Chinese Cybercriminals Unleash Z-NFC Tool for Targeted Payment Fraud
TL;DR
Chinese cybercriminal groups are selling a tool called Z-NFC that abuses NFC contactless payments, according to research by Resecurity. The tool runs on Android phones loaded with compromised card data and is used to make many low-value tap-to-pay transactions that stay under the contactless CVM limit, so no PIN is ever requested. Victims include customers of major banks and a Fortune 100 US financial institution, with losses running into millions of dollars.
Main Content
Chinese Cybercriminals Exploit NFC for Large-Scale Payment Fraud
Cybercriminals are increasingly using Near Field Communication (NFC) technology to commit fraud at ATMs and POS terminals, resulting in substantial financial losses for consumers. A recent investigation by Resecurity (USA) documented multiple incidents in Q1 2025 that caused damages exceeding several million dollars for a top Fortune 100 financial institution in the United States. Stopping these actors, who operate from China, is complicated by geopolitical, technical, and organizational factors.
Targeting Mobile Wallets
Cybersecurity experts have identified several Chinese cybercriminal groups focusing on Google Wallet and Apple Wallet customers. These groups abuse contactless payments and misuse NFC technology to carry out fraudulent transactions. Analysts from Resecurity's HUNTER unit discovered a group on Telegram offering the Z-NFC tool for sale, built to facilitate these transactions. Another tool, known as King NFC, was previously marketed on the Dark Web as an alternative.
Automating Fraud with Android Devices
Primarily, these actors use Android phones with many stolen cards "loaded" into mobile wallets. In one campaign the cybercriminals targeted customers of specific banks, including Barclays, Bank of Scotland, Lloyds Banking Group, Halifax, HSBC, Santander, Wise, and Revolut, and automated the fraudulent transactions against those cards.
Understanding the Mechanism
These fraudulent apps use Android's Host Card Emulation (HCE) to impersonate a physical ISO/IEC 14443 contactless smart card: the app registers a service that extends HostApduService and declares the payment application identifiers (AIDs) it answers for. When a terminal selects one of those AIDs, the app receives the terminal's APDU commands and returns the responses a real card would. An APDU (Application Protocol Data Unit) is the standardized message unit exchanged between a card reader and a smart card, defined in ISO/IEC 7816-4. HCE itself is a legitimate, documented platform feature; the abuse lies in feeding the service compromised card data, because the terminal only ever sees APDU responses and cannot tell the emulation from a genuine card.
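The exchange described above, as an added example in plain Python (not code from the Z-NFC tool, from Android, or from the Resecurity report): `EmulatedCard.process_command_apdu` plays the part that `HostApduService.processCommandApdu()` plays on Android, and `terminal_select_application` plays the terminal. The PPSE name is the real one every EMV contactless terminal selects first; the application AID, label and PAN are constructed placeholders.

```python
"""Model of the HCE exchange described above: EmulatedCard.process_command_apdu
plays the role of Android's HostApduService.processCommandApdu(), receiving the
terminal's command APDU and returning the response bytes.  Added illustration,
not code from Z-NFC, Android or the Resecurity report; card data is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SW_OK, SW_WRONG_LENGTH = bytes.fromhex("9000"), bytes.fromhex("6700")           # ISO 7816-4
SW_FILE_NOT_FOUND, SW_INS_NOT_SUPPORTED = bytes.fromhex("6A82"), bytes.fromhex("6D00")
PPSE_AID = b"2PAY.SYS.DDF01"                          # real: terminals select this first
EXAMPLE_APP_AID = bytes.fromhex("A0000000000001")     # hypothetical payment AID
EXAMPLE_PAN_BCD = bytes.fromhex("4111111111111111")   # constructed test PAN, BCD-coded


@dataclass
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]


def parse_command_apdu(raw: bytes) -> CommandApdu:
    """Parse a short-form command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                   # case 1: header only
        return CommandApdu(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                             # case 2: Le only
        return CommandApdu(cla, ins, p1, p2, b"", body[0] or 256)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:
        raise ValueError("Lc/Le inconsistent with APDU length")
    le = (rest[0] or 256) if rest else None        # case 4 / case 3
    return CommandApdu(cla, ins, p1, p2, data, le)


def tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one BER-TLV element (values shorter than 128 bytes only)."""
    return tag + bytes([len(value)]) + value


def find_tag(data: bytes, wanted: bytes) -> Optional[bytes]:
    """Depth-first search of a well-formed BER-TLV buffer (1- or 2-byte tags)."""
    i = 0
    while i < len(data):
        tlen = 2 if data[i] & 0x1F == 0x1F else 1
        tag, length = data[i:i + tlen], data[i + tlen]
        value = data[i + tlen + 1:i + tlen + 1 + length]
        if tag == wanted:
            return value
        if tag[0] & 0x20:                          # constructed element: descend
            hit = find_tag(value, wanted)
            if hit is not None:
                return hit
        i += tlen + 1 + length
    return None


class EmulatedCard:
    """Stand-in for an Android HostApduService.  `fci_by_aid` maps each AID the
    service answers for (Android's aid-filter list) to the FCI it returns."""

    def __init__(self, fci_by_aid: Dict[bytes, bytes], record: bytes):
        self.fci_by_aid, self.record, self.selected = fci_by_aid, record, None

    def process_command_apdu(self, raw: bytes) -> bytes:
        try:
            cmd = parse_command_apdu(raw)
        except ValueError:
            return SW_WRONG_LENGTH
        if cmd.ins == 0xA4 and cmd.p1 == 0x04 and cmd.data:      # SELECT by name
            for aid, fci in self.fci_by_aid.items():
                if aid.startswith(cmd.data):                       # full or partial match
                    self.selected = aid
                    return fci + SW_OK
            return SW_FILE_NOT_FOUND
        if cmd.ins == 0xB2 and self.selected == EXAMPLE_APP_AID:   # READ RECORD
            return self.record + SW_OK      # terminal sees whatever data was loaded here
        return SW_INS_NOT_SUPPORTED


def build_example_card() -> EmulatedCard:
    """Constructed PPSE directory pointing at the example AID, plus one record."""
    ppse_fci = tlv(b"\x6F", tlv(b"\x84", PPSE_AID) + tlv(b"\xA5", tlv(
        b"\xBF\x0C", tlv(b"\x61", tlv(b"\x4F", EXAMPLE_APP_AID) + tlv(b"\x87", b"\x01")))))
    app_fci = tlv(b"\x6F", tlv(b"\x84", EXAMPLE_APP_AID) + tlv(b"\xA5", tlv(b"\x50", b"EXAMPLE")))
    record = tlv(b"\x70", tlv(b"\x5A", EXAMPLE_PAN_BCD))   # tag 5A = application PAN
    return EmulatedCard({PPSE_AID: ppse_fci, EXAMPLE_APP_AID: app_fci}, record)


def terminal_select_application(card: EmulatedCard) -> Tuple[Optional[bytes], bytes]:
    """Terminal side: SELECT PPSE, take the first AID listed, SELECT that AID."""
    def select(name: bytes) -> bytes:
        return card.process_command_apdu(bytes([0x00, 0xA4, 0x04, 0x00, len(name)]) + name + b"\x00")
    resp = select(PPSE_AID)
    aid = find_tag(resp[:-2], b"\x4F") if resp[-2:] == SW_OK else None
    if aid is None:
        return None, resp[-2:]
    resp = select(aid)
    return (aid if resp[-2:] == SW_OK else None), resp[-2:]
```

The point the model makes is in `EmulatedCard`: nothing in the APDU dialogue authenticates the device answering it, so the terminal's view of a genuine card and of an HCE service that returns the same bytes is identical. Real EMV transactions add cryptograms and issuer authentication on top of this exchange; the model stops at application selection and record reading, which is enough to see why detection has to happen on the issuer or acquirer side rather than at the reader.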
Exploiting Contactless Payments
Conventional card-present payments require a Cardholder Verification Method (CVM) such as a PIN or signature. For low-value contactless payments below the terminal's contactless CVM limit, no CVM is requested and the consumer simply taps and goes. The fraudsters exploit this by keeping every transaction under the limit and making up the volume with a large number of compromised cards, so no single tap ever triggers a PIN prompt.
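Both halves of the paragraph above in runnable form, as an added example that is not part of the original article or the Resecurity report: the no-CVM decision a terminal makes for a sub-limit tap, and an issuer- or acquirer-side detection rule for the abuse pattern (many distinct cards tapping just under the limit at one terminal in a short window). The limit value, the thresholds and the transaction log are all assumptions constructed for the example; real CVM limits vary by market and terminal configuration.

```python
"""No-CVM decision plus a velocity rule for the abuse pattern described above.
Added illustration, not from the Resecurity report; the limit, the thresholds
and the sample log are constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

CVM_LIMIT = 100.00   # assumed terminal "Reader CVM Required Limit"; varies by market


@dataclass(frozen=True)
class Tap:
    ts: datetime
    terminal_id: str
    card_token: str      # tokenised card reference; never log a raw PAN
    amount: float
    cvm_performed: bool


def cvm_required(amount: float, limit: float = CVM_LIMIT) -> bool:
    """Assumed terminal rule: a CVM (PIN, signature, CDCVM) is needed at or above the limit."""
    return amount >= limit


def flag_no_cvm_velocity(taps: Iterable[Tap], limit: float = CVM_LIMIT,
                         window: timedelta = timedelta(minutes=5),
                         min_cards: int = 8, near_band: float = 0.10,
                         near_fraction: float = 0.5) -> Dict[str, int]:
    """Return {terminal_id: peak distinct cards} for terminals where, inside any
    sliding `window`, at least `min_cards` distinct cards tapped without CVM and
    at least `near_fraction` of those taps sat within `near_band` of the limit."""
    per_terminal: Dict[str, List[Tap]] = defaultdict(list)
    for t in sorted(taps, key=lambda t: t.ts):
        if not t.cvm_performed and t.amount < limit:    # only no-CVM, sub-limit taps
            per_terminal[t.terminal_id].append(t)
    flagged: Dict[str, int] = {}
    for term, seq in per_terminal.items():
        recent: deque = deque()
        for t in seq:
            recent.append(t)
            while t.ts - recent[0].ts > window:         # drop taps that fell out of the window
                recent.popleft()
            cards = {x.card_token for x in recent}
            near = sum(1 for x in recent if x.amount >= limit * (1 - near_band))
            if len(cards) >= min_cards and near / len(recent) >= near_fraction:
                flagged[term] = max(flagged.get(term, 0), len(cards))
    return flagged


def constructed_sample() -> List[Tap]:
    """Constructed log: T1 is hit with 12 different cards in under three minutes,
    each tap a few units under the limit; T2 is ordinary shop traffic."""
    t0 = datetime(2025, 3, 14, 12, 0, 0)
    fraud = [Tap(t0 + timedelta(seconds=15 * i), "T1", f"tok-{i:02d}",
                 99.00 - 0.25 * i, False) for i in range(12)]
    normal = [
        Tap(t0 + timedelta(minutes=2), "T2", "tok-a", 4.20, False),
        Tap(t0 + timedelta(minutes=9), "T2", "tok-b", 150.00, True),    # above limit, PIN entered
        Tap(t0 + timedelta(minutes=11), "T2", "tok-c", 98.50, False),   # one near-limit tap is normal
        Tap(t0 + timedelta(minutes=30), "T2", "tok-a", 12.75, False),
        Tap(t0 + timedelta(minutes=41), "T2", "tok-d", 61.00, False),
    ]
    return fraud + normal


if __name__ == "__main__":
    print(flag_no_cvm_velocity(constructed_sample()))
```

The rule keys on the combination the article describes, many cards and amounts clustered just under the limit, rather than on any single tap, because each tap is individually valid. Tuning `min_cards` and `window` against a terminal's own baseline matters: a busy transit gate legitimately sees many distinct cards per minute, but not all pinned to the top of the no-CVM band.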
Soft POS Solutions
In addition to traditional POS terminals, cybercriminals are also abusing "tap on phone" software, known as Soft POS. These products turn NFC-enabled Android smartphones, tablets, and other handheld devices into payment terminals, which means the merchant side of a transaction can also be run from a phone the fraudster controls, further facilitating the fraud.
Global Adoption of NFC
Today, an estimated 1.9 billion phones worldwide are NFC-enabled, which illustrates how rapidly the technology has been adopted and how large the pool of potential tools and targets is.
Conclusion
The rise of NFC-enabled fraud highlights the need for stronger controls around contactless payments. The attack pattern described here, many compromised cards loaded onto one Android device and spent in high volumes of sub-limit, no-CVM taps, points to the measures that matter: velocity and clustering rules on no-CVM contactless transactions, scrutiny of devices that provision unusually many cards into a mobile wallet, and tighter onboarding for Soft POS merchants. As cybercriminals continue to abuse this technology, financial institutions and consumers need to stay vigilant and adapt to emerging threats.