South Korean police on Thursday announced the arrest of the second and final suspected ringleader of a hacking syndicate that stole 48.4 billion won ($31.9 million) from 28 people while targeting 271 in total, closing an investigation that mobilized 55 detectives across nearly four years. The suspect, a 40-year-old Chinese national, was extradited from Bangkok to Incheon International Airport on May 13 and faces 18 charges, including computer fraud and violations of South Korea’s communications privacy law. He is expected to be formally referred to prosecutors by May 22.

The BTS vocalist Jungkook’s name attached to this case early, and that is where most reporting landed. His brokerage account was frozen before any transfer cleared, and he lost nothing. The victims who actually lost money were chosen for a very different reason: corporate executives with large, illiquid positions; prisoners who could not check a banking app; soldiers locked into mandatory military service; and, confirmed by investigators, people who had already died.

Two Phases, Four Years, 48 Billion Won

The syndicate operated in two distinct technical phases, each abandoned only when its predecessor became too costly to sustain. Police described the evolution as a direct response to carrier security countermeasures, not an unplanned pivot.

The first phase, SIM cloning, began in May 2022. Investigators found that the group had copied the unique authentication credentials of 13 victims from their subscriber identity module (SIM) cards onto blank replacements, producing what police call “twin SIMs.” With a duplicate card, any one-time password or SMS verification text sent to the legitimate account holder arrives instead on the fraudulent copy. Four victims lost 8.9 billion won in cryptocurrency before telecom providers updated their authentication logic enough to make cloning impractical.

So the operation changed course. From July 2023 onward, overlapping the final months of the cloning phase, the group pivoted to hacking the online activation portals of budget mobile carriers directly. That shift was far more productive, and the losses in the second phase are more than four times those of the first.

• 48.4 billion won ($31.9M) stolen from 28 confirmed victims out of 271 targeted
• 271 individuals in the crosshairs; fewer than one in nine was successfully defrauded
• 8.9 billion won in Phase 1 cryptocurrency losses across four victims
• 39.5 billion won extracted in Phase 2 via fraudulent SIM activations; a further 25 billion won theft attempt was blocked

The Silence-First Target List

The syndicate’s victim selection was organized around a single practical question: how long before this person notices? Investigators at the Seoul Metropolitan Police Agency’s Cyber Investigation Unit described the group as deliberately choosing individuals whose losses were unlikely to be detected or addressed promptly. Celebrities and executives appeared on the list not because of notoriety but because their accounts held large balances that could be moved in single transactions.

The less-discussed categories were the more deliberate ones. Prisoners cannot access a smartphone. Soldiers serving mandatory conscription have limited time with personal devices. Deceased individuals leave accounts that surviving family members may not actively monitor. Police confirmed all three as intentional targeting categories alongside the executives and influencers, not incidental additions to the victim roster.

Among the 28 confirmed victims, investigators identified 10 high-ranking corporate executives, three celebrities and influencers, and three cryptocurrency investors. Three more were connected to companies within South Korea’s top 100 conglomerates. The losses fell sharply unequal: one victim alone accounted for 21.3 billion won, nearly half the total confirmed losses, in what prosecutors described as the case’s most destructive single incident.

That distribution reveals the scheme’s internal logic. Scale comes from targets with large accounts. Operational safety comes from targets who cannot fight back fast. The syndicate optimized for both simultaneously, which is why the confirmed victim list includes conglomerate executives alongside prisoners and the deceased.

• 10 senior corporate executives at major Korean companies
• 3 celebrities and social media influencers
• 3 cryptocurrency investors
• Individuals linked to 3 companies within South Korea’s top 100 conglomerates
• Active-duty military service members under mandatory conscription
• Incarcerated individuals and, in confirmed cases, deceased persons

Budget Carriers as the Weak Link

Phase One: Copying the SIM

SIM cloning did not require physical access to a victim’s handset. The group harvested authentication credentials through breaches of public and private digital platforms, then transferred those credentials to blank SIM cards obtained separately. From a carrier’s perspective, the cloned card is indistinguishable from the original; it presents identical authentication data and passes the same network identity checks.

Thirteen victims had their SIM credentials compromised this way. When carriers eventually tightened their protocols and cloning became unworkable, the group did not stop. It looked for the next exploitable gap in the same identity infrastructure, and the budget carrier activation portals were it.

Phase Two: Hacking the Portal

Mobile virtual network operators (MVNOs, carriers that lease network capacity from South Korea’s three major telecoms rather than operating their own towers) had built non-face-to-face activation systems as a customer convenience feature. A new subscriber could sign up entirely online by uploading a copy of an identity document, with no in-person appearance or biometric check required. The syndicate treated those portals as an entry point, not a friction point.

Investigators found that the group breached more than ten such portals between July 2023 and April 2025. Using identity data already exfiltrated from government agencies and financial platforms, they registered 122 SIM cards under the names of 92 real people. Those authenticated phone numbers cleared two-factor authentication at banks, brokerage accounts, and cryptocurrency exchanges. The group also breached more than ten separate public and private platforms to access the financial records of 195 individuals, feeding the pipeline with a continuous supply of fresh credentials.

The scale of the underlying structural failure became clear months after the arrests. Per National Police Agency data on ghost-phone cases, MVNOs accounted for 92.3 percent of all fraudulent phone registrations detected nationwide in 2024, totaling 89,927 of 97,399 reported incidents. The syndicate’s fraudulent activations were one criminal operation inside a much broader sector-wide vulnerability.

A School-Day Partnership Behind 32 Suspects

The two ringleaders had known each other since their school days, according to police. The first, a 36-year-old Chinese national, was operating out of Thailand when South Korean authorities obtained an emergency provisional arrest measure and extradited him to Seoul in August 2025; he was indicted the following month and remains on trial. The second, the 40-year-old now in custody after arriving at Incheon Airport on May 13, faces 18 charges. Both Chinese nationals ran their hacking operations from overseas bases, with the network spanning China and Thailand, before coordination with Interpol’s cybercrime division helped bring both extraditions to completion.

Below those two, 55 investigators tracked a 30-member support structure whose roles were deliberately compartmentalized: managers who processed stolen identity data, field operatives who executed SIM activations and financial transactions, and money-laundering specialists who moved funds across jurisdictions. The 30 additional members reportedly included unemployed individuals, self-employed workers, and university students. Police worked the case for three years and eleven months. Detection did not prevent Phase 2 from running; it only accelerated its end.

The ₩8.4 Billion HYBE Attempt, and the ₩21.3 Billion That Wasn’t Stopped

In January 2024, while Jungkook was completing mandatory military service, the syndicate accessed a securities account in his name and attempted to transfer 33,500 shares of HYBE, the entertainment company behind BTS. The shares were worth approximately 8.4 billion won at the time. BigHit Music, HYBE’s subsidiary label for Jungkook’s management, moved to freeze the account after authorities flagged the irregularity. No funds transferred.

The same investigation produced a very different result for the unnamed victim who lost 21.3 billion won in a single incident, the case’s largest individual loss. Police separately report recovering approximately an equivalent amount through suspicious-transaction detection systems at financial institutions, though whether that recovery was fully realized is not confirmed in publicly available filings. Investigators also froze accounts containing 12.8 billion won as the case developed.

This incident of bypassing the non-face-to-face authentication system is ‘unprecedented,’ and the vast sums accessed ‘could have easily led to an even bigger crime.’

Oh Gyu-sik, head of the Seoul Metropolitan Police Agency’s 2nd Cyber Investigation Unit, made that statement when an earlier phase of arrests was announced. The framing reflects how investigators read the case: not as a finished chapter, but as a demonstration of what becomes possible when authentication gaps exist at scale and credentials are already in circulation.

South Korea Closes the Loophole, for Now

South Korea’s Ministry of Science and ICT piloted a facial recognition requirement for new SIM registrations from December 23, 2025, and moved to full mandatory implementation on March 23, 2026. The policy now applies to all three major mobile carriers and every MVNO operating in the country. Under the system, a biometric match between a subscriber’s government-issued ID photo and a real-time facial scan must clear before any SIM is activated, whether the transaction is in-person or through an online portal.

The MVNO sector, responsible for 92.3 percent of all ghost-phone activations caught in 2024, faces the sharpest compliance obligations. Per the Ministry of Science and ICT’s December 2025 policy announcement, carriers that fail to apply the biometric check face accountability measures for repeated illegal activations. A separate investigation uncovered 11,000 ghost SIM cards registered through stolen foreign passport copies, causing an estimated 96 billion won in damages, confirming that the problem extended well beyond this one syndicate.

Police closed their statement on the case with an unusual admission: this was “a new type of crime that is difficult to find precedents globally.” The underlying mechanism is less novel. If identity credentials are already compromised at the database level and SIM activation requires no biometric gate, the combination is a ready-made account-takeover pipeline. The facial verification mandate closes the activation end of that pipeline, and has been in force since late March.

If the biometric rollout holds without new workarounds and MVNO operators apply the checks consistently, the non-face-to-face activation gap this syndicate exploited for nearly two years will be closed for good. But the government agencies and financial platforms that surrendered the identity credentials of 195 individuals to the group remain the open variable. The Ministry’s policy addresses one gate. The upstream breach problem that stocked the syndicate’s pipeline is still an unsettled question for Korean regulators.

Macquarie Group, the Sydney-based financial services and investment banking firm, disclosed in a first-quarter 2026 13F filing with the U.S. Securities and Exchange Commission that it cut its position in BlackRock’s spot Bitcoin exchange-traded fund, the iShares Bitcoin Trust (IBIT), by about 19.3%, reducing its stake from 5.126 million shares to 4.139 million. The Australian institution also trimmed its holding in BlackRock’s spot Ether ETF (ETHA) by roughly 9.5%, and simultaneously opened a fresh equity position in BitMine Immersion Technologies (NYSE: BMNR), the world’s largest Ethereum treasury company, valued at approximately $41.53 million as of March 31.

Two passive wrapper positions cut, one new operating-company stake built. Taken together, the disclosure sketches a deliberate portfolio decision to reduce index-style crypto access while adding equity with considerably higher leverage to Ethereum’s next price move.

Two ETF Cuts, One New Equity Bet

The mechanics of the repositioning are legible in three line items from the 13F. Macquarie’s IBIT stake fell from 5.126 million shares in Q4 2025 to 4.139 million in Q1 2026. The dollar value of that holding dropped to $159 million from $255 million, a combined result of deliberate selling and Bitcoin’s steep price decline through the period.

The Ether ETF followed a similar path. Holdings contracted from 3.634 million shares to 3.289 million, and the stake’s value fell from $81.5 million to about $52.1 million. BlackRock launched its iShares Bitcoin Trust spot ETF product in January 2024 and added ETHA that July; Macquarie built positions in both products as the spot ETF market attracted institutional capital through 2024 and into 2025.

The new entry is BMNR. Macquarie carried no prior position in the Ethereum treasury operator. The March 31 valuation placed the fresh stake at $41.53 million, making it a net addition to the book rather than a direct substitution within an existing line item.

Bitcoin’s Worst Quarter in Several Years

The market backdrop for Q1 2026 was punishing for passive crypto holders. Bitcoin fell from approximately $87,000 at the start of January to roughly $66,000 by the end of March, its steepest quarterly decline in several years. Oil prices pushed above $100 per barrel on Strait of Hormuz tensions, the Federal Reserve shelved any prospect of near-term rate cuts, and crypto ETFs bled capital through January and February before a partial March recovery returned approximately $1.3 billion in industry-wide inflows to the Bitcoin ETF complex.

The Bitcoin fund absorbed those swings while maintaining roughly $54 billion in assets under management and commanding close to 49% of the U.S. spot Bitcoin ETF market by assets through the quarter. The broader institutional bid held even as prices fell, though Macquarie was clearly among those reducing rather than adding to their exposure during the downturn.

The spot Ether fund had a steeper run. The product declined about 20% through the first quarter, consistent with Ethereum’s heightened sensitivity to macro risk-off conditions relative to Bitcoin. Some of the dollar-value contraction in Macquarie’s two ETF stakes was therefore automatic, a direct function of lower asset prices applied to unchanged share counts. The deliberate reductions in share count on top of that price effect represent the active portfolio decision that shows up in the filing.

BitMine’s Ethereum Treasury Machine

BitMine Immersion Technologies operates as a corporate Ethereum treasury, with a stated business purpose of acquiring the token, holding it on its balance sheet, staking it for network yield, and accumulating more through ongoing capital raises. The company targets ownership of 5% of Ethereum’s total circulating supply, a goal it has been approaching rapidly.

BitMine’s April 9, 2026 NYSE uplisting 8-K filed with the SEC confirmed the company’s transition from NYSE American to the main exchange, marking a significant shift in institutional profile. Thomas Lee, Chairman of BitMine Immersion Technologies, described the move as a milestone for the company. The uplisting came after a period of rapid ETH accumulation that established the firm as the largest single corporate holder of the token globally.

Today, Bitmine achieved a major milestone by being uplisted to the Big Board NYSE.

Thomas Lee, Chairman of BitMine Immersion Technologies, in an April 9, 2026 announcement filed with the U.S. Securities and Exchange Commission.

As of May 17, 2026, per BitMine’s May 2026 8-K with the SEC, the company held 5.278 million ETH at $2,191 per token, a position representing 4.37% of the 120.7 million token circulating supply. Its MAVAN infrastructure, the Made in America Validator Network, had 4.71 million of those tokens staked with annualized revenues of $289 million at a 2.8% yield.

Key metrics from the company’s most recent SEC filing:

• 5.278 million ETH held in treasury as of May 17, 2026
• 4.37% of the total Ethereum circulating supply controlled by a single corporate entity
• $289 million in annualized staking revenues via the MAVAN platform at 2.8% annual yield
• $12.6 billion in combined crypto holdings, cash, and equity stakes including positions in Beast Industries and Eightco Holdings

Institutional backers listed in BitMine’s SEC filings include ARK Investment Management, Founders Fund, Pantera Capital, Kraken, Digital Currency Group, and Galaxy Digital.

ETF Wrapper Versus Operating Equity: The Risk Calculus

Holding a spot crypto ETF is a clean transaction. At 0.25% in annual fees, IBIT and its Ether counterpart deliver Bitcoin and Ethereum price performance with minimal operational friction. There is no management team whose decisions affect returns, no net-asset-value premium or discount to worry about, and exit works precisely the same way as entry.

Holding an Ethereum treasury company is structurally different. The share price reflects supply and demand for the equity rather than the underlying token value in any mechanical way. When institutional optimism is high, treasury-company stocks frequently trade at a sustained premium to net asset value. Strategy Inc. (NASDAQ: MSTR) ran this playbook with Bitcoin for much of the past two years, and its equity returns substantially outpaced Bitcoin in rising markets precisely because the NAV premium compounded on top of the asset appreciation. BitMine is running the same model for Ethereum, with the added dimension of MAVAN staking yield generating ongoing cash flows alongside the treasury appreciation thesis.

That operating leverage cuts both ways. The treasury stock’s 52-week share range of $3.20 to $161.00 illustrates what the downside of that structure looks like. A spot Ether fund tracks Ethereum lower in a transparent, proportional way. A treasury operating company in a prolonged crypto correction can reprice below net asset value, adding execution risk and structural discount on top of the underlying decline. Ongoing equity raises to fund fresh token purchases also dilute existing shareholders, introducing a headwind that passive ETF holders never face.

Macquarie’s $41.53 million stake in the treasury operator sits alongside a $159 million position in the Bitcoin fund that remains the largest line item in its crypto book. The construction is additive and calibrated: broad Bitcoin ETF exposure at scale, a trimmed Ether ETF position, and a treasury-company bet that amplifies returns if Ethereum moves higher. The relative sizing reflects deliberate risk management rather than wholesale conviction in the treasury-company format.

The Payoff If Ethereum Moves, Scored Two Ways

Scenario one: Ethereum re-rates above $3,000 through the remainder of 2026. The company’s treasury grows in absolute dollar terms, the 2.8% MAVAN staking yield applies to a larger base, and any NAV premium the equity market assigns to the treasury stock amplifies the equity gain above what the spot Ether fund alone would deliver. In that scenario, trimming the Ether fund and buying the treasury equity looks like the correct call, and the Q1 repositioning earns a favorable reading on the Q2 filing.

Scenario two: crypto extends its first-quarter slide or grinds sideways. The Ether fund tracks Ethereum lower in a clean, proportional way. The treasury stock potentially drops faster, because the market discounts not just the token decline but the execution risk and dilution drag from a company continuing to raise equity capital to purchase more of a falling asset. The $41.53 million position would shrink by more per dollar than an equivalent spot Ether ETF stake would.

The MAVAN staking yield provides a limited buffer in the flat scenario. At 2.8% annualized on 4.71 million ETH staked, it generates cash flows tied to Ethereum’s network utilization rather than its spot price. That yield does not protect against a serious correction, but it converts part of the position from pure price speculation into a yield-generating operation, changing the cost-of-carry calculus for a long-term holder willing to ride out volatility.

Macquarie’s Q2 2026 13F filing is due 45 days after June 30. If the Ethereum treasury stake grew as a share of the crypto book in the second quarter, the conviction call is deepening. If it shrank, the Q1 trade looks more like a tactical experiment than a structural shift in how one of Australia’s largest financial institutions thinks about crypto equity versus crypto wrappers.

Disclaimer: This article is for informational purposes only and does not constitute investment advice. Holdings in IBIT, ETHA, and BMNR involve significant financial risk, including the potential for total loss of invested capital. Consult a qualified financial professional before making any investment decisions. Figures cited are accurate as of publication on May 21, 2026.

For most of 2024 and into 2025, the business of NFC relay fraud ran through Chinese-controlled infrastructure. Malware-as-a-Service (MaaS, a subscription model that packages attack tooling for affiliates who lack the technical skill to build it) platforms like SuperCard X supplied pre-built relay engines to regional operators, keeping the dangerous engineering tightly concentrated. That concentration ended in 2026. Cleafy’s Threat Intelligence and Response (TIR) team has identified two new Android malware families, DevilNFC and NFCMultiPay, built from scratch by independent Spanish-speaking and Brazilian Portuguese-speaking groups respectively, and both are conducting live attacks against banking customers across Europe and Latin America.

Neither family shares code or infrastructure with the Chinese ecosystem they effectively displaced, and neither required a MaaS subscription to deploy. Local criminal crews now possess the full build capability, and generative AI helped them get there faster than any previous generation of mobile malware.

How a Chinese Monopoly on NFC Malware Ended

The architectural foundation for almost every NFC relay attack documented through 2025 traces back to NFCGate, the open-source NFC research framework developed by researchers at the Technical University of Darmstadt. Built to study NFC vulnerabilities in controlled environments, NFCGate found a second life in criminal tooling as groups discovered it could just as easily underpin a live attack chain. The ecosystem of families derived from it grew steadily: NGate, KingNFC, X-NFC, and related variants each repackaged the same relay core under new branding and distribution channels, but none reinvented the underlying mechanics.

SuperCard X, documented by Cleafy in April 2025 in a full analysis of the Chinese-speaking MaaS NFC relay operation, became the industrialized form of this approach. The platform promoted itself through Telegram channels, sold a two-application Reader/Tapper architecture to paying affiliates, and confirmed at least one active campaign in Italy. Chinese-speaking developers held the tooling layer and were not distributing source code. Paying a subscription and following an operational playbook was all an affiliate needed; the relay infrastructure was ready to deploy without touching the underlying build.

What changed in 2026 was not a new attack technique but a new economic reality. Open-source repositories hosting leaked malware code, combined with uncensored generative AI models that could help non-expert developers patch, extend, and localize that code, compressed a capability gap that had previously kept NFC relay development inside a small circle of technically sophisticated actors. Two independent regional groups reached build capability at roughly the same time, against the same target class, from opposite sides of the Atlantic.

DevilNFC’s Dual-Role Architecture

Victim Side: A Passive NFC Reader

On an unrooted victim device, DevilNFC behaves unremarkably. The application presents itself as a mandatory banking security update, requests minimal permissions, and passes basic automated security scans without triggering alerts. Its reader component uses standard Android NFC APIs to capture contactless payment card data when the victim taps their physical card against the device, staying below the detection threshold of most mobile security tooling.

Distribution begins with a phishing message, typically delivered via SMS or WhatsApp, that frames the download as an urgent requirement from the victim’s bank. The social engineering template is not embedded in the APK but fetched from the attacker’s command-and-control (C2) server at runtime, meaning the fraudulent banking interface can be swapped for a different institution’s branding without redeploying the application. Cleafy identified two C2 domains linked to DevilNFC operations: nfcrackatm.com and spicynagets.shop, both serving as relay server endpoints.

Attacker Side: A System-Level Card Emulator

The same APK transforms into something categorically more powerful when installed on a rooted attacker device. Using the Xposed Framework to inject hooks directly into Android’s NFC daemon, DevilNFC intercepts NFC traffic at the system level, well below the standard Android API layer where conventional detection operates. A derivative of the NFCGate relay core then converts the attacker’s hardware into a live host card emulator: the attacker’s phone presents the victim’s card data to any contactless point-of-sale (POS) terminal or ATM as though the physical card were present.

This asymmetric architecture sets DevilNFC apart within the threat class. A single APK carries both roles. Installed on different hardware configurations, it performs entirely different functions in the same attack. Security teams scanning the APK on a standard unrooted test device observe only the passive reader behavior; the emulation capability surfaces exclusively in the attacker’s rooted environment, making lab-based static analysis an unreliable detection method.

Kiosk Mode locks the victim’s screen from the moment the application launches, hiding the system UI and overriding the hardware back button with an empty handler. There is no way to exit the fraudulent banking interface while the relay session runs. A fake verification pop-up, rendered from a C2 template, prompts the victim to enter their PIN after the first card tap. That PIN is exfiltrated in plaintext to two simultaneous destinations: a dedicated C2 endpoint and the attacker’s private Telegram channel, transmitted alongside the bank name and the victim’s public IP address.

NFCMultiPay Takes a Simpler Path

Where DevilNFC deploys system-level hooking and requires a rooted attacker device, NFCMultiPay reaches the same outcome with considerably less infrastructure. Written entirely in pure Java with no native libraries and no root requirement on either device, it routes the NFC relay exchange through a cloud broker using event-driven MQTT (Message Queuing Telemetry Transport, a lightweight publish/subscribe protocol common in IoT applications) over TCP port 1883. This replaces the REST polling approach of earlier build versions and eliminates the latency gap that could interrupt a live relay transaction mid-authorization.

Its Brazilian developer fingerprint emerged through code archaeology rather than any direct attribution. Early NFCMultiPay builds contained Chinese log strings consistent with leaked codebases circulating in underground repositories, suggesting the group started by adapting an existing foundation. Later variants replaced every Chinese string with functional English and Portuguese equivalents, a build-over-build progression Cleafy analysts read as deliberate sanitization of operational origins. Two active C2 addresses were documented: 185.203.116.18 and 47.253.167.219.

NFCMultiPay does not employ device locking. Without the hard-stop that traps victims inside DevilNFC’s interface, it relies on continuous social engineering through a branded UI impersonating the target institution. The trade-off works in the operators’ favor: removing the root requirement on both devices dramatically broadens the pool of potential affiliates who can deploy it, and the absence of screen locking generates fewer behavioral anomaly alerts on devices running active security software.

AI Tools Lower the Build Barrier

Both families carry fingerprints of AI-assisted development, and those indicators are not subtle. Cleafy’s researchers flagged characteristics consistent with code generated or substantially modified by large language models (LLMs) running uncensored local variants that do not refuse requests to produce functional malware components. The result is first-generation malware that arrives technically over-engineered relative to what human developers typically ship on an initial build.

In April 2026, ESET independently confirmed the pattern when it identified a new NGate variant targeting Brazilian users whose injected code carried the same AI development indicators and Brazilian Portuguese strings observed in NFCMultiPay. Two research teams, working separately on different malware families in the same quarter, reached the same conclusion. That convergence removes most of the ambiguity about what is driving the capability shift.

Specific AI indicators identified across both families include:

• Over-engineered phishing templates in DevilNFC with complex conditional branching logic well beyond what a manual first-version build typically contains
• Emoji-formatted logging structures in NFCMultiPay, a stylistic pattern strongly associated with LLM output rather than human developer conventions
• Comprehensive edge-case error handling implemented consistently across both code bases, going well beyond functional minimums for initial malware releases
• In NFCMultiPay, systematic replacement of Chinese log strings with Portuguese equivalents across multiple consecutive builds, consistent with a prompted rewriting workflow rather than manual line-by-line editing

The Attack Chain, Step by Step

Both families follow the same general attack sequence, though DevilNFC applies more coercive mechanics at each stage. The full chain, as documented in Cleafy’s full research on DevilNFC and NFCMultiPay, runs as follows for the more advanced of the two families:

1. A phishing SMS or WhatsApp message prompts the victim to install a fake banking security update, framed as a mandatory requirement from the target institution.
2. On first launch, DevilNFC activates Kiosk Mode, collapsing the system UI and disabling the hardware back button. The victim is trapped inside the fraudulent banking interface with no standard exit path.
3. A fake card verification screen, fetched live from the C2 server, instructs the victim to hold their physical payment card against the phone. The NFC reader captures contactless card data silently.
4. A follow-up verification prompt requests the victim’s four-digit card PIN, exfiltrated in plaintext to both a dedicated C2 endpoint and a private Telegram channel, alongside the bank name and victim’s IP address.
5. A deliberately displayed error message instructs the victim to hold the card for an additional 10 seconds, extending the relay window and ensuring the fraudulent transaction has time to complete at the attacker’s terminal.
6. With relayed card data and a captured PIN, the attacker’s emulator device authorizes a transaction at a contactless POS terminal or ATM. The PIN capture removes any tap-limit ceiling on the fraud amount.

What Banks and Security Teams Face Now

The PIN capture detail sits at the center of why this threat class is more dangerous than standard NFC relay. Contactless payment limits in Europe typically sit near 50 euros, capping what an attacker holding only intercepted card data can achieve at a POS terminal. With a PIN acquired through the phishing interface, those limits dissolve entirely. Both families treat PIN collection as a baseline operational requirement, not an optional enhancement. Banks assessing NFC relay exposure purely against contactless transaction ceilings are measuring the wrong risk boundary.

Detection presents compounding challenges on multiple fronts. On victim devices, DevilNFC requests only standard NFC permissions and remains behaviorally passive until a card tap occurs, staying below the alert threshold of most mobile security tools. On attacker devices, the Xposed-based hooking approach operates at the system level rather than the application layer, complicating runtime detection without dedicated kernel-level monitoring. NFCMultiPay’s rootless design removes even the rooted-device requirement, narrowing the behavioral signals available to defenders and expanding the potential affiliate pool simultaneously.

The indicators documented by Cleafy, including the C2 domains and IP addresses, give security operations teams and banking fraud platforms a concrete starting point. But DevilNFC fetches its phishing templates from the C2 at runtime, meaning the fraudulent branding rotates independently of the APK. If the next regional crew, emboldened by the same open-source tools and the same AI assistance, ships a third independent family with entirely new infrastructure and zero shared indicators before defenders finish updating signatures for this one, the detection clock resets to zero.