled

The mechanics of NFC fraud involve exploiting Host Card Emulation (HCE), a technology that allows Android devices to mimic ISO 14443 NFC smart cards via services like HostApduService, enabling communication with payment terminals through Application Protocol Data Unit (APDU) commands.

Tools like “Z-NFC” and “Track2NFC,” often sold on the Dark Web and Telegram channels, facilitate this by emulating card data or relaying stolen payment information from victims’ mobile wallets, such as Google Pay or Apple Pay, to perpetrators’ devices at ATMs or POS terminals.

Techniques like “Ghost Tap” allow fraudsters to execute transactions without triggering merchant payment processors, while apps like “HCE Bridge” simulate various contactless payment kernels for malicious use.

Resecurity’s reverse engineering of Z-NFC revealed a heavily obfuscated Android APK (package name: com.hk.nfc.paypay) that uses native libraries and runtime decryption to evade static analysis, underscoring the technical sophistication of these attacks.

Additionally, cybercriminals operate “farms” of mobile devices to automate fraud at scale, targeting institutions like Barclays, HSBC, and Santander, and even exploiting loyalty points programs for unauthorized redemptions.

Further amplifying the threat, NFC-enabled POS terminals are abused or illicitly registered via money mules, enabling fraud and money laundering across countries like China, Malaysia, and Nigeria.

Attackers also leverage stolen Track 2 data from ATM skimmers, recorded onto blank cards, to conduct transactions at compromised terminals, often bypassing Cardholder Verification Methods (CVM) for low-value contactless payments.

The rapid adoption of NFC technology, with 1.9 billion enabled devices worldwide, combined with the anonymity of encrypted communication and e-SIM contracts, makes these operations elusive.

As NFC continues to underpin contactless payments and identity verification globally, the urgent need for robust security protocols, advanced fraud detection, and international cooperation becomes evident to curb this escalating cyber threat.

Indicators of Compromise (IOC)

| Indicator | Description |
| --- | --- |
| Package Name | com.hk.nfc.paypay |
| App Name | Often disguised as utility/NFC tool |
| Native Libraries | libjiagu.so, libjgdtc.so |
| Path | /data/data/<pkg>/.jiagu/libjiagu_64.so |
| Class | com.stub.StubApp |
| Suspicious String | “entryRunApplication” – real app class |
| Permissions | NFC, Camera, Internet, Storage access |
| URL | https://znfcqwe.top |
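
A static triage check built from the indicators listed above, as an added example that is not code from Resecurity or from the original article. The verdict labels, the `scan_apk` and `build_sample` names, and the decision to treat packer artefacts alone as "needs review" are assumptions; the sample APK bytes are constructed inline.

```python
import io
import zipfile

# IOC values copied from the table above.
PACKAGE = "com.hk.nfc.paypay"
PACKER_LIBS = {"libjiagu.so", "libjgdtc.so", "libjiagu_64.so"}
DEX_MARKERS = {
    "stub_class": b"Lcom/stub/StubApp;",   # dex descriptor form of com.stub.StubApp
    "entry_string": b"entryRunApplication",
}


def scan_apk(apk_bytes):
    """Return IOC hits and a coarse verdict for one APK (a ZIP archive)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            base = name.rsplit("/", 1)[-1]
            if base in PACKER_LIBS:
                hits.append(("packer_lib", name))
            elif name == "AndroidManifest.xml":
                data = apk.read(name)
                # Binary manifest string pools are UTF-8 or UTF-16LE: try both.
                if PACKAGE.encode() in data or PACKAGE.encode("utf-16-le") in data:
                    hits.append(("package_name", PACKAGE))
            elif base.startswith("classes") and base.endswith(".dex"):
                data = apk.read(name)
                hits += [(kind, name) for kind, m in DEX_MARKERS.items() if m in data]
    kinds = {kind for kind, _ in hits}
    # Assumption: packer artefacts alone only justify manual review, because the
    # same protector also wraps unrelated apps; the package name is the specific IOC.
    if "package_name" in kinds:
        verdict = "ioc-match"
    elif kinds:
        verdict = "packed-needs-review"
    else:
        verdict = "no-hit"
    return {"verdict": verdict, "hits": hits}


def build_sample(package, packed):
    """Constructed stand-in for an APK; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + package.encode("utf-16-le"))
        z.writestr("classes.dex", b"dex\n035\x00" + (DEX_MARKERS["stub_class"] if packed else b""))
        if packed:
            z.writestr("assets/libjiagu.so", b"\x7fELF")
    return buf.getvalue()
```

Because the article describes runtime decryption, a "no-hit" result from this static pass says nothing about strings such as the URL, which would only be visible after unpacking or in network telemetry.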


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
