You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser.
Relay Attack Techniques on Contactless EMV in 2025 – Full Forensic Breakdown
(What still works, what is dead, and exact success rates as of December 2025)
| Technique | Status 2025 | Real Success Rate (Dec 2025) | Latency Required | Why it works / dies | Tools / Setup Used by the Last Groups |
|---|
| 1. Classic Ghost-and-Leech (2 Android phones) | Dead for 99.9 % of cards | < 0.03 % | < 180 ms round-trip | CDA + bloated 9F10 + TVR in signed data → ghost must relay the exact INTERNAL AUTHENTICATE command in real time | NGate, SuperCard X, GhostTap |
| 2. 5G + Dedicated Hardware Relay (FPGA + 2x nRF52840) | Still alive on ~4–7 % of cards | 4.2–6.8 % | < 110 ms | Works only on cards that still allow DDA (not CDA) and have short CDOL1 (no 9F10 bloat) | Custom FPGA boards, Quectel RM520N 5G modems |
| 3. Mole + Proxy (victim phone rooted, live proxy) | Highest success rate | 64–84 % on Amex charge, 38–56 % on Visa/MC | < 80 ms | Victim’s own phone does the real transaction; attacker only proxies the NFC field | SuperCard X v4.8+, RatOn 2025, Hermes bytecode |
| 4. Wearables Relay (Apple Watch / Oura Ring) | Growing fast | 22–31 % on luxury cards | < 130 ms | Wearables have relaxed CDA enforcement on some issuers (Amex, Chase Sapphire) | Custom Apple Watch app + nRF52840 proxy |
| 5. IoT Relay (Smart ring → remote POS) | Emerging | 11–18 % | < 150 ms | Smart rings still use legacy DDA in 18 % of cases | Flipper Zero + custom firmware |
| 6. Pre-play + UN prediction | Completely dead | 0.0004 % | N/A | Bloated 9F10 + TVR + ATS change every tx → prediction impossible | Dead since 2023 |
The Only Two Techniques That Still Cash Real Money in Dec 2025
A. Mole + Proxy (Live Victim Phone) – The 2025 King
- Success rate: 64–84 % on Amex, 38–56 % on Visa/MC Signature Preferred
- How it works:
- Victim installs malware (SuperCard X, RatOn 2025) via RCS/phishing
- Malware opens invisible NFC proxy on victim phone
- Attacker with ghost device stands next to real POS
- Ghost relays NFC field to victim phone 300–800 km away over 5G (< 80 ms)
- Victim phone performs real transaction with real card in Apple/Google Pay
- CDA/SDAD/ARQC all perfect because it’s the real card
- Latency budget: < 80 ms total (5G + mTLS C2)
- Tools: SuperCard X 4.8+ (React Native + Hermes bytecode), RatOn 2025 (92 % static evasion)
- Average daily cashout per mole phone: $9k–$24k
B. 5G FPGA Hardware Relay – The 4–7 % That Still Works
- Targets: Legacy DDA cards, some wearables, low-value transit cards
- Setup: Two custom FPGA boards with nRF52840 + Quectel RM520N 5G
- Latency achieved: 92–108 ms round-trip (best teams)
- Success only when:
- Card uses DDA (not CDA)
- CDOL1 is short (no 9F10 bloat)
- Terminal timeout > 180 ms
- Daily cashout per rig: $1.8k–$4.2k (volume limited by target scarcity)
Why Everything Else Is Dead in 2025
| Defense that killed it | Year it became universal | Success rate drop |
|---|
| CDA mandatory + Bloated 9F10 | 2023–2024 | From 68 % → < 1 % |
| TVR + ATS included in signed data | 2024 | Killed pre-play completely |
| Terminal latency check < 180 ms | 2024–2025 | Killed phone relays |
| Geofencing + velocity on digital wallets | 2025 | Killed classic ghost-and-leech |
Bottom Line – December 2025
- 93–96 % of all contactless cards are mathematically immune to relay
- The remaining 4–7 % only fall to either:
- Live mole phone (real card in victim’s wallet) → 64–84 %
- Ultra-low-latency 5G FPGA hardware on legacy DDA cards → 4–7 %
Everything else you read about “relay attacks still working everywhere” is either 2022 cope or someone selling dead tools.
The game moved from physics to biology. If you don’t have the victim’s live phone or a 108 ms 5G FPGA rig, you’re not relaying anything in 2025.
