
PhantomCard Fraud: An Emerging NFC Relay Scheme

Written by Content Team | Nov 27, 2025 3:58:43 PM

In mid-2025, a new credit-card fraud scheme began circulating in Brazil. Criminals persuade victims to hold their physical card against a smartphone, which silently relays the card's contactless data so that payments the victim never intended are authorized.

Because the scheme is still relatively new, it appears under multiple names across threat forums and Telegram groups — including PhantomCard, Ghost NFC, NGate, NFC Relay, and Tap-On Fraud.

This post examines how the fraud works and highlights the latest observations from the Axur Research Team (ART). Although this case study originates in Brazil, the tactics mirror NFC relay schemes that have surfaced in Asia and Eastern Europe, making it relevant for global fraud-prevention teams.

How the scheme works

PhantomCard fraud borrows the model of “Tap on Phone” (or “Tap to Pay”), the capability that lets a smartphone act as a contactless payment terminal. Underneath it is the same EMV contactless exchange a plastic terminal performs: the phone's Near Field Communication (NFC) radio sends command APDUs to the card and receives its responses. Any Android device running a modern OS version with an NFC radio can drive that exchange in reader mode, and in relay schemes of this type the attacker's own Android device plays the opposite role, presenting itself to a real terminal as a card through Host Card Emulation (HCE).

For this reason, many threat actors also refer to the technique simply as NFC Relay.

While iPhones also support NFC communication, Apple’s restrictions on sideloading and app distribution significantly limit the ability to deploy malicious relay apps — and no attempts to bypass these controls were observed. As a result, all activity identified so far is restricted to Android.

Once the victim installs the malicious app promoted by the fraudster, the device begins to operate like a payment terminal, polling over NFC for a card brought into range.

Social engineering is critical. Victims must actively participate at every stage: installing the app, holding the card against the device, and in some cases even entering the card's PIN to “unlock” supposed security features. A captured PIN lets the relayed card be used for transactions above the contactless no-PIN limit.

To reduce suspicion, the malicious app is presented as a card authenticator — a tool that allegedly enables enhanced security or unlocks special benefits. None of these features exist. The purpose is purely deceptive.

When the victim follows the instructions, the smartphone acts as a relay (or proxy) between the criminal and the physical card: command APDUs arriving from the attacker's side are passed to the card over NFC, and the card's responses travel back over the internet. The card answers a reader that is, as far as it can tell, a few centimetres away; contactless EMV deployments rarely enforce the timing checks that would expose the detour. With the relayed exchange, the attacker can authorize payments on behalf of the victim.

This is not a vulnerability in the card or in the payment network. The scheme combines legitimate Android NFC capabilities, which any installed app may use, with a victim who has been talked into tapping; the result is a transaction the card authorized but the cardholder never intended.
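To make concrete what “card data” passes through the relay, here is an added example (not Axur's code and not taken from any PhantomCard sample) that parses the two responses a reader-mode app receives from a contactless card: the file control information returned to the PPSE SELECT and a READ RECORD response. The byte strings are constructed for this example; the Visa AID is the public one and the PAN is a standard test number. In a relay these are exactly the bytes forwarded unchanged to the attacker's device, which is why the card cannot tell the difference.

```python
"""BER-TLV parser for EMV contactless responses, run over constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed responses (not captured from any real card or PhantomCard sample).
# SAMPLE_PPSE_FCI is what a card returns to SELECT "2PAY.SYS.DDF01" (the PPSE);
# SAMPLE_RECORD is a READ RECORD response carrying PAN, expiry and cardholder name.
SAMPLE_PPSE_FCI = bytes.fromhex(
    "6F29"
    "840E325041592E5359532E4444463031"  # 84: DF name "2PAY.SYS.DDF01"
    "A517" "BF0C14" "6112"              # A5 > BF0C > 61 (nested templates)
    "4F07A0000000031010"                # 4F: AID (public Visa AID)
    "500456495341"                      # 50: application label "VISA"
    "870101"                            # 87: application priority indicator
)
SAMPLE_RECORD = bytes.fromhex(
    "701C"
    "5A084111111111111111"              # 5A: PAN, BCD-encoded (test number)
    "5F2403271231"                      # 5F24: expiry YYMMDD
    "5F2009544553542043415244"          # 5F20: cardholder name "TEST CARD"
)

@dataclass
class TLV:
    tag: str
    value: bytes
    children: List["TLV"] = field(default_factory=list)

    @property
    def constructed(self) -> bool:
        """Bit 6 (0x20) of the first tag byte marks a constructed (nested) object."""
        return bool(int(self.tag[:2], 16) & 0x20)

def parse_tlv(data: bytes) -> List[TLV]:
    """Parse BER-TLV bytes into TLV nodes, recursing into constructed objects."""
    nodes: List[TLV] = []
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):        # EMV allows 00/FF padding between objects
            i += 1
            continue
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:      # multi-byte tag: more bytes while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        first = data[i]
        i += 1
        if first < 0x80:                    # short-form length
            length = first
        else:                               # long form: 0x8N followed by N length bytes
            n = first & 0x7F
            if n == 0 or n > 4:
                raise ValueError(f"unsupported length encoding for tag {tag}")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        node = TLV(tag, value)
        if node.constructed:
            node.children = parse_tlv(value)
        nodes.append(node)
    return nodes

def find(nodes: List[TLV], tag: str) -> Optional[TLV]:
    """Depth-first search for the first object with the given tag."""
    for node in nodes:
        if node.tag == tag:
            return node
        hit = find(node.children, tag)
        if hit is not None:
            return hit
    return None

def mask_pan(pan_bcd: bytes) -> str:
    """Decode a BCD PAN (tag 5A) and keep only the first six and last four digits."""
    digits = pan_bcd.hex().upper().rstrip("F")   # odd-length PANs end in an F pad nibble
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def summarize_card(ppse_fci: bytes, record: bytes) -> Dict[str, str]:
    """Extract the fields a reader-mode app sees from a PPSE FCI and a READ RECORD response."""
    fci, rec = parse_tlv(ppse_fci), parse_tlv(record)
    wanted = {"aid": (fci, "4F"), "label": (fci, "50"), "pan": (rec, "5A"),
              "expiry": (rec, "5F24"), "name": (rec, "5F20")}
    found = {k: find(tree, tag) for k, (tree, tag) in wanted.items()}
    missing = [k for k, v in found.items() if v is None]
    if missing:
        raise ValueError(f"response lacks expected objects: {missing}")
    exp = found["expiry"].value.hex()
    return {
        "aid": found["aid"].value.hex().upper(),
        "label": found["label"].value.decode("ascii"),
        "pan_masked": mask_pan(found["pan"].value),
        "expiry": f"20{exp[0:2]}-{exp[2:4]}-{exp[4:6]}",
        "cardholder": found["name"].value.decode("ascii").strip(),
    }

if __name__ == "__main__":
    print(summarize_card(SAMPLE_PPSE_FCI, SAMPLE_RECORD))
```

Running the block prints the parsed summary with the PAN masked. The same parser handles any EMV response, so it is also what an analyst would point at the traffic a relay app forwards when reverse-engineering a sample.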

Distribution of malicious applications

The malicious apps involved in the PhantomCard scheme are distributed via fake websites that imitate the Google Play Store and claim to provide “security” features.

One observed page advertised:

  • Real-time purchase validation with instant alerts

  • Biometric authentication

  • Online transaction approvals

  • Full control over card authentications

These fake pages also mimic branding elements from financial institutions and payment providers and include fabricated reviews to increase credibility.

Because the page is fraudulent, nothing displayed on it is legitimate. To install the APK, victims must enable installation from unknown sources (sideloading), a requirement the fake page folds into its security narrative rather than something that should raise suspicion.

Pages analyzed by the ART — labeled “Card Authentication” — include timestamps from late September and October 2025, suggesting an active and recent campaign.

Attribution and cross-regional patterns

Although the campaign language and impersonated brands clearly target Brazilian consumers, several technical indicators point to likely involvement of Chinese threat actors. Two elements stand out:

  • Hosting on IP ranges announced by autonomous systems (ASNs) registered in Hong Kong

  • A URL containing the term “baxi”, a simplified transliteration of bā xī — “Brazil” in Chinese

NFC relay-based fraud has been documented in several countries, including China and Russia; the NGate name listed above comes from one such earlier campaign. By contrast, Brazilian fraud ecosystems have historically leaned toward overlay attacks or “ghost hand” (mão fantasma) remote-access operations to capture credentials and drive the victim's banking session.

The adoption of NFC relay tactics represents a departure from typical local patterns, suggesting collaboration or tooling exchange between operators across regions.

Recommendations

Because victims do not understand that tapping their card on the smartphone will trigger a charge, disputes and chargebacks are highly likely, creating losses for issuers, acquirers, merchants, and cardholders.

Brand monitoring combined with rapid takedown of fraudulent pages is an effective mitigation strategy. Criminals rely on recognizable financial-sector brands to lend legitimacy to the malicious app.

Monitoring helps protect both the institution and its customers by reducing confusion caused by fake “security” apps.

Axur’s platform provides automated brand-monitoring and takedown capabilities to disrupt these campaigns at scale.

Indicators of Compromise (IoCs)

All indicators are defanged: replace [.] with . and hxxps with https before use.

Type | Description | Value
Hash | Malicious file hash (SHA-256) | cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667
Hash | Malicious file hash (SHA-256) | a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f
Hash | Malicious file hash (SHA-256) | d6255e71bcde2dafd48dd1abea311cda13e5b6aa1f4836831621c9ff06d695c3
IPv4 | Address associated with PhantomCard | 154[.]205[.]156[.]112
IPv4 | Address associated with PhantomCard | 154[.]90[.]60[.]99
IPv4 | Address associated with PhantomCard | 34[.]148[.]134[.]19
URL | URL associated with PhantomCard (Replit-hosted) | hxxps://5a341dc1-98f9-4264-859a-e8bc6d236024-00-1vfeomyys26m9[.]janeway[.]replit[.]dev
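An added example (written for this edit, not Axur's tooling) that turns the defanged indicators above into usable lookups and sweeps a few constructed proxy-log lines for them. The indicators are copied from the table; the log lines are invented for the demonstration and are not real telemetry.

```python
"""Refang the defanged indicators from the IoC table and sweep sample logs for them."""
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlparse

# Indicators as published in the table above (still defanged).
DEFANGED_IOCS: Dict[str, List[str]] = {
    "hash": [
        "cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667",
        "a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f",
        "d6255e71bcde2dafd48dd1abea311cda13e5b6aa1f4836831621c9ff06d695c3",
    ],
    "ipv4": ["154[.]205[.]156[.]112", "154[.]90[.]60[.]99", "34[.]148[.]134[.]19"],
    "url": ["hxxps://5a341dc1-98f9-4264-859a-e8bc6d236024-00-1vfeomyys26m9[.]janeway[.]replit[.]dev"],
}

# Constructed proxy-log lines for the demonstration (not real telemetry).
SAMPLE_LOG = [
    "2025-10-03T14:02:11Z CONNECT 5a341dc1-98f9-4264-859a-e8bc6d236024-00-1vfeomyys26m9.janeway.replit.dev:443 src=10.0.0.23",
    "2025-10-03T14:02:12Z GET http://154.205.156.112/api/ping src=10.0.0.23",
    "2025-10-03T14:05:44Z GET https://www.example.com/ src=10.0.0.24",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9][a-z0-9-]*)+\b", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Reverse the usual defanging: [.] / (.) / [dot] -> '.', hxxp -> http, [:] -> ':'."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":")

def load_iocs(defanged: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang and normalise indicators into lookup sets; hostnames are pulled out of URLs."""
    iocs: Dict[str, Set[str]] = {"hash": set(), "ipv4": set(), "host": set()}
    for h in defanged.get("hash", []):
        iocs["hash"].add(h.strip().rstrip(";").lower())   # tolerate stray trailing ';'
    for ip in defanged.get("ipv4", []):
        iocs["ipv4"].add(refang(ip))
    for url in defanged.get("url", []):
        host = urlparse(refang(url)).hostname
        if host:
            iocs["host"].add(host.lower())
    return iocs

def scan_log(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, value) for every IoC seen in the log lines."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ipv4"]:
                hits.append((n, "ipv4", ip))
        for host in HOST_RE.findall(line):
            if host.lower() in iocs["host"]:
                hits.append((n, "host", host.lower()))
    return hits

def file_hash_matches(content: bytes, iocs: Dict[str, Set[str]]) -> bool:
    """SHA-256 the bytes of a downloaded APK and check them against the published hashes."""
    return hashlib.sha256(content).hexdigest() in iocs["hash"]

if __name__ == "__main__":
    iocs = load_iocs(DEFANGED_IOCS)
    for hit in scan_log(SAMPLE_LOG, iocs):
        print(hit)
    print(file_hash_matches(b"constructed stand-in for an APK, not a real sample", iocs))
```

The hostname match is deliberately exact rather than a suffix match: the indicator is a single Replit-hosted deployment, and flagging every *.replit.dev host would drown the alert in legitimate developer traffic.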

Fraud Neuron

Axur’s Cyber Fraud Modeling Initiative

Fraud Neuron is a cyber-fraud modeling project currently under development by the Axur Research Team in collaboration with industry partners. The goal is to build a framework that accurately represents real-world fraud patterns observed in Brazil and Latin America, enabling future statistical analysis and more effective mitigation techniques.

Below is the current Fraud Neuron mapping for NFC relay fraud:

Tactic | Technique | Procedure | Description
Target Identification | Types of targets: corporate targets | Financial Institutions | Infiltrating banks and financial service providers
Reconnaissance | Technical data collection | Infrastructure Scanning | Probing networks and systems for vulnerabilities
Reconnaissance | Technical data collection | Traffic Analysis | Intercepting and analyzing network traffic
Resources | Technical | Domain Registration | Registering deceptive websites
Resources | Technical | Server Infrastructure | Configuring malicious computing resources
Resources | Technical | Network Resources | Establishing covert network infrastructure
Resources | Tools | Malware | Distributing malicious software to compromise targets
Identity Simulation | Representation | Brand Impersonation | Impersonating legitimate companies
Identity Simulation | Technical deception | App Cloning | Replicating legitimate applications
Conversion | Financial Extraction | Card Fraud | Exploiting stolen payment-card data
Impacts | Direct Impacts | Monetary Loss | Stealing funds directly from victims
Impacts | Direct Impacts | Data Compromise | Exposing sensitive information
Impacts | Indirect Impacts | Reputational Damage | Damaging brand trust and reputation