As the Philippines rapidly embraces digital wallets and contactless payment systems, it is facing a parallel rise in sophisticated cybercrime—particularly from China-based actors exploiting Near Field Communication (NFC) technologies. According to threat intelligence firm Resecurity®, the country has become a major hotspot for cybercriminals using cloned card data, NFC-enabled point-of-sale (POS) terminals, and Telegram bots to commit large-scale fraud.
TransUnion Philippines reported that the suspected digital fraud rate in the country reached 13.4% in 2024, which is 148% higher than the global average of 5.4%. Approximately 74% of Filipinos have reported being targeted by fraud attempts, with victims who suffered financial losses losing an average of 44,700 Philippine pesos (PHP).
While consumer losses are concerning, the bigger threat lies in the systemic risk posed to businesses and the overall digital economy, as some fraud operations are causing millions of pesos in damages through identity theft, fake merchant setups, and laundering schemes.
Telegram Bots, Smishing Kits, and Dark Web Markets Fuel Fraud Ecosystem
Resecurity’s investigations found that Chinese-speaking cybercriminals are managing numerous Telegram bots and underground credit card shops, many of which list Filipino credit cards and mobile wallet accounts. Bots like “Lita’s Shop” and “Panda Shop” offer automated access to stolen data and fraud services, functioning through both the surface web and the Dark Web.
These bots allow users to:
- Search compromised card data by country and issuing bank
- Perform micro-transactions to test card validity
- Purchase credentials for use in fraudulent POS transactions or e-wallet logins
One Telegram shop was found to have over 7,741 compromised Philippine-issued cards for sale. Another underground forum had 5,869 listings at the time of reporting. Many of these tools originated from groups like the Smishing Triad, which operates a Crime-as-a-Service model that enables other cybercriminals to scale smishing and NFC fraud globally.
Additionally, Resecurity observed increased collaboration between Chinese hackers and local organized crime in the Philippines to recruit money mules, who open digital accounts used for laundering stolen funds.
GCash, Maya, and Local POS Systems in the Crosshairs
Digital payment platforms like GCash, Maya (formerly PayMaya), and GoTyme have been identified as primary targets. These services offer NFC-enabled payment cards and tap-to-pay features, making them attractive to criminals exploiting Host Card Emulation (HCE) techniques.
Using tools like Z-NFC, SuperCard X, and Track2NFC, attackers can:
- Clone card data
- Emulate legitimate payment behavior
- Conduct low-value, PIN-less transactions to avoid detection
Job Portal Turned Data Trap: 248,725 Records from Brazil’s CIEE Leaked by Hacker ‘888’
Resecurity also flagged POS terminals as a major laundering vehicle. Terminals—often registered under fake businesses or with eSIM capabilities—are deployed in restaurants and retail outlets to simulate legitimate transactions. Some are capable of processing up to $80,000 per day in fraudulent payments.
These POS devices are often pre-configured with malicious software and distributed to accomplices in the Philippines who act as insiders, enabling theft and laundering to proceed undetected within normal transaction flows.
Recommendations to Combat NFC and E-Wallet Fraud
To counteract this growing threat, Resecurity and local experts urge regulators, financial institutions, and service providers to implement stronger safeguards:
- Merchant Onboarding: Enforce strict identity verification, geolocation checks, and risk profiling for businesses registering for POS terminals.
- Behavioral Analytics: Use AI and machine learning to detect transaction anomalies, such as repeated micro-payments or region-specific spending spikes.
- Public-Private Intelligence Sharing: Establish deeper coordination between the Bangko Sentral ng Pilipinas (BSP), Cybercrime Investigation and Coordinating Center (CICC), and digital wallet providers.
- Dark Web Monitoring: Deploy threat intelligence tools to track chatter about Philippine card data and compromised merchants.
- Consumer Education: Raise awareness about secure NFC practices, phishing traps, and the risks of linking wallets to unsecured apps or networks.
Resecurity continues to support the region by providing real-time threat detection, dark web insights, and tailored advisory services to financial institutions and government stakeholders.
As cybercriminals evolve their techniques, the Philippines must respond with intelligence-driven security across its financial infrastructure. With digital wallets and NFC payments becoming mainstream, urgent steps are needed to reinforce trust in these systems. The rise of Chinese cybercrime in Southeast Asia highlights the geopolitical dimension of digital fraud—making cybersecurity not just a technical issue, but a national priority.