New Cybercrime Technique “Ghost-Tapping” Targets Mobile Wallets

Paige Henley
Paige Henley Former Editor
Published on: August 21, 2025
Paige Henley Paige Henley Former Editor
Published on: August 21, 2025

A new cybercriminal scheme called “ghost-tapping” has emerged as a serious threat to contactless payments, enabling criminals to exploit stolen card details linked to services like Apple Pay and Google Pay.

The technique uses Near Field Communication (NFC) relay tactics to commit retail fraud, transforming stolen digital credentials into physical goods through a global network of mules and automated systems.

Analysts at Recorded Future describe it as a dangerous mix of old phishing tricks and new relay technology. “This represents a full end-to-end fraud operation, spanning multiple countries and criminal roles,” they said.

Unlike typical card fraud, which often stays online, ghost-tapping lets criminals make in-person purchases. “That makes detection much harder for traditional fraud monitoring systems,” analysts noted.

Recent reports from Singapore highlight the scale of the threat. Authorities recorded 656 cases of compromised cards tied to mobile wallets between October and December 2024, with losses topping $1.2 million SGD. At least 502 of those involved Apple Pay, showing how widely criminals are exploiting popular platforms.

Threat actors are advertising openly, too. Recorded Future identified a user called @webu8 on Telegram offering burner phones preloaded with stolen credentials. These devices sell for around $500 USDT when packed with ten compromised cards.

The attacks rely on tools such as NFCGate, originally built for legitimate testing but repurposed by criminals. Two phones running the app can relay stolen card data across locations in real-time, allowing a mule at a checkout terminal to process transactions as if the cardholder were present.

With operations traced to Cambodia and China, the scheme is already international. Analysts warn that ghost-tapping could outpace current fraud defenses. As they put it, “Even measures like multi-factor authentication can be bypassed when attackers already have full access to victims’ credentials.”

About the Author
Paige Henley
Paige Henley
Former Editor
Published on: August 21, 2025

About the Author

Paige Henley was an editor at SafetyDetectives. She has three years of experience writing and editing various cybersecurity articles and blog posts about VPNs, antivirus software, and other data protection tools. As a freelancer, Paige enjoys working in a variety of content niches and is always expanding her knowledge base. Outside of work, she raises orphaned neonatal kittens, works on DIY projects around the house, and enjoys movie marathons on weekends with her husband and three cats.