
Russian police bust bank-account hacking gang that used NFCGate-based malware

Russian police said they have dismantled a criminal group that stole millions from bank customers using malware built on NFCGate, a legitimate open-source tool increasingly exploited by cybercriminals worldwide.

According to Russia’s Interior Ministry, police detained several suspected members of the group — including the developer and main administrator of the malicious tool — late last week. The ministry did not identify the malware variant.

Interior Ministry spokesperson Irina Volk, who announced the arrests Friday on her Telegram channel, said the tool enabled remote thefts from bank cards “across nearly all of Russia.” Preliminary losses exceed 200 million rubles (about $2.6 million).

The malicious mobile application was distributed through WhatsApp and Telegram and disguised as software from legitimate banks. Victims were first contacted by phone and persuaded to install a fraudulent banking app.

During the fake “authorization” process, they were instructed to hold their bank card to the back of their smartphone and enter their PIN — a step that allowed attackers to harvest card credentials and withdraw funds from ATMs anywhere in the country without the cardholder’s involvement.

Investigators are still working to identify the full network behind the scheme, Volk said.

NFCGate, designed to relay NFC data between nearby devices, has become a favored tool for financial-theft malware because it allows attackers to emulate victims’ cards. Its misuse has escalated in recent years, with researchers documenting increasingly sophisticated variants in and beyond Russia.

Earlier this year, a Russian cybersecurity firm reported the country’s first data-stealing attacks using a modified version of NFCGate dubbed SuperCard, which was also deployed against bank customers in Italy.

According to Russian security company F6, at least 1.6 billion rubles (roughly $18 million) had been stolen from Russian customers by the end of 2025 using various NFCGate-based malware strains.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.