Explore how Chinese-speaking cybercriminals use NFC relay fraud ("ghost-tapping") to exploit mobile wallets, conduct retail fraud, and launder funds via Telegram.
Analysis Summary
# Threat Actor: Chinese-Speaking Threat Actors (Syndicates) engaged in Ghost-Tapping Fraud
## Attribution & Identity
The primary actors are identified as **Chinese-speaking threat actors** operating within organized **syndicates**. A key individual/entity, **@webu8** on Telegram, was identified advertising services and burner phones related to ghost-tapping. These groups are believed to be established, **Southeast Asia-based criminal groups** with prior involvement in scamming activities (e.g., romance, investment, cryptomining) since 2020. Some actors are reported to operate domestically within China, while others are active in Singapore, Malaysia, Thailand, and the Philippines.
## Activity Summary
The main activity discussed is **Ghost-Tapping**, which involves Near Field Communication (NFC) relay tactics to commit sophisticated retail fraud using stolen payment card details linked to mobile payment services (like Apple Pay and Google Pay).
Cybercriminals automate the process of adding stolen payment card information to contactless payment wallets. Mules are then deployed in person to purchase physical goods (such as luxury items, jewelry, and mobile phones) or to make contactless ATM withdrawals. These goods are subsequently resold for profit. The activity is heavily facilitated through Telegram-based marketplaces: formerly **Huione Guarantee**, and currently **Xinbi Guarantee** and **Tudou Guarantee**. These serve as "one-stop shops" for recruiting personnel for every stage of the scheme, including ghost-tapping mules, transport, resellers, and money launderers.
## Tactics, Techniques & Procedures
- **NFC Relay Tactics (Ghost-Tapping):** Relaying payment information from a victim's card or device to a payment terminal without possessing that device, enabled by relay software and peripherals; the report describes this as **NFC relay fraud**.
- **Mobile Wallet Loading:** Phishing or procuring stolen payment card credentials and loading them onto contactless mobile wallets. This process sometimes requires intercepting One-Time Passwords (OTPs).
- **Automation:** Using automation to add stolen payment card data to wallets and managing the distribution of burner phones.
- **Mule Recruitment and Deployment:** Hiring "drivers" (chou shou) and "motorcades" (che dui) to perform in-person transactions and ATM withdrawals.
- **Resale:** Selling fraudulently obtained physical goods for cash or cryptocurrency on cybercrime marketplaces.
- **Infrastructure Pivoting:** Shifting operations to new Telegram-based marketplaces (Xinbi Guarantee, Tudou Guarantee) following the purported shutdown of Huione Guarantee.
## Targeting
- **Sectors:** Retail, Banking, Contactless Payment Providers, and Insurance Companies (due to unauthorized transactions).
- **Geography:** Singapore (where high-profile arrests have occurred), Cambodia, China, Malaysia, Thailand, and the Philippines. The technique is assessed to be globally applicable.
- **Victims:** Payment cardholders whose credentials are stolen and used for unauthorized transactions.
## Tools & Infrastructure
- **Malware families used:** No specific families are named; phishing campaigns are mentioned only generally as the means of compromising cards and intercepting OTPs.
- **Infrastructure (C2, domains, IPs):**
  - Recruitment and commerce platforms: Telegram channels/marketplaces, specifically **Huione Guarantee, Xinbi Guarantee, and Tudou Guarantee**.
  - Relay tools: open-source NFC relay tools such as **NFCGate** are mentioned as background to the technique.
  - Physical items: burner phones are advertised and recycled across campaigns.
## Implications
Ghost-tapping campaigns pose a difficult-to-detect threat to the retail and banking sectors because retail stores often lack robust Know-Your-Customer (KYC) checks, allowing mules disguised as tourists to easily cash out stolen credentials. The success of these campaigns is funneling significant financial resources into criminal syndicates. There is a high likelihood of global expansion, potentially involving threat actors providing tailored tooling for non-Chinese speaking syndicates.
## Mitigations
- **Stricter KYC Measures:** Implementing more stringent Know-Your-Customer standards at retail locations.
- **Enhanced Payment Security:** Banks should introduce more stringent security features for mobile wallets to prevent compromised card credentials from being linked successfully, similar to measures implemented by DBS.
- **Monitoring Criminal Marketplaces:** Continued monitoring of known Telegram marketplaces (Xinbi Guarantee, Tudou Guarantee) for ongoing recruitment and intelligence gathering, acknowledging that actors may pivot to more secure platforms if these are disrupted.
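The "enhanced payment security" mitigation above can be made concrete on the issuer side as a risk score over wallet-provisioning and transaction events. The following is an added example written for this page, not code from the report or from any bank; it scores the pattern the report describes (a card newly provisioned to a wallet from an unfamiliar location, verified by an interceptable SMS OTP, then used within hours for contactless purchases in high-resale categories or contactless ATM withdrawals away from the cardholder's home country). All records, field names, category codes, weights and thresholds are constructed assumptions for illustration.

```python
"""Risk-scoring of freshly provisioned mobile-wallet tokens (added example).

Not from the report and not any issuer's API: field names, category codes,
weights and thresholds below are assumptions chosen to illustrate the pattern.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Merchant categories the report names as cash-out targets (constructed codes).
HIGH_RESALE_CATEGORIES = {"luxury_goods", "jewelry", "mobile_phones"}
PROVISION_WINDOW = timedelta(hours=48)   # how long a new token counts as "fresh" (assumed)
ALERT_THRESHOLD = 60                     # score at which the issuer steps up authentication (assumed)


@dataclass
class Provisioning:
    card_id: str
    ts: datetime
    device_id: str
    device_country: str
    otp_delivery: str   # "sms" or "in_app" (constructed field)


@dataclass
class Transaction:
    card_id: str
    ts: datetime
    amount: float
    country: str
    category: str       # merchant category, or "atm_contactless" for a cardless withdrawal
    channel: str        # "contactless" or "chip"


def score_transaction(tx, provisionings, home_country):
    """Return (score, reasons) for one transaction given the card's provisioning history."""
    score, reasons = 0, []
    # Only provisionings of this card inside the freshness window before the transaction count.
    recent = [p for p in provisionings
              if p.card_id == tx.card_id and tx.ts - PROVISION_WINDOW <= p.ts <= tx.ts]
    if not recent:
        return score, reasons
    prov = max(recent, key=lambda p: p.ts)
    score += 20
    reasons.append(f"token provisioned {tx.ts - prov.ts} before use")
    if tx.channel != "contactless":
        return score, reasons  # ghost-tapping cashes out over NFC, not by chip insertion
    if tx.country != home_country:
        score += 25
        reasons.append(f"contactless use in {tx.country}, cardholder home {home_country}")
    if prov.device_country != home_country:
        score += 15
        reasons.append(f"provisioned from a device located in {prov.device_country}")
    if tx.category in HIGH_RESALE_CATEGORIES:
        score += 20
        reasons.append(f"high-resale merchant category {tx.category}")
    if tx.category == "atm_contactless":
        score += 25
        reasons.append("contactless ATM withdrawal on a fresh token")
    if prov.otp_delivery == "sms":
        score += 10
        reasons.append("provisioning verified by SMS OTP only (interceptable)")
    return score, reasons


def find_alerts(transactions, provisionings, home_countries):
    """Return [(card_id, ts, score, reasons)] for transactions scoring at or above ALERT_THRESHOLD."""
    alerts = []
    for tx in transactions:
        score, reasons = score_transaction(tx, provisionings, home_countries[tx.card_id])
        if score >= ALERT_THRESHOLD:
            alerts.append((tx.card_id, tx.ts, score, reasons))
    return alerts


# Constructed sample data: no real cards, devices, merchants or locations.
HOME = {"card-A": "SG", "card-B": "MY"}
PROVISIONINGS = [
    Provisioning("card-A", datetime(2025, 6, 1, 9, 0), "dev-1", "SG", "in_app"),  # legitimate re-enrolment
    Provisioning("card-B", datetime(2025, 6, 1, 9, 0), "dev-9", "KH", "sms"),     # stolen card loaded abroad
]
TRANSACTIONS = [
    Transaction("card-A", datetime(2025, 6, 1, 12, 0), 38.50, "SG", "grocery", "contactless"),
    Transaction("card-B", datetime(2025, 6, 1, 11, 30), 4200.0, "SG", "jewelry", "contactless"),
    Transaction("card-B", datetime(2025, 6, 1, 13, 0), 1000.0, "SG", "atm_contactless", "contactless"),
]

if __name__ == "__main__":
    for card, ts, score, reasons in find_alerts(TRANSACTIONS, PROVISIONINGS, HOME):
        print(f"{card} {ts:%Y-%m-%d %H:%M} score={score}")
        for reason in reasons:
            print("   -", reason)
```

With the constructed data, the legitimate re-enrolment on card-A scores 20 and is not alerted, while both card-B transactions exceed the threshold (90 for the jewelry purchase, 95 for the contactless ATM withdrawal). In practice the weights would be tuned against an issuer's own fraud labels, and an alert would trigger step-up authentication or a temporary token suspension rather than a hard decline.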