
In Tennessee and California, Chinese nationals have been arrested on suspicion of orchestrating a new contactless fraud scheme involving mobile wallets. Authorities report that the wallets were created via online phishing campaigns, and transactions were carried out using a specialized Android application capable of transmitting signals from devices located in China.
In Knoxville, police apprehended eleven individuals who had been purchasing gift cards worth tens of thousands of dollars from local retailers. All transactions were executed through mobile wallets linked to stolen banking credentials. The Knox County Sheriff’s Office stated that these arrests mark the first of their kind in the United States involving this method of fraud.
According to Deputy Bernie Lyon, the suspects had been traveling across the country, making repeated purchases with various compromised cards. During the raid, officers seized more than $23,000 in gift cards, all purchased using stolen financial data from unsuspecting victims. Lyon also confirmed that “the perpetrators used Android devices to perform transactions via Apple Pay” using compromised or stolen cards.
The precise workings of the scheme remain undisclosed, as the investigation is ongoing. However, cybersecurity experts have noted the rarity of such cases, as Android devices typically do not interface with Apple Pay unless modified with custom software. A particular application named Z-NFC had previously been mentioned in reports linked to Chinese phishing syndicates involved in carding operations.
The scheme begins with phishing messages, often masquerading as notifications from postal services or toll authorities, requesting minor payments. These messages are delivered not via standard SMS, but through iMessage and RCS—channels that help evade telecom filters. Once victims input their card details, the fraudsters immediately initiate a request to bind the card to a new mobile wallet. The bank then sends a one-time passcode, and if the victim enters it, the card falls fully under the attackers’ control.
Each device can host between five and ten such wallets. These phones are then sold in bulk via Telegram. Experts have confirmed the existence of the Z-NFC Android app, which enables remote emulation of payment transactions: the user simply brings the phone near a terminal, and the app relays the signal to a device in China, where the actual data transfer takes place. The software is marketed at $500 per month and includes 24/7 technical support.
On March 16, ABC10 reported a similar incident in Sacramento, where two Chinese nationals attempted to use the app to purchase gift cards at Target, cycling through more than 80 stolen cards. Despite the majority of transactions being declined, they managed to buy $1,400 worth of gift cards. Upon arrest, they admitted to earning $250 per day for these operations.
CBS News added that one individual had tried to use 42 cards—32 were declined, but he still managed to spend $855. His accomplice tested 48 cards, of which 11 succeeded, allowing him to make an additional $633 in purchases.
Experts believe the high failure rate of transactions may be attributed to banks becoming more adept at detecting such schemes or the cards already being flagged as suspicious. In some instances, these “operators” are simply dispatched into the field to test which cards remain active.
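The pattern in the Sacramento reports (many different wallet cards tried at one register, most of them declined) can be flagged from point-of-sale authorization logs. The sketch below is an added example, not taken from the article or the investigation; the log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window per terminal
MIN_CARDS = 5                    # assumed: distinct wallet cards seen in window
MIN_DECLINE_RATIO = 0.5          # assumed: share of attempts that were declined

def parse(line):
    """Parse 'ISO-time terminal card_token entry_mode result amount'."""
    ts, terminal, token, mode, result, amount = line.split()
    return datetime.fromisoformat(ts), terminal, token, mode, result, float(amount)

def find_card_cycling(lines):
    """Return {terminal: details} for terminals where many distinct wallet
    cards are tried within WINDOW and most of the attempts are declined."""
    recent = {}   # terminal -> deque of (ts, token, result) inside the window
    alerts = {}   # terminal -> details of the first alert raised
    for ts, terminal, token, mode, result, _ in sorted(map(parse, lines)):
        if mode != "wallet_nfc":          # only contactless wallet taps
            continue
        q = recent.setdefault(terminal, deque())
        q.append((ts, token, result))
        while ts - q[0][0] > WINDOW:      # drop events older than the window
            q.popleft()
        cards = {tok for _, tok, _ in q}
        declined = sum(1 for _, _, res in q if res == "DECLINED")
        if (len(cards) >= MIN_CARDS and declined / len(q) >= MIN_DECLINE_RATIO
                and terminal not in alerts):
            alerts[terminal] = {"at": ts, "cards": len(cards),
                                "declined": declined, "attempts": len(q)}
    return alerts

# Constructed sample: T-07 sees one shopper cycling cards, T-02 normal traffic.
_BASE = datetime(2025, 3, 1, 14, 0)
_T07 = ["DECLINED", "DECLINED", "APPROVED", "DECLINED",
        "DECLINED", "DECLINED", "APPROVED", "DECLINED"]
SAMPLE = [
    f"{(_BASE + timedelta(minutes=2 * i)).isoformat()} T-07 tok{i:02d} wallet_nfc {r} 100.00"
    for i, r in enumerate(_T07)
] + [
    f"{(_BASE + timedelta(minutes=3 * i)).isoformat()} T-02 shop{i:02d} wallet_nfc APPROVED 23.50"
    for i in range(8)
]

if __name__ == "__main__":
    for terminal, info in find_card_cycling(SAMPLE).items():
        print(terminal, info)
```

The decline-ratio condition is what separates this from a busy checkout lane, where many distinct cards appear but nearly all are approved.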
Recruitment for such roles is widespread on social media platforms, including TikTok. In Telegram channels linked to phishing operations, the process is run manually: real-time operators manage phishing websites while mass messages are distributed. These groups often use racks stacked with dozens of iPhones and Android devices to simultaneously send messages and process responses. This setup ensures they can promptly capture and utilize one-time codes—whose validity often lasts only a few fleeting minutes.