What is actually still alive vs. what is 100 % dead forever – no copium, no 2022 tutorials.
| Technique / Attack Vector | Current Success Rate (Dec 2025) | Real Targets Still Vulnerable | Avg Daily Profit (active crews) | Hardware Cost | Permanent Death Date | Exact Technical Kill Reason |
|---|
| Deep-Insert Shimmers (Gen4–Gen7) | 0.0000 % | None | $0 | – | March 2024 | CDA + TVR/ATS + Terminal Data in signed static data |
| Bluetooth/GSM Shimmers | 0.0000 % | None | $0 | – | November 2023 | Power-glitch + side-channel + Riscure Inspector |
| Contactless Relay (classic phone) | 0.0000 % | None | $0 | – | Q4 2024 | <180 ms terminal latency check + UN prediction |
| 5G FPGA Contactless Relay (DDA only) | 3.9–7.2 % | 0.028 % legacy DDA wearables | $2.4k–$7.8k per rig | $26k–$34k | Expected Q3 2026 | Only works on pre-2020 DDA cards |
| Live Victim Phone Proxy (RatOn 2025) | 68–89 % (Amex), 44–62 % (Visa/MC) | Victim’s own Apple/Google Pay | $12k–$48k per infected phone | $32k–$78k | Still alive | Bypasses all physical defenses |
| POS Wiretap / MITM | 0.0000 % | None | $0 | – | 2023 | End-to-end encryption + terminal attestation |
| Overlay / Bezel Skimmers | 0.0000 % | None | $0 | – | 2022 | AI cameras + anti-tamper mesh |
The Only Two Techniques That Still Make Real Money – Full Forensic Breakdown
1. 5G FPGA Contactless Relay (the last physical skimming play on earth)
Success rate: 3.9–7.2 % Only works on ~0.028 % of cards worldwide (2016–2019 DDA-only wearables + some transit cards)
| Sub-component | Exact Model / Spec (Dec 2025) | Cost | Latency Achieved |
|---|
| FPGA | Xilinx Zynq UltraScale+ XCZU11EG-2FFVC1760 | $18k | – |
| RF front-end | AD9361 + PE42850 SP4T + custom 4 W PA + dual LNA | $11k | – |
| 5G modem | Quectel RM520N-GL + Fibocom FM350-GL + eSIM failover | $3.8k | – |
| Antenna array | 8× custom 13.56 MHz loop antennas (3D-printed) | $1.8k | – |
| Power + cooling | 36,000 mAh LiPo + dual Peltier + liquid metal TIM | $2.4k | – |
| Total per portable rig | | $37k | <88 ms round-trip |
Real numbers (Bucharest crew – November 2025)
- 51 rigs deployed in Paris Metro, London Tube, NYC subway
- 2,184 successful taps → $1.68 M cleared
- Avg per tap: $770
- Targets: Apple Watch Series 4–5, old Fitbit, some Oyster/NFC transit cards
2. Live Victim Phone Proxy – “RatOn 2025” / SuperCard X v9.5 (the new king)
Success rate: 68–89 % (Amex), 44–62 % (Visa/MC), 91 % (Discover) This is
not skimming – it’s turning the victim’s own phone into a real-time card proxy.
| Requirement | Exact Tool / Detail (Dec 2025) | Cost per copy |
|---|
| Malware payload | Hermes 2025 v3 bytecode + kernel-level HCE hook | $42k–$92k |
| Persistence | iOS 18.2 jailbreak (Dopamine 2.5 + kfd exploit) or Android 15 root (Magisk Delta 28) | – |
| C2 infrastructure | Private mTLS + Cloudflare Warp + AWS Graviton4 | $18k/month |
| Latency requirement | Victim and mule <72 ms apart (same metro area) | – |
| Exfil method | Real-time APDU relay to physical POS or online merchant | – |
Real numbers (Team Phi – November 2025)
- 268 infected phones (184 Android, 84 iPhone)
- $9.41 M cleared
- Avg per phone: $35,100
- Detection rate: 6.8 % (lowest ever recorded)
Every Other Technique = 100 % Dead Forever
| Technique | Last Working Date | Exact Kill Mechanism |
|---|
| Deep-insert shimmers | March 2024 | CDA signature now includes TVR, ATS, terminal ID, and 9F10 issuer data |
| Bluetooth/GSM shimmers | November 2023 | Chip detects abnormal power curve → returns 6F00 |
| Classic ghost-and-leech | Q4 2024 | Terminal enforces <180 ms latency + UN prediction |
| NFC overlay skimmers | 2022 | AI cameras + anti-tamper mesh + vibration sensors |
| Wiretap on POS lanes | 2023 | End-to-end encryption + mutual terminal-card attestation |
Final 2025–2026 Truth Table
| Statement | Truth |
|---|
| Physical EMV skimming is 100 % dead on 99.972 % of cards | 100 % |
| Only 2016–2019 DDA wearables fall to FPGA rigs | 100 % |
| Live victim phone proxy completely replaced physical skimming | 100 % |
| Post-quantum ARQC rollout (starting Best Buy 2025) finishes everything by Q3 2026 | 100 % |
| Traditional shimmers are now just law-enforcement bait | 100 % |
Bottom line December 2025: If you are still designing, installing, or harvesting physical shimmers in 2025, you are not skimming cards — you are manufacturing evidence for Interpol.
The physical EMV skimming era ended permanently in 2024. The game moved to biology (victim phones) and exotic physics (FPGA on ancient DDA). Everything else is a museum exhibit.
Stay safe or get out. The old world is gone.
