A new cybercriminal scheme called “ghost-tapping” has emerged as a serious threat to contactless payments, enabling criminals to exploit stolen card details linked to services like Apple Pay and Google Pay.

The technique uses Near Field Communication (NFC) relay tactics to commit retail fraud, transforming stolen digital credentials into physical goods through a global network of mules and automated systems.

Analysts at Recorded Future describe it as a dangerous mix of old phishing tricks and new relay technology. “This represents a full end-to-end fraud operation, spanning multiple countries and criminal roles,” they said.

Unlike typical card fraud, which often stays online, ghost-tapping lets criminals make in-person purchases. “That makes detection much harder for traditional fraud monitoring systems,” analysts noted.

Recent reports from Singapore highlight the scale of the threat. Authorities recorded 656 cases of compromised cards tied to mobile wallets between October and December 2024, with losses topping $1.2 million SGD. At least 502 of those involved Apple Pay, showing how widely criminals are exploiting popular platforms.

Threat actors are advertising openly, too. Recorded Future identified a user called @webu8 on Telegram offering burner phones preloaded with stolen credentials. These devices sell for around $500 USDT when packed with ten compromised cards.

The attacks rely on tools such as NFCGate, originally built for legitimate testing but repurposed by criminals. Two phones running the app can relay stolen card data across locations in real-time, allowing a mule at a checkout terminal to process transactions as if the cardholder were present.

With operations traced to Cambodia and China, the scheme is already international. Analysts warn that ghost-tapping could outpace current fraud defenses. As they put it, “Even measures like multi-factor authentication can be bypassed when attackers already have full access to victims’ credentials.”