
TX-NFC represents a fundamental attack on the security assumption underpinning contactless payments worldwide — that physical proximity is a safeguard. It isn’t anymore. Group-IB’s Ghost Tap research, published in January 2026, was the first public disclosure of TX-NFC: a Chinese-language Fraud-as-a-Service operation supplying NFC-enabled Android malware to affiliates, enabling fraudsters to conduct unauthorized tap-to-pay transactions at physical POS terminals — with the victim’s card in an entirely different country.
The innovation is in the relay architecture. By exploiting Android’s Host Card Emulation (HCE) framework, TX-NFC apps emulate a victim’s card on the fraudster’s device, reproducing the NFC handshake at a POS terminal with full fidelity. A card stolen in Thailand gets used at a retailer in Germany. No physical card cloning. No magnetic stripe. Nothing visible at the point of sale.
TX-NFC is not one tool — it is a commercial ecosystem. The Telegram distribution channel accumulated over 21,000 subscribers, with subscription pricing running from $45 per day to $1,050 for three months, providing access to more than 54 distinct APK variants. From a single POS vendor alone, Group-IB documented at least $355,000 in illegitimate transactions between November 2024 and August 2025.
Key Numbers:
— $355,000+ in illegitimate transactions from a single POS vendor (Nov 2024–Aug 2025)
— 21,000+ Telegram channel subscribers
— 54+ distinct APK variants identified
— $45/day to $1,050/3-month subscription pricing
— Fraud reaches physical POS terminals worldwide from a single Android device
Geographic scope: global. Operators are based in Asia-Pacific, which is also the primary fraud origin; because NFC relay removes geographic constraints, the fraud itself reaches POS terminals worldwide.
At least $355,000 in documented illegitimate transactions from a single POS vendor; actual scale across all affiliates substantially higher. First documented by Group-IB Ghost Tap research.
Documented integration with fake government refund schemes using remote access tools to harvest card credentials and feed them directly into the NFC relay fraud pipeline — a multi-stage criminal supply chain spanning social engineering, credential theft, and physical-world card-present fraud.
TX-NFC bridges digital social engineering with physical-world fraud across four distinct stages.
Victims' card data (card number, expiry, CVV, and NFC token / card emulation data) is obtained through phishing, social engineering, or purchase from underground markets. TX-NFC affiliates use smishing and vishing campaigns to trick victims into installing malicious APKs and tapping their physical cards against their own Android devices — which captures the NFC card data. Parallel pipelines including fake government refund schemes in the Middle East supply additional card credentials.
Stolen card credentials are loaded into the NFC-enabled Android application. The app emulates the victim's card via the device's NFC antenna using Android's Host Card Emulation (HCE) framework. Over 54 APK samples have been identified, suggesting active development and iteration.
A mule carries the loaded Android device to a physical POS terminal and conducts a contactless transaction. The transaction appears legitimate because the NFC handshake mirrors a genuine card tap. The physical proximity requirement — the foundational security assumption of contactless payments — is completely bypassed.
Purchased goods are converted to cash or cryptocurrency through laundering channels. Illicitly acquired POS terminals from major institutions are openly advertised on Telegram for direct cash-out operations.
Unlike GoldFactory and CraxsRAT — which run malware on the victim’s device — TX-NFC malware runs on the fraudster’s device. The victim’s device can be fully secure, fully patched, and entirely malware-free. This makes it invisible to traditional mobile endpoint protection focused on device security.
What we're seeing with TX-NFC is a full supply chain: Chinese threat actors selling NFC-enabled Android apps across Telegram communities that let operators relay stolen card data and execute unauthorized tap-to-pay transactions remotely. Tracking that kind of network at scale requires connecting the dots across dark web intelligence, fraud network graphs, and mule account activity in real time.
Flag any contactless transaction where the POS terminal location is inconsistent with the cardholder's last known location based on mobile banking GPS or prior transaction history. This is the primary detection control against NFC relay fraud.
NFC relay attacks introduce measurable latency in the contactless communication sequence — the network hop between the relay app and the remote card data source differs from a genuine local tap in timing patterns detectable in real time.
Query threat intelligence for your institution's card BINs in TX-NFC-affiliated channels and underground markets to assess exposure scope and identify compromised card numbers before fraud occurs.
Monitor for POS terminals processing abnormal volumes of contactless transactions from geographically dispersed cardholders within short time windows.
and enabling real-time transaction notifications for immediate fraud reporting.
TX-NFC is a Chinese-language Fraud-as-a-Service operation providing NFC-enabled Android malware enabling remote, unauthorized tap-to-pay transactions using stolen card credentials. Unlike traditional carding — which monetizes stolen card data through online purchases (card-not-present fraud) or counterfeit magnetic stripe cards — TX-NFC enables card-present fraud by relaying NFC signals, bypassing the physical proximity requirement that contactless payment security relies upon. Group-IB first published detailed technical analysis in its Ghost Tap research on January 16, 2026.
TX-NFC malware runs on the fraudster’s device, not the victim’s. The victim’s card data is obtained separately through phishing or underground markets and loaded into the relay app. This means TX-NFC can operate even when the victim’s own device is fully secure, fully patched, and free of any malware — making it invisible to traditional mobile endpoint protection. In contrast, GoldFactory and CraxsRAT both run on the victim’s device.
TX-NFC applications leverage Android’s Host Card Emulation (HCE) framework, which allows an Android device to emulate a contactless smart card via its NFC antenna. By loading stolen card token data into the HCE-enabled app, the fraudster’s device presents itself to a POS terminal as if it were the victim’s physical contactless card. Over 54 APK samples have been identified, indicating active development. The apps are distributed as side-loaded APKs through Telegram, bypassing Google Play Protect screening entirely.
The impact is amplified because transactions appear as legitimate card-present contactless payments, which typically carry lower fraud liability thresholds and faster approval rates. According to Group-IB’s Ghost Tap research, at least $355,000 in illegitimate transactions were recorded from one POS vendor alone between November 2024 and August 2025. Banks face direct fraud losses, chargeback costs, card reissuance expenses, and reputational damage. The actual scale across all affiliates globally is assessed as substantially higher than the documented single-vendor figure.
Group-IB analysts anticipate integration with more sophisticated social engineering schemes for credential harvesting, expansion beyond Chinese-language communities into English-speaking and Russian-speaking cybercrime ecosystems, and the development of anti-detection countermeasures against emerging NFC relay heuristics. As contactless payment adoption continues to accelerate globally — particularly in APAC and Europe — the addressable attack surface for TX-NFC-type operations grows proportionally.
First, activate geographic velocity monitoring immediately — flag and hold any contactless transaction where POS terminal location is inconsistent with the cardholder’s last known location. Second, query threat intelligence for your institution’s card BINs in TX-NFC-affiliated channels and underground markets to assess exposure scope. Third, deploy NFC handshake timing analysis at the payment processor level — relay attacks introduce measurable latency in the contactless communication sequence detectable in real time.
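Added example, not code from Group-IB or from this page: the geographic velocity control named in the detection guidance and as the first action item, together with the terminal-side check for taps from geographically dispersed cardholders, run over a constructed batch of transactions. The 900 km/h travel ceiling, the 30-minute window, the three-card threshold, and the sample coordinates and timestamps are all assumptions chosen for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

Tx = namedtuple("Tx", "card terminal lat lon ts")  # card = token, lat/lon = terminal location

def km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine, R = 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def with_prior(txs):
    """Yield (tx, previous tx on the same card or None) in time order."""
    last = {}
    for t in sorted(txs, key=lambda x: x.ts):
        yield t, last.get(t.card)
        last[t.card] = t

def velocity_flags(txs, max_kmh=900):
    """Flag a tap the cardholder could not plausibly have reached since their last tap (assumed ceiling)."""
    flagged = []
    for t, p in with_prior(txs):
        if p is None:
            continue
        hours = max((t.ts - p.ts).total_seconds() / 3600, 1 / 60)  # floor at one minute
        if km(p.lat, p.lon, t.lat, t.lon) / hours > max_kmh:
            flagged.append(t)
    return flagged

def terminal_flags(txs, window=timedelta(minutes=30), min_cards=3):
    """Flag a terminal where min_cards+ distinct velocity-flagged cards tap inside one window."""
    hits = defaultdict(list)  # terminal -> [(ts, card)], already in time order
    for t in velocity_flags(txs):
        hits[t.terminal].append((t.ts, t.card))
    return {term for term, ev in hits.items() for i, (start, _) in enumerate(ev)
            if len({c for ts, c in ev[i:] if ts - start <= window}) >= min_cards}

# Constructed sample: A, B, C last tapped in Bangkok, Tokyo, Hanoi, then all tap Berlin terminal T1; D is local.
T0 = datetime(2025, 3, 1, 8, 0)
SAMPLE = [
    Tx("C", "VN-1", 21.03, 105.85, T0),
    Tx("B", "JP-1", 35.68, 139.69, T0 + timedelta(hours=1, minutes=30)),
    Tx("A", "TH-1", 13.75, 100.50, T0 + timedelta(hours=2)),
    Tx("D", "DE-2", 52.40, 13.07, T0 + timedelta(hours=2, minutes=30)),
    Tx("A", "T1", 52.52, 13.40, T0 + timedelta(hours=3)),
    Tx("B", "T1", 52.52, 13.40, T0 + timedelta(hours=3, minutes=5)),
    Tx("C", "T1", 52.52, 13.40, T0 + timedelta(hours=3, minutes=10)),
    Tx("D", "T1", 52.52, 13.40, T0 + timedelta(hours=3, minutes=15)),
]
```

In production the cardholder's "last known location" would also draw on mobile banking GPS as the page suggests, and terminals with legitimately dispersed clientele (airports, transit hubs) need their own baselines before the terminal-level rule is actioned.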