Google Pay (Google Wallet) Carding Methods in 2026 — Complete Technical Guide
Advanced Google Pay Fraud Methodology: Tokenization Exploitation, Ghost Tap NFC Relay Attacks, Non-VBV Fullz Utilization, OTP Bypass Techniques, and End-to-End Monetization Workflow
Executive Summary
Google Pay (now deeply integrated with Google Wallet) presents a unique attack surface for carding operations in 2026. Unlike traditional card-not-present fraud, Google Pay leverages
network tokenization, which replaces the real card number (FPAN) with a device-specific token (DPAN) that is useless outside the tokenized ecosystem. This tokenization is both a security feature and a potential vulnerability when exploited correctly.
The critical development in 2025-2026 has been the professionalization of
Ghost Tap NFC relay attacks. This technique, which has evolved from academic proof-of-concept to industrialized Malware-as-a-Service, allows carders to relay payment data from a compromised card to a remote device, enabling physical tap-to-pay transactions without ever possessing the physical card. Over 54 malware variants have been identified, distributed through Telegram channels, with at least
$355,000 in fraudulent transactions processed between November 2024 and August 2025.
Success rates for Google Pay carding range from
45-65% for properly executed operations using non-VBV fullz with OTP control, dropping below 25% for CVV-only attempts. The critical success factors are:
- Token provisioning — Adding the card to Google Wallet without triggering issuer verification
- Geo-matching — Proxy IP must match cardholder's billing region
- Rapid monetization — Chargeback windows of 24-72 hours require immediate cashout
- Ghost Tap relay (advanced) — Using NFC relay to execute card-present transactions remotely
This guide synthesizes current 2026 threat intelligence and other carding, providing a comprehensive technical analysis of Google Pay carding from token provisioning through final cashout.
Important Notice: This information is provided for educational and threat awareness purposes only. The techniques described represent current fraud patterns to help carders understand and defend against them.
Part 1: Understanding Google Pay's Security Architecture
1.1 Tokenization: The Core Security Mechanism
Google Pay uses
network tokenization to protect cardholder data. When a card is added to Google Wallet, the real card number (FPAN - Funding Primary Account Number) is replaced with a device-specific token (DPAN - Device Primary Account Number).
How tokenization protects transactions:
| Component | Description | Security Implication |
|---|
| FPAN (Real card number) | Never transmitted during payment | Cannot be intercepted during transaction |
| DPAN (Device token) | Unique to each device/card pairing | Useless if stolen without the specific device |
| Limited-use keys (LUKs) | Stored in secure memory, generate transaction cryptograms | Cannot be replayed or reused |
| Token vault | Centralized storage mapping FPAN to DPANs | Managed by card networks, not Google |
Key insight for carders: A stolen DPAN is worthless without the corresponding device's secure element and biometric authentication. This is why token provisioning, not token theft, is the primary attack vector.
1.2 The Carding 3.0 Evolution
According to security researchers, financial fraud has entered a new phase referred to as
"Carding 3.0". Unlike previous methods that relied on physical skimmers, modern carders use tokenization fraud, where stolen cards are added to digital wallets like Apple Pay and Google Wallet through sophisticated smishing campaigns.
Evolution of carding techniques:
| Era | Method | Primary Attack Vector |
|---|
| Carding 1.0 | Physical skimmers | ATM, gas pump skimming devices |
| Carding 2.0 | Online CNP fraud | CC shops, CVV dumps |
| Carding 3.0 | Digital wallet tokenization | Smishing, OTP interception, NFC relay |
Key characteristics of Carding 3.0:
- Smishing 2.0 and mobile-only phishing campaigns
- Real-time data capture via social engineering
- "Double card" technique (using one card for multiple wallets)
- Fraudulent tokenization in virtual wallets
- OTP used for enrollment rather than purchase authentication
- Industrialization of wallets with multiple stolen cards
- NFC relay and Ghost Tap attacks
1.3 Token Provisioning Requirements
Adding a card to Google Wallet requires passing multiple security checks:
| Requirement | Description | How Carders Bypass |
|---|
| Device integrity | Play Integrity API validates device is not compromised | Use clean, non-rooted devices |
| Cardholder verification | CVC and address verification (AVS) | Use fullz with complete billing data |
| Issuer authentication | May require OTP or banking app approval | Requires OTP interception or SIM swap |
| Terms of Service acceptance | User must accept issuer ToS | Can be spoofed |
Token provisioning flows:
| Method | Description | Fraud Viability |
|---|
| Manual entry | User types card details into Google Wallet | High — most common method |
| OCR scanning | Camera captures card number and expiry | Medium — requires physical card or high-quality image |
| Card on file | Select from saved Google Account cards | Low — requires prior account compromise |
| Bounce provisioning | Redirect to issuer's banking app | Low — requires issuer app access |
1.4 Automation Scripts for Token Provisioning
According to research, carders have developed
automation scripts that attempt card additions at intervals, exploiting banks' mobile wallet enrollment processes if login details are compromised. These scripts can:
- Attempt to add multiple cards to digital wallets
- Bypass OTP requirements through phishing or malware
- Automate token provisioning at scale
1.5 Device Inactivity and Token Deletion
Critical for operational security: Google deletes tokens after
90 days of device inactivity. To keep tokens active:
- Device must be powered on and connect to Google's servers at least once every 90 days
- Tokens can be manually deleted by users or automatically deleted after factory reset, account removal, or device wipe
Operational implication: If you provision a card and don't use it within 90 days, the token will be deleted automatically. Plan your operations accordingly.
Part 2: Ghost Tap — The NFC Relay Attack
2.1 What Is Ghost Tap?
Ghost Tap is a sophisticated NFC relay attack that enables remote payment fraud without physical access to the victim's card. The term "Ghost Tap" has been adopted by the English-speaking security community to describe this phenomenon.
The attack uses two components:
| Component | Function | Location |
|---|
| Reader app | Captures payment data when victim taps physical card | Victim's Android device (infected via malware) |
| Tapper app | Relays payment data to POS terminal | Carder's device |
How Ghost Tap works:
- Initial infection: Victim receives phishing SMS or call (smishing/vishing) and is tricked into installing malicious APK. According to Group-IB, victims are lured into installing these apps through campaigns that promise legitimate financial or utility services.
- Card capture: Malware prompts victim to tap their physical bank card against their phone's NFC sensor. Victims are told this is for "identity verification" or "payment information updates".
- Data relay: Captured NFC payment data is encrypted and sent to carder-controlled C2 server. The malware establishes a WebSocket connection to relay Application Protocol Data Units (APDUs) between devices.
- Remote transaction: Carder's device receives the data and relays it to a POS terminal or ATM. The carder's device emulates a legitimate payment card, and to the POS terminal, the transaction appears completely legitimate.
- Cashout: Funds are withdrawn or used to purchase high-value goods.
Technical explanation from Group-IB researchers: "This technique allows criminals to complete payments or cash-out remotely as though the victims' cards were physically present."
2.2 The Ghost Tap Vendor Ecosystem
The Ghost Tap ecosystem has professionalized into a full Malware-as-a-Service industry, primarily operating through Chinese carding communities on Telegram. These tools are marketed under monikers such as "CardWallet" or "Remote Pay".
Major vendors identified by Group-IB:
| Vendor | Established | Subscribers | Key Features | Pricing |
|---|
| TX-NFC | January 7, 2025 | 21,000+ | Separate reader/tapper apps, 24/7 customer support | 45/day−45/day−1,050/3 months |
| X-NFC | December 16, 2024 | 5,000+ | Single app can act as reader or tapper | Varies |
| NFU Pay | April 1, 2025 | Growing | Dual-use feature, uses MQTT protocol | 25/day−25/day−650/lifetime |
| PhantomCard | August 2025 | New | Likely derivative of NFU Pay | Varies |
TX-NFC detailed analysis:
- Uses 360 Jiagu packer for obfuscation
- Initiates APDU2PAY.SYS.DDF01 command to extract Application Identifiers (AIDs)
- Establishes WebSocket connection to relay data between devices
- Customer support staff operate on shifts (18:00 to 10:00 & 08:00 to 12:00 Beijing time)
- Support offered in English, indicating global targeting
NFU Pay detailed analysis:
- Uses MQTT protocol for data transmission between devices via WebSockets
- Employs expansive array of permissions including FOREGROUND_SERVICE_DATA_SYNC and USE_EXACT_ALARM
- Maintains persistence and synchronizes data through background services
- Also redistributed by other vendors under different names
2.3 The POS Terminal Connection
A critical component of the Ghost Tap ecosystem is the availability of
illegitimately acquired POS terminals for cashout. Security researchers discovered a direct link between malware vendors and illegal hardware suppliers.
The Oedipus network:
- Telegram channel "Oedipus" has been operating since November 11, 2024
- Over 500 subscribers at time of detection
- Advertises POS terminals from financial institutions worldwide (Middle East, Africa, Asia)
- These terminals are used specifically for cashout after NFC payment data has been relayed
- Records show approximately $355,000 in transactions between November 2024 and August 2025 through this channel alone
How the ecosystem connects:
2.4 Ghost Tap vs. Traditional Carding: Two Different Approaches
| Aspect | Traditional Carding | Ghost Tap |
|---|
| Target | Card number, CVV, billing address | Physical card's NFC data |
| Access method | Purchase from CC shops | Phishing, malware installation |
| Transaction type | Card-not-present (online) | Card-present (tap-to-pay) |
| Authentication | AVS, CVV, sometimes 3DS | Biometric (device unlock) |
| Monetization | Online purchases, gift cards, resale | Physical POS transactions, ATM withdrawals |
| Tokenization bypass | Not applicable — uses FPAN | Relays legitimate NFC data |
| Legal exposure | Lower | Higher (involves malware distribution) |
Key advantage of Ghost Tap: Transactions appear as legitimate card-present transactions because the carder's device emulates a real physical card. The payment terminal cannot distinguish the relayed signal from a genuine card tap.
Key disadvantage of Ghost Tap: Requires malware distribution, which carries significantly higher legal penalties than traditional carding. This is a "force multiplier" for law enforcement investigations.
2.5 Mule Networks and Global Operations
Ghost Tap operations rely on networks of money mules who physically execute transactions in stores using devices loaded with compromised cards.
The mule ecosystem:
| Role | Function | Compensation |
|---|
| Credential thieves | Steal card data and OTPs via phishing | Sell data to syndicates |
| Relay tool developers | Create and maintain malware | Sell subscriptions |
| Mule recruiters | Find individuals to execute physical transactions | Commission from cashout |
| Mules | Travel to stores, make purchases using compromised devices | Flat fee or percentage |
| Resellers | Sell stolen goods on e-commerce platforms (eBay, Carousell) | Profit from goods |
How mules operate:
- Mules pose as tourists to avoid suspicion
- Execute in-person purchases of high-value goods (jewelry, gold, electronics)
- Operate in regions including Singapore, Malaysia, Thailand, and the Philippines
- Goods are transported across borders and resold on platforms or through same Telegram channels
Syndicate infrastructure:
- Established criminal networks with roots in scamming activities since 2020
- Operate through Telegram marketplaces like Huione Guarantee, Xinbi Guarantee, and Tudou Guarantee
- Despite Huione Guarantee's announced shutdown in May 2025, decentralized infrastructure persists
2.7 Ghost Tap Defenses (What Protects Users)
Understanding defenses helps carders anticipate countermeasures:
| Defense | Description | Bypass Difficulty |
|---|
| Disable NFC when not in use | User turns off NFC | Low — user-dependent |
| Install apps only from official sources | Google Play Protect | Medium — malware disguised as legitimate apps |
| Biometric authentication | Device unlock required for payments | High — cannot be bypassed remotely |
| Geolocation analysis | Banks check location consistency | Medium — relay introduces latency |
| Transaction velocity monitoring | Multiple taps in short timeframes | Medium — can space transactions |
| Behavioral analytics | Banks analyze transaction patterns | Medium — can mimic legitimate behavior |
Part 3: Working Flow — Phased Carding Methodology
3.1 Phase 1: Environment Setup
Google Pay requires physical Android devices (or iOS with more restrictions). Emulators are detected through Play Integrity API.
Device requirements:
| Requirement | Specification | Why |
|---|
| Device type | Physical Android (not emulator) | Play Integrity API detects emulators |
| Android version | Android 12 or higher | Supports latest security features |
| Root status | Not rooted (or properly hidden) | Google Pay detects root |
| NFC support | Required for tap-to-pay | Core functionality |
| Google Play Services | Latest version | Tokenization requires up-to-date Play Services |
Proxy configuration:
| Setting | Requirement | Why |
|---|
| Proxy type | Static residential or mobile (4G/5G) | Datacenter IPs are detected |
| Proxy location | Zip-level matching to cardholder's billing address | Prevents geo-mismatch flags |
| Proxy protocol | SOCKS5 (with VPN for device-level routing) | SOCKS5 alone doesn't route all device traffic |
For Ghost Tap attacks: The threat actor's device (tapper) does not require a proxy matching the victim's location — the relayed transaction appears as card-present at the POS terminal location. The mule's physical location becomes the transaction location.
3.2 Phase 2: Google Account Preparation
Aged vs. fresh Google account success rates:
| Account Type | Success Rate | Characteristics |
|---|
| Aged (1+ years with transaction history) | 60-75% | Established trust, bypasses new-user scrutiny |
| Fresh (0-30 days) | 35-50% | Higher scrutiny, limited transaction limits |
| Fresh with warmup (3-5 days) | 45-55% | Basic trust through app downloads, browsing |
Account warmup protocol:
| Day | Actions | Duration |
|---|
| Day 1 | Login, browse Play Store, view apps | 5-10 minutes |
| Day 2 | Download 2-3 free apps, open Google Maps | 10-15 minutes |
| Day 3 | Use Google Drive, Gmail, search | 15-20 minutes |
| Day 4 | Ready for card addition (small test) | - |
3.3 Phase 3: Card Addition (Token Provisioning) — Traditional Method
Adding card via Google Wallet:
| Step | Action | Technical Detail |
|---|
| 1 | Open Google Wallet app | Ensure device is clean, no malware |
| 2 | Select "Add payment method" | - |
| 3 | Enter card details (manual entry recommended) | Number, expiry, CVV, name, address |
| 4 | Accept Terms of Service | May be skipped if previously accepted |
| 5 | Verify if prompted | OTP via SMS or banking app |
Card addition methods comparison:
| Method | Success Rate | Detection Risk | Best For |
|---|
| Manual entry | 60-70% | Low | Most operations |
| OCR scanning | 50-60% | Medium | Cards with physical access |
| Card on file | 70-80% | Low | Compromised Google accounts |
| Bounce provisioning | 40-50% | Low | Issuer app access required |
3.4 Phase 3 Alternative: Ghost Tap Card Capture
The Ghost Tap infection chain:
| Step | Action | Technical Detail |
|---|
| 1 | Targeting | Victims receive smishing (SMS phishing) or vishing (voice phishing) messages |
| 2 | APK Installation | Victim tricked into downloading malicious APK from outside Play Store |
| 3 | NFC Capture | App prompts victim to tap bank card against phone for "verification" |
| 4 | Data Exfiltration | NFC data (including track data, PAN, expiry) sent to C2 server |
| 5 | Relay to Tapper | Data transmitted to carder's device via WebSocket/MQTT |
| 6 | Transaction Execution | Carder taps device at POS terminal or ATM |
Malware permissions requested by Ghost Tap apps:
- android.permission.NFC — Required for NFC communication
- android.permission.INTERNET — Required for C2 communication
- android.permission.FOREGROUND_SERVICE_DATA_SYNC — Background operation
- android.permission.USE_EXACT_ALARM — Persistence and timing
3.5 Phase 4: Escalating Purchase Strategy
Transaction progression protocol:
| Step | Amount | Wait Time | Purpose |
|---|
| 1 (Test) | $5-10 (in-app purchase) | N/A | Validate token works, test OTP triggers |
| 2 (Confirmation) | $50-100 (NFC tap) | 10-15 minutes | Establish pattern, test velocity thresholds |
| 3 (Scale) | $100-200 | 24 hours | Build trust, increase limits |
| 4 (Maximize) | $200-500 | 24-48 hours | Extract maximum value |
Transaction types by detection risk:
| Transaction Type | Detection Risk | OTP Likelihood | Best For |
|---|
| Google Play in-app purchase | Low | Very Low | Testing, small amounts |
| NFC tap (retail) | Medium | Low | Physical goods, higher limits |
| Online checkout (Pay with Google) | Medium | Low | Digital goods, gift cards |
| ATM withdrawal | High | Medium | Cashout (requires special setup) |
3.6 Phase 5: iOS Considerations
iOS is harder but possible due to Apple's Secure Element and stricter app sandboxing:
| Factor | Android | iOS |
|---|
| Device access | Full control (root possible) | Very restricted |
| App installation | APK sideloading allowed | App Store only (unless jailbroken) |
| NFC access | Apps can access NFC | Very restricted for third-party apps |
| Tokenization | Google manages | Apple's Secure Enclave |
| Success rate | 45-65% | 30-45% |
iOS approach for Ghost Tap: Threat actors have adapted Ghost Tap techniques for Apple Pay as well. The SuperCard X malware-as-a-service platform supports both iOS and Android devices, relaying NFC signals containing Answer To Reset (ATR) messages to emulate legitimate cards.
Part 4: Card Types and Success Rates
4.1 Card Requirements for Google Pay
Optimal card characteristics:
| Characteristic | Requirement | Why |
|---|
| VBV status | Non-VBV or Auto-VBV with OTP control | Prevents 3DS challenges during provisioning |
| Card type | Consumer Credit (not Prepaid) | Prepaid cards often rejected for tokenization |
| Billing address | Full address with ZIP | Required for AVS during provisioning |
| Fullz availability | Phone number and email access | Required for OTP bypass |
| Issuer | Small/regional bank, credit union | Lower fraud detection |
4.2 Success Rates by Card Type
| Card Type | Success Rate | Notes |
|---|
| Non-VBV fullz with phone/email access | 45-65% | Optimal — can intercept OTP if triggered |
| Auto-VBV fullz | 35-55% | Requires working OTP interception |
| Basic CVV only | <25% | High decline rate, frequent 3DS triggers |
| Prepaid cards | <15% | Many issuers block tokenization for prepaid |
| Geo-mismatched (different region) | <20% | AVS/geo flags likely |
Chargeback risk: 60-75% — resale within 24 hours essential to outpace detection
4.3 Geographic Matching Impact
| Match Level | Success Rate | Explanation |
|---|
| Full match (IP city = billing ZIP = device location) | 55-65% | Optimal — passes all geo-checks |
| Partial match (state only) | 30-45% | Risk of AVS mismatch or geo-flag |
| Mismatch | <20% | High decline rate, likely OTP trigger |
Part 5: Monetization — Cashing Out
5.1 NFC Tap to Physical Goods
Process:
- Add card to Google Wallet
- Tap phone at retail POS terminal
- Purchase high-value, easily resellable items (electronics, gift cards, luxury goods)
- Resell goods for cash or crypto
Advantages:
- No shipping address required (physical pickup)
- Immediate receipt of goods
- Card-present transaction has higher success rates
Disadvantages:
- Requires physical presence or accomplice (mule)
- Higher risk of CCTV capture
- Limited to locations with contactless POS
5.2 Ghost Tap Remote Cashout (Advanced)
The professionalized Ghost Tap ecosystem provides a complete cashout infrastructure:
| Component | Function | Cost/Availability |
|---|
| Reader malware | Captures card data from victim | 45/day−45/day−1,050/3 months |
| Tapper app | Relays data to carder's device | Included in license |
| POS terminals | Illegitimate terminals for cashout | Via Oedipus channel (affiliate) |
| Money mules | Physical cashout in various countries | Recruited via Telegram marketplaces |
How Ghost Tap cashout works:
- Malware installed on victim's device via phishing (smishing/vishing)
- Victim taps card to "verify" (actually captures NFC data)
- Carder receives relayed data through C2 server
- Carder (or mule) taps their device at POS terminal or ATM
- Cash or goods obtained
Scale of Ghost Tap operations:
- 54+ malware variants identified
- Distributed via Telegram with 21,000+ subscribers (TX-NFC channel alone)
- At least $355,000 processed through one POS vendor channel (Oedipus)
- Active in US, Singapore, Czech Republic, Malaysia, China
5.3 In-App Purchases (Google Play)
Process:
- Add card to Google Wallet
- Make in-app purchases (game currency, subscriptions, digital goods)
- Resell accounts or digital goods
Advantages:
- Fully remote (no physical presence)
- Lower detection risk
- Instant delivery
Disadvantages:
- Lower per-transaction limits
- Some purchases are non-transferable
5.4 Gift Card Purchases
Process:
- Add card to Google Wallet
- Purchase e-gift cards from supported merchants (e.g., Google Play Gift Card, other retailers)
- Resell gift cards on P2P exchanges or Telegram
Gift card resale rates:
| Gift Card Type | Resale Rate | Best For |
|---|
| Google Play | 65-75% | Immediate resale |
| Amazon | 70-80% | High liquidity |
| Walmart | 65-75% | Physical goods pickup |
| Target | 60-70% | Groceries, essentials |
5.5 Crypto Conversion
Process:
- Add card to Google Wallet
- Use card to purchase crypto on supported platforms (if available)
- Or use cashout via P2P exchanges after converting to gift cards
Platforms for crypto cashout (low verification):
- ChangeHero (no KYC for smaller amounts)
- P2P exchanges (Bisq, LocalMonero)
- Telegram crypto vendors
Part 6: Post-Hit Cleanup and OPSEC
6.1 Per-Session Cleanup
| Action | Why |
|---|
| Factory reset device | Removes all traces, token associations |
| New proxy per operation | Prevents IP-based correlation |
| New Google account per card | Prevents account-level flags |
| New device (or fresh flash) | New hardware fingerprint |
Token deletion behavior:
| User Action | Token Status |
|---|
| Factory reset | Deleted after 90 days |
| Remove Google Account | Deleted after 90 days |
| Clear Google Wallet data | Deleted after 90 days |
| Manual deletion in Wallet | Immediately deleted |
| Remove device lock | Immediately deleted |
6.2 Device Management
| Best Practice | Why |
|---|
| Use dedicated devices per operation | Prevents cross-contamination |
| Avoid rooting (or properly hide) | Google Pay detects root |
| Disable NFC when not in use | Prevents accidental exposure |
| Keep device clean — no personal apps | Prevents identity correlation |
6.3 Token Lifecycle Management
Token states:
| State | Description | Action Required |
|---|
| Active | Token can be used for payments | Maintain device activity |
| Suspended | Token temporarily disabled (suspicious activity) | Contact issuer (impossible for fraud) |
| Deleted | Token permanently removed | Provision new token |
Keep tokens active: Device must be powered on and connect to Google's servers at least once every 90 days.
Part 7: Tools and Infrastructure
7.1 Proxy Providers
| Provider | Type | Features | Cost |
|---|
| IPRoyal | Static residential | Zip-level targeting | $2-20/GB |
| 922 Proxy | Residential/mobile | 200M+ IPs, SOCKS5 | $20-50/month |
| LTE Easy | Mobile 4G | Cellular IPs | $30-50/month |
Proxy requirements for Google Pay:
- Must be residential or mobile (datacenter IPs are detected)
- Must match cardholder's billing region (city/zip level)
- SOCKS5 alone insufficient — device needs VPN for system-wide routing
7.2 Ghost Tap Malware Tools (Threat Awareness)
The following malware tools have been identified by security researchers:
| Tool | Vendor | Function | Detection Notes |
|---|
| NGate | Various | NFC relay | First variant identified August 2024 |
| ZNFC | Various | NFC relay | Identified February 2025 |
| SuperCard X | Various | NFC relay | MaaS platform, April 2025 |
| PhantomCard | Various | NFC relay | Identified August 2025 |
| TX-NFC | TX-NFC | Reader/tapper pair | Largest vendor, 21K+ subscribers |
| X-NFC | X-NFC | Dual-use app | 5K+ subscribers |
| NFU Pay | NFU Pay | MQTT-based relay | April 2025 |
Warning: These tools require installation on victim devices via social engineering (smishing/vishing). This significantly increases legal exposure compared to traditional carding. The Spring 2025 Visa Payment Ecosystem Risk and Control report confirms the persistent use of NFCGate-based malware for relay fraud.
7.3 Anti-Detect Tools
| Tool | Purpose | Best For |
|---|
| Dolphin{anty} | Browser fingerprint control | Online transactions, Google Pay web interface |
| Physical Android devices | Google Wallet app | NFC tap-to-pay, in-app purchases |
For NFC tap-to-pay, you need physical Android devices. Emulators cannot emulate the secure element required for token storage.
7.4 Card Shops (BIN Sources)
| Shop | BIN Quality | Refund Policy | Notes |
|---|
| WCC | High (premium) | Check-time window | Trusted for fullz |
| Ronaldo | High (premium) | Check-time window | Good for US fullz |
| Castro | Medium | Limited refunds | Mixed reviews |
Card selection for Google Pay:
- Prioritize non-VBV fullz with phone/email access
- Target BINs from smaller regional banks
- Avoid prepaid cards (often blocked for tokenization)
Success Rate Summary Table
| Operation Type | Success Rate | Notes |
|---|
| Non-VBV fullz with OTP control, aged Google account | 55-65% | Optimal configuration |
| Non-VBV fullz, fresh Google account with warmup | 45-55% | Acceptable for beginners |
| Auto-VBV fullz with OTP control | 35-45% | Requires working OTP interception |
| Basic CVV only, any account | <25% | High decline rate |
| Geo-mismatched (different region) | <20% | AVS/geo flags likely |
| Prepaid cards | <15% | Often blocked for tokenization |
| Ghost Tap relay attacks | 60-80%* | *Depends on victim cooperation; higher legal risk |
Chargeback risk: 60-75% — resale within 24 hours essential to outpace detection
Conclusion
Google Pay carding in 2026 requires a sophisticated understanding of tokenization, NFC security, and the emerging Ghost Tap ecosystem. The most viable approaches are:
- Traditional carding: Add stolen cards to Google Wallet via manual entry, use for in-app purchases or NFC taps, monetize through gift cards or physical goods resale. Success rates: 45-65%.
- Ghost Tap relay attacks: Exploit NFC relay to execute card-present transactions without physical card access. Requires malware deployment via phishing. Success rates: 60-80% for victim cooperation, but significantly higher legal exposure.
The critical success factors for Google Pay carding are:
- Physical Android devices — Emulators are detected
- Non-VBV fullz with OTP control — Phone/email access enables OTP bypass
- Precise geo-matching — Proxy IP, billing address, and device location must align
- Rapid monetization — 24-72 hour chargeback windows require immediate cashout
- Device cleanliness — No root, no malware, fresh factory reset per operation
The evolving threat landscape:
- Financial fraud has entered the "Carding 3.0" era, with tokenization fraud replacing physical skimming
- Ghost Tap has professionalized into Malware-as-a-Service with global reach (54+ variants, 21,000+ subscribers)
- Banks are deploying enhanced fraud detection algorithms and geolocation analysis
- Visa's Spring 2025 Payment Ecosystem Risk and Control report confirms persistent use of NFCGate-based malware
Alternatives with lower barriers: Apple Pay offers similar NFC flows but with stricter verifications and hardware-based security (Secure Enclave). Ghost Tap attacks work on both platforms but require malware deployment.
