Good Carder
Professional
- Messages
- 751
- Reaction score
- 493
- Points
- 63
From carder to carders. In 2027, classic carding with valid CVVs and address verification is slowly but surely dying. Europe is strangled by 3DS, the US is tightening the screws with AVS and BIN filtering, and Asian banks are switching to chip and biometrics. But the real pros aren't crying; they've simply changed their target. They've gone where the money flows and where security still relies on trust and a little luck: mobile payment apps.
In this article, I'll examine the three main attack targets of 2027: African giant M-Pesa, American favorite CashApp, and Indian veteran Paytm (Paytm Payments Bank). You'll learn about SIM swapping, social engineering, UPI vulnerabilities, NFC relay, and, of course, where to find drops and how to quickly withdraw money. I'll tell you what's happening in practice.
Part 1. M-Pesa (Kenya, Tanzania): The King of Mobile Money and Its Weaknesses
M-Pesa is a USSD-based mobile wallet that works on any phone, including basic handsets that are not smartphones. It processes 138 million transactions daily, making it a financial engine for millions of Africans. However, its security still rests on three pillars: a secret PIN, SMS transaction confirmation, and the hope that no one learns the answers to the security questions.
1.1. SIM swapping: a classic that still works
In April 2024, my father became the victim of a SIM swap, but with a twist. A relative working for the operator took his SIM card and, through a friend at Safaricom, gained unauthorized access. In 2026–2027, corruption in telecom companies remains a key attack vector: insiders, either for money or through connections, reissue the victim's SIM card. The victim's phone loses network coverage, while the carder gains control of the phone number and all SMS messages, including one-time passwords.
Here's how:
- Find an employee in a major telecom market or find an insider within a telecom company through recruitment forums. In 2025–2026, darknet forums offered access to subscriber databases starting at $500 per entry.
- Obtaining a SIM card (often requires a photocopy of your passport and cash payment). In Kenya, Safaricom and Airtel are trying to combat this, but authentication rates are still low.
- On behalf of the victim, log into M-Pesa using the standard USSD code and transfer funds to a pre-arranged drop account, then to a crypto wallet. The maximum is 250,000 Kenyan shillings (~$2,000) per transaction, with a daily cap of 500,000 shillings.
1.2. Social engineering through notification forgery
The most common and simplest method is to deceive the victim directly.
When you transfer money, M-Pesa sends an SMS notification containing the sender's phone number (e.g., 0722XXXXXX). In March 2026, Safaricom implemented partial number masking, but many victims still click on dubious links. The carder copies the number from the SMS and later calls, posing as a customer service representative: "Hello, we've recorded a suspicious transaction on your account. Please provide your PIN to cancel it." If the victim gives up the PIN, the carder transfers the money via USSD. The tactic is so widespread that 46% of Kenyan consumers report having received fraudulent calls, text messages, or online messages.
1.3. Agent clones and "magical" means
Physical M-Pesa agent points (kiosks where you can deposit and withdraw cash) are another weak point. A rogue agent could install a cloned device in their garage, impersonating a legitimate terminal.
In practice, an attack on an M-Pesa agent looks like this:
- Infiltration. A carder, posing as a client looking to exchange currency, initiates a conversation with an agent and distracts them for a while.
- Chemical exposure. A distracting conversation is accompanied by the release of a colorless, odorless aerosol that disrupts the worker's attention. In this state, the victim transfers money without realizing it.
- Disappearance. The carders leave, and a few minutes later the employee discovers that over 40,000 Kenyan shillings (~$300) have been debited from the account. Several agents in Kenya have already been hit by this method, in Mombasa, Nairobi, and Eldoret.
Carder's takeaway: SIM swapping is still effective if you have access to a telecom insider. Social engineering via fake SMS and phone calls is the easiest way to cash out. Physically attacking an M-Pesa agent is dangerous, but it's suitable for carders with a local presence in Kenya.
Withdrawal scheme: M-Pesa → front man's bank account → crypto wallet without KYC. Use front men in Nairobi, who, for a 20-30% commission, will cash out funds on the spot and transfer them to USDT via P2P.
Trends 2027: Safaricom is implementing number masking in notifications, but even so, many gullible users still fall for the scam. SIM swapping is becoming more expensive, but remains a viable tool.
1.4. M-Pesa attack protection
To enhance M-Pesa security, the following measures have been implemented:
- Phone number masking. Since March 24, 2026, M-Pesa has partially masked sender numbers in notifications (for example, 0722*000** instead of the full number) to stop carders from harvesting numbers for spam and phishing.
- Verification service. Clients can forward a suspicious SMS notification to the short number 334 to verify the payment's legitimacy in the system. The service returns confirmation of the transaction's validity.
- Enhanced authentication for large amounts. For transfers exceeding the established limit, the system may request an additional PIN or limit the number of transactions per day.
Part 2. CashApp (USA): A Peer-to-Peer Wallet Without Buyer Protection
CashApp is an American P2P service owned by Block (formerly Square). With 57 million monthly active users and estimated annual fraud losses in the hundreds of millions of dollars, it's an ideal target for carders. In 2026, CashApp remains one of the most popular services in the US, but its security is increasingly questionable.
2.1. Features: instantaneity and irreversibility
CashApp's main weakness is that payments are instant and, as a rule, irreversible. When you send money, it arrives in the recipient's account in real time. Once the recipient withdraws it to a bank account or as cash, recovering the funds is virtually impossible.
The refund process through customer support is lengthy, and the automatic protection system is too passive.
2.2. Account Takeover Attack
The simplest and most effective method is account takeover through credential stuffing.
In 2025, carders learned to run mass login attempts using stolen login/password databases. If a user reuses the same password on multiple websites, hackers can easily log into their CashApp account, change the password, transfer funds to a controlled drop account, and instantly withdraw them. Without two-factor authentication, the chances of success are 70-80%.
Version 2.0 with SIM card swapping: If the account is protected by 2FA via SMS, carders resort to SIM swapping (an already proven scheme involving an insider in telecoms). Having gained access to the victim's phone number, they reset the password, log in to the account, and withdraw the funds.
2.3. Mass money farming through mules
Carders find naive people (often students) in the US or UK and promise them an "easy commission" for "helping cash out crypto."
The scheme is simple:
- You agree with the drop on a commission (usually 20%).
- Gain access to the victim's stolen CashApp account.
- Transfer funds to the drop account.
- The drop withdraws them to their bank card and transfers cryptocurrency (USDT, XMR) to you. They deduct the commission from the transfer.
By 2026, CashApp had tightened sanctions against such schemes: it blocked withdrawals from accounts with suspicious turnover and required verification for transfers over $2,000 per day. However, small transactions go unnoticed.
2.4. A Real Case: How One Veteran Lost $5,902
In December 2025, a veteran from Chicago noticed CashApp debits that had escaped his attention; in total, $5,902 had been taken. CashApp confirmed the account had been hacked, but Navy Federal Credit Union rejected the refund, citing "no error." Only after media intervention was the case reconsidered.
Takeaway for carders: withdraw funds within minutes of a CashApp account being hacked. The longer the funds sit in the account, the higher the chance the victim notices the loss and blocks the card. Use temporary drop accounts with minimal history. Avoid long pauses: CashApp blocks accounts if it suspects an anomaly.
2.5. Technical Vulnerabilities: Fake Overlays and Reverse Engineering
While CashApp encrypts data at rest and in transit, carders don't crack the cryptography; they attack the user.
- Overlay: The carder creates an app that displays a fake password entry window on top of the CashApp interface. The victim enters data into the fake window, and it is sent to the carder's server. This is most common with Android Trojans such as Anatsa and Vultur.
- Social engineering in messaging apps: The victim receives a message from "CashApp support" asking them to confirm their account by clicking a link. The link leads to a fake website that mimics the real one. The victim enters their credentials, and the carder gains access.
2.6 Legislative Protection: CFPB and Precedents
Thanks to the CFPB (Consumer Financial Protection Bureau), CashApp was ordered to pay $175 million for weak fraud protocols and inadequate user support. Under Regulation E, a victim who reports the compromise within two business days is liable for at most $50; if the report comes later, but within 60 days of the statement showing the transfer, the cap rises to $500. Proving a hack and receiving compensation is very difficult in practice: the vast majority of claims (according to internal data) are still rejected.
2.7. Protection against CashApp attacks
- Secure Protocols: CashApp supports 256-bit encryption and is PCI DSS Level 1 compliant.
- Multi-factor authentication: It is recommended to use biometric lock (Face ID/Touch ID).
- Regulatory changes: Since February 2026, CashApp has been notifying users of potential risks, but the legal practice of refunding funds remains complex.
Part 3. Paytm Payments Bank (India): UPI, License, and Collapse
Paytm was once a leading pioneer of digital payments in India. By 2027, a turning point had arrived. On April 24, 2026, the RBI (Reserve Bank of India) revoked the banking license of Paytm Payments Bank (PPBL). The company had failed to align its operations with regulatory requirements and risks: most of its share capital was concentrated in related parties, and audits revealed that customers were transferring money through virtual accounts, circumventing existing regulations.
For carders, this means that UPI security is now uncertain, and the regulator has dealt a powerful blow to the entire ecosystem.
3.1. UPI Vulnerabilities: SIM Linking vs. "Digital Lutera"
UPI's primary security mechanism is SIM binding. The system verifies the phone's IMEI and the SIM card's ICCID to identify the device; the idea is one phone number, one device, so an attempt to register on someone else's phone should be rejected.
But the "Digital Lutera" attack bypasses this protection. This technology, distributed through Telegram channels (at least 20 active groups with over 100 members), allows manipulation of Android system functions at the firmware level. The victim installs a fake APK (disguised as a speeding ticket or wedding invitation), which intercepts SMS messages containing one-time passwords. Using a special Android framework tool, the carder replaces the phone's identifier with their own and activates someone else's UPI account on a completely new device, even if the original SIM card is still in the victim's phone. During tests, one group processed transactions worth ₹25–30 lakh (~$30,000–36,000) in just two days.
3.2 RBI Regulatory Sanctions and PPBL Closure
Paytm Payments Bank's banking license has been revoked, which changes the threat landscape:
- PPBL is unable to accept new deposits or conduct most banking transactions. While the Paytm app continues to function (UPI, QR codes, gateways), cash withdrawals have become riskier.
- Tighter controls by the RBI and other partner banks have led to more frequent blocking of suspicious transfers and the requirement for additional verification.
3.3. Major Data Leaks and Internal Access
Unlike M-Pesa and CashApp, Paytm Payments Bank has been thoroughly scrutinized. Its vast customer base leaked to shadow markets long ago. With access to a customer's full data (name, passport, address, account number), one could attempt to forge documents and register a new payment instrument in their name.
3.4. Cash withdrawal schemes through Paytm
- Traditional UPI transfer to a drop account: transfer funds via UPI to a dummy account, which then converts them into cryptocurrency. Difficulty: High risk of AML detection.
- Creating fake Paytm accounts for withdrawals: register a fake business account using stolen credentials, accept money from victims as "payment for services," and withdraw it to fake cards.
- Exploiting a vulnerability in QR code payments: Pay for purchases in stores from fake Paytm accounts using a generated dynamic QR code.
3.5. Paytm and UPI attack protection
Although PPBL's license has been revoked, the UPI protocol itself remains operational, and carders are actively searching for new vulnerabilities. Key security recommendations:
- Limit the use of Paytm for large transactions and withdrawals, as regulatory risks are high.
- Monitor security updates from NPCI (National Payments Corporation of India), the UPI development center, which may strengthen SIM linking and other security measures.
Part 4. Mobile Banking Trojans: A Versatile Weapon
Anatsa, Vultur, Massiv, TrickMo, TsarBot: this malware indiscriminately steals money from M-Pesa, CashApp, and Paytm users. Their number is growing rapidly, and with it the risks. In 2025, Zimperium tracked 34 active malware families targeting 1,243 financial institutions in 90 countries. Transactions initiated by Android malware increased by 67% year-on-year.
4.1. Anatsa: the king of banking Trojans
Anatsa (also known as TeaBot) is one of the most dangerous and widespread Android banking malware families. It reaches devices via downloaders (droppers) on Google Play disguised as PDF and document readers. In April 2026, a reader app with over 10,000 installs fetched Anatsa after being granted accessibility permissions.
Once installed, the malware requests access to Android accessibility services. If the user agrees, Anatsa gains full control of the device: it takes screenshots, intercepts keyboard input, reads one-time SMS codes, and replaces banking app screens. Using fake overlays, it tricks victims into entering logins, passwords, and even PINs, after which it initiates transfers to drop accounts.
4.2. Ghost Tapped – NFC Relay for POS Terminals
This Trojan turns the victim's phone into a payment relay over NFC. First, the victim is persuaded to install a fake banking app that requests NFC permission. The card data the victim's phone emits over NFC is then relayed to a terminal in a store, where the purchase is made. From November 2024 to August 2025, a single POS terminal processed $355,000 in illegal transactions. There are over 54 known variants of Ghost Tapped, and several Telegram channels actively sell the tool. Thousands of devices worldwide have been infected, and police have already made arrests in the US, Singapore, the Czech Republic, and Malaysia.
4.3. Vultur, Massiv, TrickMo, and others
- Vultur: New versions intercept calls, remotely control phones, and block uninstall attempts. It's distributed through over 800 apps on Google Play.
- Massiv: Disguises itself as IPTV applications, attacks Portuguese and Greek applications, and is capable of remote device control and screen hijacking for banking transactions.
- TrickMo: A reworked variant (discovered January–February 2026) with an improved mechanism for taking control of a device.
4.4 Distribution via Google Play
All of these Trojans actively infiltrate official app stores via downloaders that imitate legitimate software. They bypass moderation by activating malicious features only after downloading additional components from their own servers. To protect against such attacks, you need to:
- Carefully check the permissions requested by applications and install applications only from trusted sources.
- Use antivirus software with the function of detecting banking Trojans.
- Update your operating system and applications regularly.
4.5. Consequences for us
Mobile Trojans are no longer lab experiments but a global industry with clear business models. They are scalable: Trojans target hundreds of apps, automate the theft of passwords and codes, and provide remote control over devices. Even the average carder can purchase a ready-made Trojan on shadow forums for $500–$2,000, receiving a dashboard for managing infected devices and withdrawing funds. Telegram channels are already selling such tools.
However, the main problem for carders is cashing out. If a Trojan infects a device in Kenya (M-Pesa), a local bank account or a drop is needed. CashApp requires a US drop. The more complex the region, the more expensive the service (20–40% of the total). Paytm requires Indian mules who withdraw cash from ATMs. Malware by itself is almost useless without human infrastructure. So first build a network of drops, and only then buy Trojans.
Part 5. OPSEC Checklist for Attacks on Mobile Payment Apps
Before the attack:
- Learn regional specifics. M-Pesa requires drops in Kenya, CashApp in the US, and Paytm in India. Drops in the US are more expensive, but transfer limits are higher.
- Find a telecom insider. SIM swapping through an insider is the most reliable way to hack M-Pesa and CashApp.
- Buy a ready-made Trojan or find a dropper. Anatsa, Vultur, and Ghost Tapped are available on darknet forums. Don't just grab the first one you see — go for one that's open source and guaranteed.
- Prepare drop accounts. For M-Pesa, use an Equity or KCB bank account. For CashApp, use a pool of accounts with minimal history. For Paytm, use a pre-existing account with verified UPI.
- Use a VPN or proxy. For Kenyan transactions, you'll need a Kenyan IP (e.g., Safaricom's mobile proxy). For US transactions, use a US residential proxy. For Indian transactions, use an Indian IP.
During the attack:
- Act quickly. After gaining access to your M-Pesa account, withdraw funds within 5-10 minutes. After a CashApp hack, withdraw funds within 2-3 minutes.
- Split amounts. One M-Pesa transaction: up to 250,000 Kenyan shillings (~$2,000). One CashApp transfer: up to $2,000. One UPI transfer: up to ₹1,00,000 (~$1,200). If you need more, use multiple drops.
- Use a crypto intermediary. Transfer funds through a KYC-free crypto wallet (Monero, USDT on Trust Wallet), then to a P2P platform. This breaks the chain.
- Don't reveal too much. Don't save screenshots or post results in public chats.
After the attack:
- Wipe away traces. Remove the Trojan from the victim's phone (if used), clear the logs.
- Change your IP and proxy. Don't use the same infrastructure for the next attack.
- Cash out your crypto. Use P2P platforms (LocalMonero, AgoraDesk, NoOnes) with sellers who don't require KYC.
- Hide the droppers. If a dropper suspects something is wrong, burn the account and find a new one.
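Seen from the platform's side, the takeover chain in 2.2 (password reset or phone-number change, new-device login, then an immediate outbound transfer to a fresh recipient) and the "split amounts" habit in the checklist above are two of the cleanest signals a payment app can alert on. The following detection logic is an added example written for this edit; it is not code from the original post, from Block, Safaricom, or NPCI, and the event schema, thresholds, and sample events are all constructed for illustration.

```python
"""Two detection rules over a constructed stream of payment-app events.

Rule 1 (ato_cashout_alerts): an outbound transfer shortly after a phone change,
password reset, or new-device login, the sequence an account takeover produces.
Rule 2 (structuring_alerts): several transfers each just under a per-transfer
limit inside a short window, the "split amounts" pattern.
Event schema and all thresholds are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str                    # phone_change | password_reset | login_new_device | transfer_out
    amount: float = 0.0          # transfer_out only
    recipient: str = ""          # transfer_out only
    recipient_age_days: int = 0  # days since this recipient was first paid by this user


SENSITIVE = {"phone_change", "password_reset", "login_new_device"}


def _by_user(events):
    """Group events per user, each group sorted by timestamp."""
    grouped = {}
    for e in sorted(events, key=lambda e: e.ts):
        grouped.setdefault(e.user, []).append(e)
    return grouped


def ato_cashout_alerts(events, window=timedelta(minutes=30), min_amount=100.0):
    """Return [(user, transfer, sensitive_kinds, risk)] for transfers that follow
    at least one sensitive account event within `window`."""
    alerts = []
    for user, evs in _by_user(events).items():
        recent = []  # sensitive events still inside the window
        for e in evs:
            recent = [r for r in recent if e.ts - r.ts <= window]
            if e.kind in SENSITIVE:
                recent.append(e)
            elif e.kind == "transfer_out" and recent and e.amount >= min_amount:
                kinds = sorted({r.kind for r in recent})
                # one point per distinct precursor, one more for a recipient newer than a week
                risk = len(kinds) + (1 if e.recipient_age_days < 7 else 0)
                alerts.append((user, e, kinds, risk))
    return alerts


def structuring_alerts(events, threshold=2000.0, margin=0.15,
                       window=timedelta(hours=24), min_count=3):
    """Return [(user, count, total)] for users sending >= min_count transfers, each
    within `margin` below `threshold`, inside some span no longer than `window`."""
    alerts = []
    low = threshold * (1 - margin)
    for user, evs in _by_user(events).items():
        near = [e for e in evs if e.kind == "transfer_out" and low <= e.amount < threshold]
        for i, start in enumerate(near):
            run = [e for e in near[i:] if e.ts - start.ts <= window]
            if len(run) >= min_count:
                alerts.append((user, len(run), sum(e.amount for e in run)))
                break  # one alert per user is enough
    return alerts


# Constructed sample events (not real data).
T0 = datetime(2026, 3, 1, 10, 0)
SAMPLE_EVENTS = [
    # alice: full takeover chain, new recipient, withdrawal eight minutes later
    Event(T0, "alice", "phone_change"),
    Event(T0 + timedelta(minutes=2), "alice", "password_reset"),
    Event(T0 + timedelta(minutes=3), "alice", "login_new_device"),
    Event(T0 + timedelta(minutes=8), "alice", "transfer_out", 950.0, "$drop01", 0),
    # bob: ordinary payment to a long-known recipient, no precursor
    Event(T0 + timedelta(minutes=5), "bob", "transfer_out", 300.0, "$landlord", 400),
    # carol: password reset hours before the transfer, outside the window
    Event(T0 - timedelta(hours=2), "carol", "password_reset"),
    Event(T0 + timedelta(hours=1), "carol", "transfer_out", 150.0, "$sister", 200),
    # dave: four transfers just under a $2,000 limit to four recipients in one afternoon
    Event(T0 + timedelta(hours=3), "dave", "transfer_out", 1900.0, "$m1", 0),
    Event(T0 + timedelta(hours=4), "dave", "transfer_out", 1950.0, "$m2", 0),
    Event(T0 + timedelta(hours=5), "dave", "transfer_out", 1800.0, "$m3", 0),
    Event(T0 + timedelta(hours=6), "dave", "transfer_out", 1990.0, "$m4", 0),
]


if __name__ == "__main__":
    for user, transfer, kinds, risk in ato_cashout_alerts(SAMPLE_EVENTS):
        print(f"ATO cash-out: {user} -> {transfer.recipient} ${transfer.amount:.0f} "
              f"after {', '.join(kinds)} (risk {risk})")
    for user, count, total in structuring_alerts(SAMPLE_EVENTS):
        print(f"Structuring: {user} sent {count} transfers just under the limit, total ${total:.0f}")
```

Only alice and dave trip the rules; bob's ordinary payment and carol's transfer hours after her reset do not. The window, margin, and risk weights are assumptions to be tuned per product limit, and in production the phone_change signal should come from the carrier's SIM-swap feed as well as from the app's own profile changes, since a swap leaves no trace in the app until the attacker resets the password.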
Summary
M-Pesa, CashApp, and Paytm (Paytm Payments Bank) in 2027 are three giants of the payments industry, each with a huge user base, and each with its own vulnerabilities. SIM swapping, phishing, social engineering, UPI vulnerabilities, Trojans like Anatsa, Ghost Tapped, Vultur, Massiv, and TrickMo, and outright regulatory turmoil: this is the battlefield for the modern carder.
Traditional carding is becoming a thing of the past, and mobile apps are becoming the new target. But a successful attack requires more than just Trojans: it requires a drop infrastructure, geolocation, fast cashout, and strict OPSEC. A SIM swap error or an incorrectly chosen proxy country, and the attack will fail.
Attacks on mobile payment apps are a multi-billion-dollar business, and those who master it now will dominate in the coming years. But remember: in 2027, regulators are also watching. Laws are getting stricter, licenses are being revoked. Choose your target, observe OPSEC, and don't forget about money mules.
A quick one-line reminder:
"M-Pesa rules SIM swaps and SMS phishing, CashApp – lightning-fast withdrawals via money mules, Paytm lost its license, but UPI is still alive. Mobile Trojans (Anatsa, Vultur, Massiv, TrickMo) steal logins and codes, Ghost Tapped relays NFC for payments at the register. But without money mules and local cash-out machines, even the best Trojan is useless. In 2027, the hunt shifts to mobile phones – either you attack the app, or the money attacks you."
