{"id":29955,"date":"2026-01-13T15:06:00","date_gmt":"2026-01-13T20:06:00","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/?p=29955"},"modified":"2026-01-20T12:55:49","modified_gmt":"2026-01-20T12:55:49","slug":"nfc-gate-relay-attacks-2026","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/nfc-gate-relay-attacks-2026\/29955\/","title":{"rendered":"NFC skimming attacks"},"content":{"rendered":"

Thanks to the convenience of NFC and smartphone payments, many people no longer carry wallets or remember their bank card PINs. All their cards reside in a payment app, and using that is quicker than fumbling for a physical card. Mobile payments are also secure \u2014 the technology was developed relatively recently and includes numerous anti-fraud protections. Still, criminals have invented several ways to abuse NFC and steal your money. Fortunately, protecting your funds is straightforward: just know about these tricks and avoid risky NFC usage scenarios.<\/p>\n

What are NFC relay and NFCGate?<\/h2>\n

NFC relay is a technique where data wirelessly transmitted between a source (like a bank card) and a receiver (like a payment terminal) is intercepted by one intermediate device, and relayed in real time to another. Imagine you have two smartphones connected via the internet, each with a relay app installed. If you tap a physical bank card against the first smartphone and hold the second smartphone near a terminal or ATM, the relay app on the first smartphone will read the card\u2019s signal using NFC, and relay it in real time to the second smartphone, which will then transmit this signal to the terminal. From the terminal\u2019s perspective, it all looks like a real card is tapped on it \u2014 even though the card itself might physically be in another city or country.<\/p>\n

This technology wasn\u2019t originally created for crime. The NFCGate app appeared in 2015 as a research tool after it was developed by students at the Technical University of Darmstadt in Germany. It was intended for analyzing and debugging NFC traffic, as well as for education purposes and experiments with contactless technology. NFCGate was distributed as an open-source solution and used in academic and enthusiast circles.<\/p>\n

Five years later, cybercriminals caught on to the potential of NFC relay and began modifying NFCGate by adding mods that allowed it to run through a malicious server, disguise itself as legitimate software, and perform social engineering scenarios.<\/p>\n

What began as a research project morphed into the foundation for an entire class of attacks aimed at draining bank accounts without physical access to bank cards.<\/p>\n

A history of misuse<\/h2>\n

The first documented attacks using a modified NFCGate occurred in late 2023 in the Czech Republic. By early 2025, the problem had become large scale\u00a0 and noticeable: cybersecurity analysts uncovered more than 80 unique malware samples built on the NFCGate framework. The attacks evolved rapidly, with NFC relay capabilities being integrated into other malware components.<\/p>\n

By February 2025, malware bundles combining CraxsRAT and NFCGate emerged, allowing attackers to install and configure the relay with minimal victim interaction. A new scheme<\/a>, a so-called \u201creverse\u201d version of NFCGate, appeared in spring 2025, fundamentally changing the attack\u2019s execution.<\/p>\n

Particularly noteworthy is the RatOn Trojan<\/a>, first detected in the Czech Republic. It combines remote smartphone control with NFC relay capabilities, letting attackers target victims\u2019 banking apps and cards through various technique combinations. Features like screen capture, clipboard data manipulation, SMS sending, and stealing info from crypto wallets and banking apps give criminals an extensive arsenal.<\/p>\n

Cybercriminals have also packaged NFC relay technology into malware-as-a-service (MaaS) offerings, and reselling them to other threat actors through subscription. In early 2025, analysts uncovered a new and sophisticated Android malware campaign in Italy, dubbed SuperCard X<\/a>. Attempts to deploy SuperCard X were recorded in Russia in May 2025, and in Brazil in August of the same year.<\/p>\n

The direct NFCGate attack<\/h2>\n

The direct attack is the original criminal scheme exploiting NFCGate. In this scenario, the victim\u2019s smartphone plays the role of the reader, while the attacker\u2019s phone acts as the card emulator.<\/p>\n

First, the fraudsters trick the user into installing a malicious app disguised as a banking service, a system update, an \u201caccount security\u201d app, or even a popular app like TikTok. Once installed, the app gains access to both NFC and the internet \u2014 often without requesting dangerous permissions<\/a> or root access. Some versions also ask for access to Android accessibility features<\/a>.<\/p>\n

Then, under the guise of identity verification, the victim is prompted to tap their bank card to their phone. When they do, the malware reads the card data via NFC and immediately sends it to the criminals\u2019 server. From there, the information is relayed to a second smartphone held by a money mule, who helps extract the money. This phone then emulates the victim\u2019s card to make payments at a terminal or withdraw cash from an ATM.<\/p>\n

The fake app on the victim\u2019s smartphone also asks for the card PIN \u2014 just like at a payment terminal or ATM \u2014 and sends it to the attackers.<\/p>\n

In early versions of the attack, criminals would simply stand ready at an ATM with a phone to use the duped user\u2019s card in real time. Later, the malware was refined so the stolen data could be used for in-store purchases in a delayed, offline mode, rather than in a live relay.<\/p>\n

For the victim, the theft is hard to notice: the card never left their possession, they didn\u2019t have to manually enter or recite its details, and the bank alerts about the withdrawals can be delayed or even intercepted by the malicious app itself.<\/p>\n

Among the red flags that should make you suspect a direct NFC attack are:<\/p>\n